I spent the past weekend implementing HTTPS for my main websites, including this blog, and am glad to report that everything seems to have gone well. If you visit any of my *.kareldonk.com websites and suriname360, you’ll see a (green) lock in the address bar depending on which web-browser you use.
Let’s Encrypt knows a thing or two about how this works. Sponsors include Cisco, Mozilla, the Electronic Frontier Foundation, and Akamai, as well as Facebook, IdenTrust, and a host of other knowledgeable Internet companies. This isn’t a rinky-dink operation.
At the same time that these Internet heavyweights are backing the push for universal encryption, we’re still hearing that various governments around the world are trying to subvert encryption standards. Kazakhstan has announced it will man-in-the-middle every secured communication in or out of the country, starting on Jan. 1. Whether or not it can actually do so may be immaterial, because the country has also stated it will monitor the Internet activities of every person within its borders and of those who communicate with outside those borders. France announced it would like to ban Tor and public Wi-Fi networks, though the prime minister later said it was perhaps a bit much — regardless, there is no mistaking the intent.
Their service is currently in beta and so far appears to be working well. Although their client software is designed to make the whole procedure of getting and installing certificates completely automated, it’s possible to use it in manual mode. This is very important if you’re hosting your website on a shared hosting account (like most people do) and don’t have low level access to the server(s). You can still obtain certificates on a different system manually, and then install them on the server hosting your website, provided that your hosting provider allows this via their control panel.
The certificates issued by Let’s Encrypt are Domain Validation (DV) certificates. These guarantee the user that the content they’re receiving/viewing does indeed come from the website they’re visiting. For example, it makes it difficult for third parties to look at and modify the content during transmission, or to inject content into pages (like advertising injection). And because of the encryption, it also provides a higher level of privacy.
Depending on your website it can take some time to make the necessary changes in order to make it fully secure via HTTPS. In my case I had to make changes in the HTML code to make sure no mixed content was being served, and I also had to update all my posts in the database to fix these issues (mostly fixing source URLs that used HTTP for loading content). Finally I configured the webserver to force serving all content through HTTPS.
Manually getting the certificates from Let’s Encrypt and installing them can be a hassle if you have to do it for a couple of domains, especially since the certificates are currently valid for only 90 days. But I think things might improve in the future. Right now Let’s Encrypt only supports manual domain validation via HTTP, but will soon also be supporting validation via DNS records which should be less work. In addition there’s talk about supporting longer certificate lifetimes, and I really hope they change their policy to support that. Personally I’d be happy with a certificate lifetime of at least a year so that I only have to renew my certificates once a year.
Of course it’s going to be even better when hosting providers begin implementing Let’s Encrypt on their servers especially for their shared hosting, so that they can automatically take care of getting and installing certificates from Let’s Encrypt (here’s a list of hosts that are working on it). In that case a lifetime of 90 days won’t be an issue, and this is what the people at Let’s Encrypt are going for in the first place. Here’s what DreamHost is doing:
DreamHost users will soon be able to generate and enable Let’s Encrypt certificates directly within their control panel. Who knows — now that certificates are free, we may even enable HTTPS for all new customers by default!
Thanks to Edward Snowden’s revelations, the world now knows that virtually all of their Internet traffic (innocent or otherwise) is being monitored at any given time. Who’s doing the monitoring? A lot of different governments around the world, for starters — and that’s just what he told us about. Anyone on the Internet can peek at traffic and spy on anyone or anything, with or without just cause.
DreamHost believes that your private data should remain private. You should have a reasonable expectation that your interactions with a website won’t be monitored by a third party — ever.
In the end it’s always going to be impossible to have complete security and privacy; we are after all a part of nature, and nature is an inherently open system where there can be no secrets in the long term. But seeing as how we currently live in a very hostile world caused by the anti-social system that we live in, we have to do what we can to protect ourselves as much as possible from all the possible abuse. And I think universal encryption initiatives like Let’s Encrypt will (temporarily) help us to work towards a better world.