Let's Encrypt thoughts
On: 2nd September 2017
I just want to emphasise up front that there is no fact or truth behind what I'm saying in this post, just my thoughts and feelings. I am completely happy for someone to tell me that I'm wrong here.
What is Let's Encrypt?
Let's Encrypt is an SSL certificate authority that is free to use, automated, and uses open protocols to do this. A certificate authority is an organisation that will issue you a certificate stating that a website belongs to you. With it you can encrypt the connection between your website's server and the end user's web browser. This is typically set up with a small tool on your server that communicates with Let's Encrypt to obtain the certificate.
Why use lets encrypt
The clear reason for using Let's Encrypt is that you can get a certificate that is recognised by web browsers for free. There are many other benefits as well. You get a tool that you can run periodically to automatically renew your certificates. This is nice: no more panic when you find that your certificate is expiring and you have to buy and install a new one.
One alternative I know of is AWS, which has a feature for getting certificates for free. The issue I have with this is that you cannot take the certificate and private key and install them on your server. You have to use it on an AWS managed service like CloudFront. What if you just host a site on an EC2 instance? How do you use it? You have to put CloudFront in front of your application. Maybe that's fine, maybe it's a good thing. What if you simply don't want a CDN, what's your option? The way I see it, it's a way to tie you to the platform. I don't like that!
I'm sure this isn't the only alternative though. There have been many sites that could get you a free cert in the past.
My burning question...
Let's Encrypt seems like an awesome thing, and it is, but if you can get a certificate for free now, why would you still pay for one? I have several lines of thought here. The simplest is that you could be hosting your site on a shared hosting platform that doesn't give you the option of Let's Encrypt, and therefore the only way of getting a certificate installed is by buying one and installing it the more traditional way.
If you are not using shared hosting, what other reasons might you have to pay? The most obvious thing that grabs me when looking at buying a certificate is that they often offer a guarantee: a payout if things go wrong. Now, although this seems like a very good reason to pay, really, what does it cover? The certificate doesn't have any bearing on the SSL security that you actually run on your server. It's up to you to ensure that your server is configured in the most secure way, so surely the certificate authorities are not insuring that the server the certificate is on is good; if the encryption is cracked, will they pay out on that?
I did some research on the insurance side of the certificates, and what really happens here is that they are insuring the end user: if they incur a monetary loss due to the site that is secured by the certificate, the CA will pay out. Again, though, this leaves the question of what if the server was misconfigured or running old software: who is really liable? Just something to think about. I'm sure there is an answer to this if you dig into the terms of the certificate you are buying.
Other reasons you may want to purchase a certificate are to have it signed by a well-known security company; they will run more substantial checks to verify you are who you say you are. They also allow you to submit a CSR (Certificate Signing Request), which allows you to include more details about your company on the certificate. This, plus being signed by a respected company, means anyone questioning the legitimacy of the website they are looking at can read the certificate and make a decision about whether it is good or not. But come on, WHO DOES THAT!
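As an added example (not code from the original post or from Certbot), here is how to read the details a visitor could check on a certificate (subject, issuer, organisation, validity) and apply the same 30-days-remaining renewal threshold that Certbot uses by default, so the expiry panic mentioned earlier never happens; it assumes the openssl command-line tool is installed and that the certificate is a PEM file whose path you pass in.

```shell
#!/bin/sh
# Added example: inspect a PEM certificate and decide whether it is due for
# renewal. Assumes the openssl CLI is available; the file path is supplied
# by the caller (e.g. /etc/letsencrypt/live/<domain>/cert.pem with Certbot).

# Print the subject, issuer and validity window: the fields a person would
# look at when "reading the certificate" to judge a site.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -dates
}

# Echo the organisation (O=) named in the subject, if the certificate carries
# one. Certificates issued from a bare domain-validated CSR usually have none.
cert_org() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | tr ',' '\n' \
        | sed -n 's/^\(subject=\)\{0,1\}O=//p'
}

# Return 0 (true) when fewer than N days remain (default 30, Certbot's
# renewal threshold), i.e. the certificate should be renewed now.
# openssl's -checkend exits 0 while the cert stays valid for that long.
cert_needs_renewal() {
    seconds=$(( ${2:-30} * 86400 ))
    if openssl x509 -in "$1" -noout -checkend "$seconds" >/dev/null 2>&1; then
        return 1   # still valid beyond the threshold: nothing to do
    fi
    return 0       # expires within the threshold: renew
}

# Usage: sh check-cert.sh /path/to/cert.pem
if [ -n "$1" ]; then
    cert_summary "$1"
    echo "organisation: $(cert_org "$1")"
    if cert_needs_renewal "$1"; then
        echo "renewal due: fewer than 30 days remain"
    else
        echo "renewal not yet due"
    fi
fi
```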
My overall feeling about Let's Encrypt is that it is an amazing tool to enable the whole of the internet to start moving over to SSL. With this there isn't much excuse not to do it anymore. OK, you might have a hosting provider that doesn't offer it, but then move! Get a cheap virtual server, pay someone to set it up. Job done! Is Let's Encrypt suitable for everyone/every business? Probably not.
For websites like this one, your typical marketing websites, blogs, personal sites and similar, these are sites that you probably wouldn't have used to even run SSL on. With Let's Encrypt there is no reason not to. There is also a growing push towards doing so. It helps to create a more private web, preventing man-in-the-middle attacks but also just making it harder for third parties to track your activity. Another reason you may want to run SSL is to run HTTP/2, which can give you many performance benefits; most browsers require the site to be secured by SSL for them to connect over HTTP/2.
I feel though, if you are running an ecommerce site, a site that collects personal information, a company providing financial services or something like that, you may want to consider paying for a certificate to get the extra verification and the insurance. Whether it's worth it or not, if you are a big company then the cost of a certificate is probably not a problem for you, so why take the risk? Whether it is necessary or not, whether you will ever make use of the insurance, I'm not sure.
Let's Encrypt - the website all about Let's Encrypt
Certbot - the tool I use to get Let's Encrypt certificates
Please, if you read this and you have your own thoughts, facts or opinions on this topic, write a comment below. I would truly like it if someone could answer my questions or give their ideas. Maybe everything I have written is completely stupid!