If you’ve spent any time browsing the web, I hope you’ve learned not to enter any private information (passwords, credit cards, etc.) on websites that don’t have that little screen padlock next to the address bar in your web browser.
Seeing this icon means that communication between your computer and the website you visited is encrypted using a TLS (or its predecessor SSL) certificate, rather than sent as plain text, which can be snooped on.
These certificates are commonplace for e-commerce sites, banks, online e-mail providers – anyone who deals with private information. In fact, in order to accept credit cards online, the payment gateways require that you have a valid certificate in place. There are, of course, other websites that make sure your connection to them is secure, but (I assume) this is mainly due to the owner’s own stance on encryption, or because their IT department or web hosting company recommended it.
Then came August 6, 2014. A post on the Official Google Webmaster Blog, “HTTPS as a ranking signal”, announced that Google would begin using the existence of a TLS/SSL certificate as a signal in their page rank algorithm – the scoring system that determines how high (or low) your website appears in Google’s search results. Any web developer you speak to will tell you, in my experience, that this announcement caused a lot of website owners to immediately start asking for SSL certificates. Yes, they cost a little bit of money, but if it affected Google rankings, then it was worth it! (Grumbling rant: Privacy should be the reason… but, as with other things like proper web accessibility, SEO is often the factor that gets site owners’ attention.)
Obtaining a certificate – the old way
The process of obtaining a secure certificate has always been… a pain. You needed to pay a Certificate Authority (CA) for a certificate, upload a certificate request from your web server, reply to identity verification e-mails, install the resulting certificate on your server… and then go through this process again when your certificate expired. In many cases, your website also needed a dedicated IP address (this also costs money).
The costs for these certificates ranged anywhere from a few dollars a year to a few hundred dollars a year, depending on the level of identity verification, the number of domains they covered, etc.
On December 3, 2015, a new service entered public beta, called LetsEncrypt. LetsEncrypt is “a free, automated, and open certificate authority brought to you by the Internet Security Research Group (ISRG). ISRG is a California public benefit corporation, and is recognized by the IRS as a tax-exempt organization under Section 501(c)(3) of the Internal Revenue Code.”
This certificate authority, sponsored by companies like Mozilla, the EFF, Facebook, Automattic, Shopify, Cisco, Akamai, and others, is promoting the widespread use of TLS certificates on ALL websites, for free.
What does this mean? We’re going to start seeing web hosting companies offering free LetsEncrypt certificates as part of their hosting plans. Earlier this month, SiteGround announced that LetsEncrypt certificates are now available to all its shared hosting customers as an automated option in their cPanel Control Panel. This is the first host I’ve seen to integrate LetsEncrypt into their core offering, but I’m sure there are others.
As of this morning, the site you’re visiting right now is secured by LetsEncrypt!
Since I manage my own web server configuration, I followed this great guide from DigitalOcean [affiliate link], “How To Secure Nginx with Let’s Encrypt on Ubuntu 14.04”. It gives step-by-step instructions on setting up LetsEncrypt, including configuring your server to automatically renew the certificate.
Ready to get that padlock next to your site’s URL? Check out LetsEncrypt today!