A year ago, if you wanted a simple SSL certificate for your site or application, you had to part with your hard-earned dollars to get it. Granted that the cash shortages were still not known to most of us, liquidity was already a problem. On 12 April last year Let’s Encrypt changed all that.
Less than a year after its launch (it started issuing certificates in April last year) it announced that it had broken the 20 million certificates mark at the end of 2016. That’s phenomenal growth by most measures and it raises the question: why is Let’s Encrypt such a big deal, and what is its role in SSL certificates all about?
Well, technically, SSL is a deprecated cryptographic protocol, the predecessor of the Transport Layer Security (TLS) protocol, that people insist on continuing to use. TLS is a communications protocol that allows you to securely access internet services such as the web and email. It provides privacy (preventing people from spying) and ensures data integrity (preventing someone from tampering with your data).
We have already looked at SSL certificates here.
Why do I need it?
If you have an eCommerce site or app then SSL certificates are a must as such apps are a prime target for hackers and scammers. You will need a certificate in order to be PCI compliant. If you run a site/app which deals with user data such as logins, passwords and other confidential information you will need to use TLS to protect your site against various attacks.
Even if you don’t run such sites, having an encrypted connection will help boost your SEO. While it’s true that no one really knows the specifics of Google’s secret sauce, it has been confirmed that SSL is one of the key factors that is considered.
If you are the sort of person who responds to sticks instead of carrots here’s your stick: Starting this month users of the Chrome browser, arguably the most popular global browser, will start receiving a warning every time they land on an unsecured page telling them the site is not secure. Most novice users will run to the bushes as soon as they see this. Google has a lot of clout when it comes to the web and it’s always a good thing to listen to them.
You said free
Let’s Encrypt offers free certificates, which means at zero cost (gratis). This will help ensure that poor people like us, SMEs and tight-fisted conglomerates can have as many certificates as they need for all sorts of domains, including sub-domains.
To prove just how popular free is, here are some of Let’s Encrypt’s milestones:
- Let’s Encrypt is founded by two Mozilla employees in 2012
- Following tortoise-paced bureaucratic mumbo jumbo steps, they issue their first certificate in October 2015
- It reaches its 1 millionth certificate in March 2015 after 4 months in its public beta
- 44 days later they issue their 2 millionth certificate
- By November they had issued their 20 millionth certificate
- By January 2017 Let’s Encrypt now has about 20 active certificates and issues about 1 million certificates per day.
- The certificates are domain validation certificates
- They expire after precisely 90 days
- The issuing process is automated
I am afraid of certificates
If you are one of those people who faints at the sight of a bash terminal and this has been your reason for not implementing Let’s Encrypt on your site, you will be pleased to know that there is now a plethora of clients that make the process trivial.
Most major web providers now have click to install packages that make this process painless. Beware of some web hosts that provide you with “free” certificates that are actually paid certificates from other providers and might make you pay in subsequent years.
My favourite method, however, remains the Easy Engine Python script, which completely automates the whole process, including the configuration for Nginx and setting up a cron job to be executed every 89 days.
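Because the certificates expire after 90 days, a renewal job that runs only once shortly before expiry has little room to fail. The script below is an added example, not Easy Engine's code: it checks a certificate's remaining lifetime with `openssl x509 -checkend` and is meant to be run daily from cron. The 30-day window, the `RENEW_CMD` variable and the script path in the crontab comment are assumptions for illustration.

```shell
#!/bin/sh
# Added example: decide whether a 90-day certificate is due for renewal.
# Assumptions: the openssl CLI is installed; RENEW_CMD is a placeholder for
# whatever renew command your ACME client provides (not defined here).
#
# Hypothetical crontab entry, running the check once a day:
#   17 3 * * * /usr/local/bin/renew-check.sh /path/to/fullchain.pem

RENEW_WINDOW_DAYS=30   # assumed policy: renew when fewer than 30 days remain

# cert_needs_renewal FILE [DAYS]
# Returns 0 (true) when FILE is missing, unreadable, not a certificate,
# or expires within DAYS days. Returns 1 when it is still good.
cert_needs_renewal() {
    cert=$1
    days=${2:-$RENEW_WINDOW_DAYS}
    [ -r "$cert" ] || return 0
    # -checkend N exits 0 only if the certificate is still valid N seconds
    # from now; any other outcome is treated as "renew" (fail safe).
    if openssl x509 -in "$cert" -noout \
        -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# renew_if_due FILE
# Prints the decision and runs RENEW_CMD only when renewal is due.
renew_if_due() {
    if cert_needs_renewal "$1"; then
        echo "renew: $1"
        ${RENEW_CMD:-true}
    else
        echo "ok: $1"
    fi
}

# When called with certificate paths as arguments, check each one.
if [ "$#" -gt 0 ]; then
    for c in "$@"; do
        renew_if_due "$c"
    done
fi
```

Run daily, the check is a no-op for roughly the first 60 days of a certificate's life and then retries every day until renewal succeeds.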
A word about StartSSL
Those of you who have been frequenting this site for a while might remember that I once posted about how you could get a certificate from StartSSL. Well, the business was sold to a company called WoSign and due to some transparency issues Google and Mozilla will stop trusting certificates issued after October 2016. So my advice – stay away and switch over to Let’s Encrypt.
An SSL certificate is one of many essential arrows in a developer’s or webmaster’s quiver. It goes a long way in protecting the privacy and integrity of your customers’ communications. Let’s Encrypt is proving a bastion on that front. Their figures prove it, and their clarion call beckons to those who have not yet joined the secure web cause.