Secured my site with Let’s Encrypt

You might notice if you browse this blog now, that it’s served over HTTPS. I’ve even added an Apache configuration to redirect plain HTTP requests to secure HTTPS and I’ve spent the last few days checking the pages for URLs including non-secure content and rewriting them to use HTTPS where possible, or otherwise removing them. You’ll also notice in the left-hand corner of the browser’s address bar, there’s a (hopefully familiar) little green lock which indicates:

  • your communication with the site is encrypted well
  • the authenticity of the site is verified by a trusted authority

Of those, the latter usually involves paying a trusted certificate authority a lot of money to verify and sign your site’s certificate so that browsers will mark it trusted. Security is important, but this high cost often creates a barrier for small companies wanting to use HTTPS.
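The search for non-secure content mentioned in the opening paragraph can be scripted. The following is an added example, not the author's own tooling: it lists every `http://` subresource a page would load, and ignores ordinary `<a>` links, which do not trigger mixed-content warnings. The tag table is an assumed subset (no `srcset` or CSS `url()` handling), and the sample page and its hosts are constructed.

```python
from html.parser import HTMLParser

# Attributes that make the browser fetch a subresource (assumed subset).
FETCHING = {
    "img": ["src"], "script": ["src"], "iframe": ["src"], "audio": ["src"],
    "video": ["src", "poster"], "source": ["src"], "embed": ["src"],
    "object": ["data"],
}
# <link> only loads content for some rel values; rel="canonical" does not.
LINK_RELS = {"stylesheet", "icon", "preload", "manifest"}


class MixedContentFinder(HTMLParser):
    """Collects (line, tag, attribute, url) for every http:// subresource."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        names = list(FETCHING.get(tag, []))
        if tag == "link" and LINK_RELS & set(attrs.get("rel", "").lower().split()):
            names.append("href")
        for name in names:
            url = attrs.get(name, "").strip()
            # Protocol-relative (//host/...) and https:// URLs are fine on an HTTPS page.
            if url.lower().startswith("http://"):
                self.findings.append((self.getpos()[0], tag, name, url))


def find_mixed_content(html):
    """Return the list of insecure subresource references found in html."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page; all hosts are placeholders.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.org/style.css">
<link rel="canonical" href="http://blog.example.org/post">
<script src="//cdn.example.org/app.js"></script>
</head><body>
<a href="http://example.com/">plain link, not mixed content</a>
<img src="http://img.example.org/lock.png" alt="lock">
<img src="https://img.example.org/ok.png" alt="ok">
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, url in find_mixed_content(SAMPLE):
        print(f"line {line}: <{tag} {attr}> loads {url}")
```

Each finding is a candidate for rewriting to `https://` if the remote host supports it, or for removal otherwise.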

As a reader, you don’t really gain too much from sinisterstuf.org being served over HTTPS, but for me it’s much more secure signing in to the administration panel. Although even on sites that don’t require users to log in, it’s still important to use encryption. That’s why I’m really excited about the new Certificate Authority called Let’s Encrypt which offers automated, trusted signing for free, using open standards with the aim of making it possible for every site on the internet to serve its content securely.

You can read about how Let’s Encrypt works and the technical specification. They provide a command-line tool which you run on your server to verify your ownership of the site and get a signed certificate for it. It even configures your web server to use the certificate automatically and supports both Apache and Nginx. There are also services online that help with this; you can go to certain sites to find out how much a business server costs and how you can implement this into your business.

Unfortunately the shared hosting that serves my site doesn’t allow me shell access, so I used the free web client at gethttpsforfree.com to set up my certificates. It took quite a few steps because I have several sub-domains, and of course this completely defeats the point of it being easy because it’s automated. Nevertheless, by just following the steps and running the commands shown, I was able to obtain and install a trusted signed certificate for my site.

Trusted Certificate


In the future I might like to write a tool that does the requesting and signing on a separate machine with shell access and transfers the verification files to the web server via FTP. That way I could automate my process as was originally intended without paying more for hosting.

Until then, it’s really cool to see other people are starting to use Let’s Encrypt too. For example, the innovative, open source strategy game Warzone 2100’s website’s certificate is issued by Let’s Encrypt. I think this is really great and a step forward towards the goal of better security and trust on the web.