Let’s Encrypt is a relatively new Certificate Authority (CA) offering free, automated certificates for websites. In light of recent changes by Google to Chrome, if moving your websites and devices to HTTPS wasn’t important to you before, it should be now. As of Chrome version 68, all non-HTTPS websites are met with a security warning. Non-HTTPS sites also incur a penalty in Google’s SEO rankings, which should be of great concern if you are a business or a brand relying on a website.
What is SSL/TLS and HTTPS?
Let’s try to make all this jargon a bit clearer, shall we? When you are browsing the web, look at your address bar and you will see a prefix on every website address, generally http:// or https:// – though newer browsers tend to show only “insecure” or “secure” instead. HTTP stands for HyperText Transfer Protocol – the foundation of the internet and how pages are requested, delivered and displayed.
HTTPS adds an S for “Secure” – security that comes from having a digital certificate issued for your site and installed on it. These certificates enable something called Transport Layer Security (TLS), or in some cases its predecessor, Secure Sockets Layer (SSL). The certificate adds a layer of encryption and security to your connections on the web: the data travelling between your browser and the website you are visiting is encrypted in both directions. This makes it incredibly difficult for a hacker to perform what is called a “man-in-the-middle” attack, where they intercept these communications and harvest, for example, the username and password or credit card details you are submitting. Think of any spy movie where someone asks “is this line secure?”: HTTPS is that, for the internet.
How do these certificates work?
A Certificate Authority (CA) is an organisation that is trusted across the web and by industry to supply official certificates to websites. These certificates are time-limited, traditionally to one to three years, after which they need to be renewed to remain valid. A list of these trusted authorities is also registered in your web browser and operating system (such as Windows or Linux) and kept current automatically along with your other updates, so that if a certificate comes from one of those authorities, the browser knows it can trust it and list the site as secure.
In a very simplified nutshell, you, as the owner of a website or company, would register with a CA and ask them to issue a certificate for your site. They would then provide this to you, and you or your IT team would install it with your hosting. When someone visits your site, their browser would “see” the certificate on the website, and if it was issued by a trusted Certificate Authority (among numerous other checks, balances and “handshakes”), the connection would then be encrypted.
How does Let’s Encrypt work?
Let’s Encrypt is a CA, but they work a little differently. In the past you’d pay a lot of money for a certificate every year, which put certificates out of reach for many smaller web hosts and individuals. Let’s Encrypt addresses this by issuing free, automated certificates with a validity of 3 months. Note: you should still pay for a more secure certificate if you are running any sort of e-commerce site or are dealing with people’s personal information!
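To make the trust and validity checks described above concrete, here is an added example, not code from the original post or from Let’s Encrypt, that builds a constructed root CA, issues it a 90-day certificate for a placeholder host (www.example.com), and then performs the checks a browser does: the certificate must chain to a root in the trust store, must name the host, and must be inside its validity period. It also shows the renewal check an automated job would run against a 3-month certificate. The CA name, host name, issue date and 30-day renewal window are all assumptions chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl under parent; a nil parent means self-signed, which is how a root CA certificate is made.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newCA builds a self-signed root, the kind of certificate a browser or operating system carries in its trust store.
func newCA(name string, notBefore, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
}

// newLeaf issues a server certificate for host, signed by the given CA.
func newLeaf(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey, notBefore time.Time, validFor time.Duration) (*x509.Certificate, error) {
	cert, _, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(validFor),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return cert, err
}

// verifyForHost is the browser-side check: the chain must end at a trusted root, name this host and be valid at now.
func verifyForHost(leaf *x509.Certificate, host string, roots *x509.CertPool, now time.Time) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, CurrentTime: now})
	return err
}

// needsRenewal reports whether less than window remains before expiry, the condition a renewal job acts on.
func needsRenewal(cert *x509.Certificate, now time.Time, window time.Duration) bool {
	return cert.NotAfter.Sub(now) < window
}

type demoResult struct {
	TrustedOK, UntrustedOK, ExpiredOK bool // chain check: trusted root, empty trust store, day after expiry
	RenewDay10, RenewDay65            bool // renewal due 10 and 65 days after issue, with a 30-day window
}

// runDemo issues a 90-day certificate (the Let's Encrypt lifetime) from a constructed root and checks it over time.
func runDemo() (demoResult, error) {
	var r demoResult
	issued := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed issue date
	day := 24 * time.Hour
	ca, caKey, err := newCA("Constructed Root CA", issued.AddDate(-1, 0, 0), issued.AddDate(10, 0, 0))
	if err != nil {
		return r, err
	}
	host := "www.example.com" // placeholder host name
	leaf, err := newLeaf(host, ca, caKey, issued, 90*day)
	if err != nil {
		return r, err
	}
	roots := x509.NewCertPool() // stands in for the browser's trust store
	roots.AddCert(ca)
	r.TrustedOK = verifyForHost(leaf, host, roots, issued.Add(day)) == nil
	r.UntrustedOK = verifyForHost(leaf, host, x509.NewCertPool(), issued.Add(day)) == nil // issuer not trusted
	r.ExpiredOK = verifyForHost(leaf, host, roots, issued.Add(91*day)) == nil
	r.RenewDay10 = needsRenewal(leaf, issued.Add(10*day), 30*day)
	r.RenewDay65 = needsRenewal(leaf, issued.Add(65*day), 30*day)
	return r, nil
}

func main() {
	fmt.Println(runDemo())
}
```

runDemo is the entry point: TrustedOK comes back true, UntrustedOK and ExpiredOK false, RenewDay10 false and RenewDay65 true. The issuer check that rejects the certificate when the root is absent from the trust store is the same check a browser applies to a certificate from a CA not on its list, and the expiry check is why a certificate must be renewed before its validity runs out, whether that is after three years or after three months.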
Not only does their business model differ, so does their approach to issuing certificates. I will post more details about their approach in a technical post next week. Ideally, you’d host with a service provider such as Hetzner, or myself here in SA, that has Let’s Encrypt certificates enabled by default, completely taking the pain out of enabling HTTPS.
In short, as any sort of business or individual with a web presence in the form of a site, you need a certificate, not only to protect your users but also to ensure you stay relevant in Google’s searches. If you’d like to move to a host that supports Let’s Encrypt, or if you’d like to stay at your current host but secure your site, reach out to me and let’s chat.