Channel: Bits & Bytes » Security

Web traffic encryption just got easier


The internet is moving towards encrypted web traffic. If you pay attention to the address window in your browser, you will notice that more website addresses start with “https://” instead of “http://”. Websites that begin with “https://” use encryption to protect the information being exchanged with consumers.

Security over the internet is a good idea and like many good ideas, some take longer to “stick” than others. HTTPS was originally developed as part of the Netscape browser back in 1994. That year is memorable because Kurt Cobain was still with us, there was no World Series and Nelson Mandela was elected President of South Africa.

We experienced significant HTTPS movement in 2010, when a group of industry leaders created the HTTPS Everywhere browser extension, which makes browsers use more secure connections if possible. Unfortunately, the tool only addressed the browser side of the equation. Website operators still needed to add HTTPS to their sites in order to enable encryption.

Implementing HTTPS requires the operator to obtain a “certificate” that is used to drive encryption. The “certificate” can cost anywhere from $5 to $150 per year depending on the extras provided by the vendor, and there is even a free certificate available. The catch with offerings at the low end of the spectrum is that they may not be recognized by all browsers and are actually “on ramps” to more expensive packages.

I recently (December) ran across another industry effort called Let’s Encrypt. One of the common players across “Let’s Encrypt” and “HTTPS Everywhere” is the Electronic Frontier Foundation (EFF). I run into this group often because of my Open Source work and I have always found them to represent principles that improve the internet for everyone. There is no cost to a Let’s Encrypt certificate, and there is no marketing scheme or upsell strategy either.

Let’s Encrypt has been in a public BETA since December 2015 and there are many tutorials available if you would like to support HTTPS with your website but cannot afford to purchase a certificate. I have successfully installed Let’s Encrypt on five computers with the following services:

  • Apache MacOS
  • Apache Linux (various distributions)
  • Nginx Linux (Fedora)
  • Dovecot Linux (IMAP and POP3)

So far, so good. I can’t imagine the Raspberry Pi having a problem, but I’m too lazy to test that right now, so I visited CRTLabs. I talked to David Conroy and Chris Coté and they have been using Let’s Encrypt certificates in their IoT work for a while. That figures. It is becoming more difficult to surprise them with anything these days. At least they don’t taunt me with “Pick up the pace!” comments.

As a software developer, I find these certificates so much nicer than the “self-signed” variety. Also, the providers are working through an auto-update strategy. Wouldn’t it be great if they emerge from BETA with certificates that work AND automatically renew? I’d love to get fewer calls about services that stop because someone forgot to renew an SSL certificate.

