Let's Encrypt is a new certificate authority (CA) offering free, domain-validated SSL certificates. Their aim is that everybody should be able to run their websites over HTTPS without having to go through a complicated process to buy an expensive certificate and that those certificates should be able to renew automatically. Not only are they offering free certificates, they're also making everything open source (see their GitHub account).
On October 19th, they announced that their certificates are now trusted by all major browsers. This is big news.
The certificates are scheduled for general availability on 16th November 2015.
Let's Encrypt is a new certificate authority (CA) offering free, domain-validated SSL certificates. I explained a little bit about CAs in part 2 of my series of articles about email security.
Actually, there's more to it than that. As their about page says:
Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. Let’s Encrypt is a service provided by the Internet Security Research Group (ISRG).
This all sounds rather good, and when you look further you'll see the following (taken verbatim from their website):
The key principles behind Let’s Encrypt are:
- Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.
- Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.
- Secure: Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.
- Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.
- Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt.
- Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.
I particularly like the sound of the Automatic bit. Renewing SSL certificates is often quite a tortuous process, and installing them can be tedious too, certainly for the casual user. I like the idea of securing a website with an SSL certificate that keeps itself up to date, and I'd be interested to see how it works in practice. If it really is trivially easy to set up, then perhaps this is a way to get HTTPS everywhere.
The big news is that Let's Encrypt is now trusted by most major browsers. Go to their test page at https://helloworld.letsencrypt.org/ and click on the padlock in your browser and you will see something like this (note the bit I've highlighted in red):
And their test page at https://helloworld.letsencrypt.org/ also gets an A on SSL Labs. I wrote quite a bit about the SSL Labs test in an earlier article and, whilst it relates mostly to the implementation of SSL on the server, you can't get an A with a junk certificate.
Don't other vendors offer free SSL certificates?
Yes they do. In the aforementioned email security article I made reference to two vendors (StartSSL and Comodo) from whom you can obtain free S/MIME certificates and they each offer free SSL certificates too.
However, Comodo only offers a free 90-day certificate (which is still better than many trial certificates offered by other providers), and the process for both vendors is decidedly more manual than the one Let's Encrypt is proposing.
When can I get my free certificate?
Very soon, but right now it's not yet possible for everybody to start using Let's Encrypt. They're issuing certificates fairly slowly before making the certificates generally available on 16th November 2015. If you can't wait, you can apply to join their beta program.
Anyone who knows me is aware that, whilst generally I don't wear a tinfoil hat, I am very keen for people to take security more seriously and I think everyone should use SSL certificates to encrypt their web traffic.
There are lots of very obvious reasons for this, including protecting sensitive data like passwords and cookies from eavesdropping. And Google has used HTTPS as a search ranking signal for over a year, too.
The process of obtaining an SSL certificate is more difficult than it should be and can be prohibitively expensive. Let's Encrypt want to simplify the process, make it free and also reduce the maintenance burden by making the certificates renew automatically.
Certainly a laudable aim. I wish them luck.