Let's Encrypt free SSL certificates are now trusted in your browser

Tom Chantler

Summary

Let's Encrypt is a new certificate authority (CA) offering free, domain-validated SSL certificates. Their aim is that everybody should be able to run their websites over HTTPS without having to go through a complicated process to buy an expensive certificate and that those certificates should be able to renew automatically. Not only are they offering free certificates, they're also making everything open source (see their GitHub account).

They are run by the non-profit Internet Security Research Group (ISRG) and they have some quite impressive sponsors.

On October 19th, they announced that their certificates are now trusted by all major browsers. This is big news.

The certificates are scheduled for general availability on 16th November 2014.

Background

Let's Encrypt coming Q4 2014

Let's Encrypt is a new certificate authority (CA) offering free, domain-validated SSL certificates. I explained a little bit about CAs in part 2 of my series of articles about email security.

Actually, there's more to it than that. As their about page says:

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. Let’s Encrypt is a service provided by the Internet Security Research Group (ISRG).

This all sounds rather good and when you look further you'll see (this is taken from their website verbatim):

The key principles behind Let’s Encrypt are:

  • Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.
  • Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.
  • Secure: Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.
  • Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.
  • Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt.
  • Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.

I particularly like the sound of the Automatic bit. Renewing SSL certificates is often quite a tortuous process and installing them can be tedious too, certainly for the casual user. I like the idea of securing a website with an SSL certificate that keeps itself up to date and I'd be interested to see how it works in practice. If it really is trivially easy to set up then perhaps this really is the way to get https everywhere.

The big news is that Let's Encrypt is now trusted by most major browsers. Go to their test page at https://helloworld.letsencrypt.org/ and click on the padlock in your browser and you will see something like this (note the bit I've highlighted in red):

Let's Encrypt trusted green padlock

And their test page at https://helloworld.letsencrypt.org/ also gets an A on SSL Labs. I wrote quite a bit about the SSL Labs test in an earlier article and, whilst it relates mostly to the implementation of SSL on the server, you can't get an A with a junk certificate.

Let's Encrypt A on SSL Labs

Don't other vendors offer free SSL certificates?

Yes they do. In the aforementioned email security article I made reference to two vendors (StartSSL and Comodo) from whom you can obtain free S/MIME certificates and they each offer free SSL certificates too.

However, in the case of Comodo, they only offer a free 90 day certificate (which is still better than many trial certificates offered by other providers) and the process for both vendors is decidedly more manual than the one being proposed by Let's Encrypt.

When can I get my free certificate?

Very soon, but right now it's not yet possible for everybody to start using Let's Encrypt. They're issuing certificates fairly slowly before making the certificates generally available on 16th November 2014. If you can't wait, you can apply to join their beta program.

Conclusion

Anyone who knows me is aware that, whilst generally I don't wear a tinfoil hat, I am very keen for people to take security more seriously and I think everyone should use SSL certificates to encrypt their web traffic.

There are lots of very obvious reasons for this, including protecting sensitive data like passwords and cookies from eavesdropping. And it's been used by Google to boost search rankings for over a year, too.

The process of obtaining an SSL certificate is more difficult than it should be and can be prohibitively expensive. Let's Encrypt want to simplify the process, make it free and also reduce the maintenance burden by making the certificates renew automatically.

Certainly a laudable aim. I wish them luck.
