Most readers of this article will have set up SSL/TLS encryption for a website at some point in their career. It goes with the territory for system administrators and site owners. But for the average website owner, the process is fraught with difficulty and opportunities to make a mistake. Let’s Encrypt, which will become available to the public next month, is a new way of adding domain-validated SSL certificates to a site, and it aims to make the process easy for everyone.
It’s reasonable to ask: does everyone really need SSL encryption? It’s obvious that eCommerce sites and sites that handle sensitive information need a way to protect data that travels between server and browser from snoopers. The case for the average blog is somewhat less clear, but with the advent of ISPs that choose to inject their own advertising into blogs, the proliferation of content management systems that require authentication to post, and the eagerness of certain organisations to track what people are reading on the web, there’s a strong argument that all sites should be protected.
At least that’s the position of Internet giants like Mozilla, Google, and even Apple, all of which have made the use of HTTP/2 — the next big thing in the web world — dependent on a site implementing TLS.
Let’s Encrypt is an attempt by the Internet Security Research Group, which includes representatives from Mozilla, Cisco, and the EFF, to make it easy for less-technical people to implement SSL.
In a nutshell, the SSL system has three basic components: the site, an SSL certificate, and a Certificate Authority that validates the certificate. There are various levels of validation, the simplest of which is domain validation: confirmation that the holder of the certificate has legitimate control over the domain it applies to.
Let’s Encrypt is a combination of three things: a Certificate Authority that can validate SSL certificates; the Automated Certificate Management Environment (ACME), a protocol for automating the process of validating a certificate; and a set of tools for using the protocol and configuring a server for SSL.
The Let’s Encrypt process is really quite simple. A webmaster downloads the necessary tools to their server, runs a simple command, and the “letsencrypt” utility handles the creation of certificates, the validation of the domain, and the installation of the certificate in the web server.
The whole process takes seconds, and because Let’s Encrypt is a recognised Certificate Authority, all browsers will recognise the domain-validated certificates as secure.
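As an added illustration (not code from Let’s Encrypt or from this article), the sketch below models the kind of domain-validation exchange that ACME automates, using the HTTP-01 challenge as later standardised in RFC 8555, which goes beyond what the article describes. `ToyCA`, `fetch`, `demo` and the key values are constructed for the example, and the web root is simulated with a dictionary so the code runs offline.

```python
import base64, hashlib, hmac, json, secrets

PREFIX = "/.well-known/acme-challenge/"  # path defined by RFC 8555 for HTTP-01

def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding ACME uses for tokens and thumbprints."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def key_authorization(token: str, jwk: dict) -> str:
    """token + '.' + RFC 7638 SHA-256 thumbprint of the account's public key."""
    members = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return token + "." + b64url(hashlib.sha256(canonical.encode()).digest())

class ToyCA:
    """Hypothetical stand-in for the CA side of the exchange."""
    def __init__(self):
        self.pending = {}  # domain -> (token, account public key)

    def new_challenge(self, domain: str, jwk: dict) -> str:
        token = b64url(secrets.token_bytes(32))  # unpredictable, per request
        self.pending[domain] = (token, jwk)
        return token

    def validate(self, domain: str, fetch) -> bool:
        """fetch(domain, path) models the CA's own HTTP GET to the domain."""
        if domain not in self.pending:
            return False
        token, jwk = self.pending.pop(domain)  # each challenge is single-use
        body = fetch(domain, PREFIX + token)
        expected = key_authorization(token, jwk).encode()
        return body is not None and hmac.compare_digest(body.strip().encode(), expected)

def demo():
    ca, webroot = ToyCA(), {}  # webroot simulates files served by each domain
    fetch = lambda domain, path: webroot.get((domain, path))
    owner = {"kty": "EC", "crv": "P-256", "x": "Y29uc3RydWN0ZWQteA", "y": "Y29uc3RydWN0ZWQteQ"}  # constructed
    other = dict(owner, x="b3RoZXIta2V5LXg")  # a different constructed account key

    t1 = ca.new_challenge("example.com", owner)
    webroot[("example.com", PREFIX + t1)] = key_authorization(t1, owner)
    controls_domain = ca.validate("example.com", fetch)

    ca.new_challenge("example.com", other)       # requester cannot write to the web root
    nothing_published = ca.validate("example.com", fetch)

    t3 = ca.new_challenge("example.com", other)  # file exists but is bound to another key
    webroot[("example.com", PREFIX + t3)] = key_authorization(t3, owner)
    wrong_key = ca.validate("example.com", fetch)
    return controls_domain, nothing_published, wrong_key

if __name__ == "__main__":
    print(demo())
```

Only the requester who can publish the expected value under the domain's web root passes, which is the whole of what a domain-validated certificate attests.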
The Let’s Encrypt root certificates were created earlier this year, and the system has been in a limited trial for the last couple of months. It’s expected to go live on September 15th, at which point anyone who wants a free SSL certificate with domain validation can easily add encryption to their site.