Introduction to Let’s Encrypt Website Security – Free TLS/SSL Certificates for Everyone

06.06.17 Security Best Practices

An Industry Disrupted

The internet is all about disruption of established business models. But that disruption is not limited to virtual vs bricks-and-mortar businesses. Sometimes – often – internet and web technologies disrupt themselves.

Over the last decade, an entire sub-industry sprung up to provide TLS/SSL certificates for a fee, including big names like Network Solutions, Symantec, and Verisign. And thousands of other companies acted as Value-Added Resellers for TLS/SSL certificates – charging a premium fee for the certificates with things like free annual updates, support, and installation included. Even large providers like GoDaddy have enjoyed bumping up the needle on their top-line revenue by offering these as add-ons.

What Is Let’s Encrypt

As if on cue, the Internet Security Research Group (ISRG) has arrived and, since the official launch last year, they are rapidly overtaking all the paid certificate services. The ISRG’s stated mission is to reduce the “financial, technological, and educational barriers to secure communication over the internet.” Their first major initiative is Let’s Encrypt – a free, automated, and open certificate authority (CA) being run for the general public benefit.

Since they issued their first certificate in April 2016, Let’s Encrypt has been receiving wide acceptance and support by major organizations, including Digital Ocean, Google Chrome, Shopify, Mozilla, Akamai, Facebook, Cisco, and dozens of other technology and hosting businesses. Further, the major hosting, website, and server control panels (Plesk, cPanel, etc.) recognized the market shift and fully support Let’s Encrypt implementation in their latest versions.

There are many ways to secure websites using SSL/TLS using paid services and other open source alternatives. Website owners and developers like Let’s Encrypt because it is:

Sound, proven technology
Platform neutral and open source
Broadly accepted with more than 35 million active certificates as of April, 2017
Relatively easy to implement
Renewable automatically
Free (donations accepted)

The last item on that list is the truly disruptive part.

A Security and Economic Revolution – Free SSL

Let’s Encrypt is not offering any radically new technology or paradigm shift in approach or application. This is basic website security best practices stuff these days. But so many websites are not secure or otherwise encrypted, and there are so many malevolent actors out there trying to do harm, the ISRG does not want a few dollars to get in the way of a safer internet. So, with the help of a few corporate sponsors – who notably are NOT in the TLS/SSL business – ISRG’s Let’s Encrypt service are opening the free SSL floodgates.

Not Everything is Unicorns and Rainbows

Let’s Encrypt Certificates are not the best choice for every website application – at least not yet. Let’s Encrypt only offers Domain Validation (DV) certificates. They do not offer Organization Validation (OV), Extended Validation (EV), or Wildcard certificates since these kinds of specialty certificates cannot yet be delivered through a fully-automated process (we’ll see if that changes in the future). And since this is a free service, technical support is only provided through online documentation and a community support forum. So if you are new to TLS/SSL, this may not be the best course for you until you have a bit more experience.

You should also consider that this is still a relatively new service. As such, there will likely be occasional errors and headaches as they iron out the details and expand to serve a greater volume of requests. For example, there have been a few minor service outages when validation calls were failing and the datacenter serving up the validations suffered temporary outages … in most cases this is no big deal. These have all been short-duration “growing-pains” kinds of issues that were timely resolved. In the future we anticipate that these will be obviated by the addition of redundancy to their network as they grow. But that means that if you are running enterprise class, mission-critical websites right now, you might consider whether Let’s Encrypt is the right option at this point in their development.

Our Experience With Let’s Encrypt SSL Certificates

It is a normal part of our work at ICG to manage the set-up and maintenance of security certificates for our customers. Sometimes our customers have a built-in preference for certificate vendor. That’s just fine with us since we usually consider this a part of the overall service we provide. But most of the time, our customers ask for our recommendation and we are happy to help (since we do not resell certs we can remain objective).

This means that we have worked with dozens of different certificate vendors. This includes some of the big names you might have heard about, such as Network Solutions, Comodo, and DnSimple among others. But we have also worked with individual hosting providers who sell certificates as resellers. We recently had the opportunity to use Let’s Encrypt on a production project and found the process to be simple and clean. The certificate was easily installed and the test authentications went through without a hitch. The production server went live in Q1 2017 and there have been no issues.

All things considered, we are becoming enthusiastic about the results, value, and performance so far. The technical experience was equal to or better than all the other services we have used, the technology worked as expected, and … it was and remains free of charge. In short, you can still go to the “paid-for” websites and buy your basic website TLS/SSL security certificates. But if you have the technical skill, why would you ever do that again?