Free SSL/TLS Encryption with Let’s Encrypt

Let’s Encrypt is an organization that offers free SSL/TLS certificates to webmasters. The service is backed by the Internet Security Research Group (ISRG), a non-profit corporation based in California.

How it works: When a browser connects to your website, it asks the web server to identify itself. Your web server sends a copy of its SSL certificate back to the browser. The browser then decides whether to trust that certificate by checking what it received against a certificate authority (in this scenario Let’s Encrypt is the CA). Once the browser has verified the certificate and found it legitimate, it signals the server to proceed. At that point the server acknowledges the browser and starts an encrypted session, so the data exchanged between the user’s browser and your server is encrypted.

Although some CAs offer certificates that last a year or longer, Let’s Encrypt deliberately chose a 90-day lifetime, primarily for security reasons. Limiting the lifetime to 90 days reduces the window in which a stolen key can be re-used for malicious purposes. Automating certificate renewal also streamlines the process and makes it more scalable, since a sysadmin no longer has to renew manually.
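As an added example (not code from the original post), the Python script below performs the same check a browser does, validating the server’s certificate chain and host name against the system trust store, and then reports how many days remain on the certificate and whether automated renewal should already have fired. The host name on the command line and the 30-day renewal threshold (certbot’s default) are assumptions.

```python
"""Check a site's certificate like a browser, then judge the 90-day renewal state."""
import socket
import ssl
import sys
import time
from datetime import datetime, timezone
from typing import Optional

RENEW_AT_DAYS = 30  # assumption: certbot's default "renew when < 30 days remain"


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with full verification: an untrusted chain or a name mismatch raises."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()  # only populated after verification succeeded


def issuer_org(cert: dict) -> str:
    """Organization name of the issuing CA from getpeercert()'s nested RDN tuples."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def utc_timestamp(year: int, month: int, day: int, hour: int = 0) -> float:
    """Epoch seconds for a UTC date; lets callers pin 'now' for reproducible checks."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc).timestamp()


def days_until_expiry(cert: dict, now_ts: Optional[float] = None) -> float:
    """notAfter is a string such as 'Mar 15 12:00:00 2025 GMT' (always UTC)."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    now_ts = time.time() if now_ts is None else now_ts
    return (expires - now_ts) / 86400


def renewal_verdict(cert: dict, now_ts: Optional[float] = None) -> str:
    """EXPIRED, RENEW_OVERDUE (automation should have renewed already) or OK."""
    days = days_until_expiry(cert, now_ts)
    if days <= 0:
        return "EXPIRED"
    if days < RENEW_AT_DAYS:
        return "RENEW_OVERDUE"
    return "OK"


if __name__ == "__main__":
    cert = fetch_peer_cert(sys.argv[1] if len(sys.argv) > 1 else "example.com")
    print(issuer_org(cert), round(days_until_expiry(cert), 1), renewal_verdict(cert))
```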

Free SSL/TLS certificates from Let’s Encrypt are relevant (beyond encryption simply being good practice) because of the Chrome version 56 update. Google previously announced that, effective January 2017, it would begin warning users when a website that requires a login or handles e-commerce is not secure.

The Chrome Security Team’s stated aim is to “help users browse the web safely”. On the Google Security Blog, Emily Schechter wrote:

Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS.

You need to set your website up on HTTPS. Chrome accounts for 51.06% of all browser usage (source: Wikipedia), so this change is significant and will affect your users. Even if your website doesn’t require a login and isn’t an online store, you should start planning the move to HTTPS now, because Google officially announced several years ago that HTTPS is a ranking signal.

Historically, SSL certificates have cost as much as hundreds of dollars per year. Let’s Encrypt offers them for free.
