Let's Encrypt issues free certificates for website encryption to motivate website operators to secure their sites with SSL/TLS technology. What's the catch?

09 Nov. 2016 Moritz Jäger
Encrypting websites

There are many reasons that companies would want to protect their websites. In addition to encrypted data transfer, Google is also a strong argument for using encryption: with its HTTPS Everywhere campaign the firm announced that websites with strong and active encryption would be given preferential ranking in searches. So businesses that want to stand out from their competitors have to take a look at encryption and protect their sites.

Website encryption is a complicated topic: Every company is well aware that they should use the SSL (Secure Sockets Layer) protocol or its successor TLS (Transport Layer Security) to protect their websites. But many are discouraged by the complex technology as well as the murky pricing models practiced by certification authorities. The Let's Encrypt project tackles both issues very pragmatically: Not only are its certificates free of charge, it also has a high level of expertise in simplified integration of certificates into web servers.

Who is behind Let's Encrypt?

The "free of charge" part sounds too good to be true, when SSL certificates generally cost up to several hundred euros per year depending on their scope. But Let's Encrypt is absolutely real: It was begun by two Mozilla employees working with the Electronic Frontier Foundation (EFF) and the University of Michigan in 2012. Since then these founders have formed the not-for-profit Internet Security Research Group and the project has won over many prominent supporters, such as Akamai Technologies, Cisco Systems, Gemalto and Facebook.

The major advantage of Let's Encrypt is that the project has now been recognized as a root CA (certificate authority). This means its certificates have been countersigned by another certificate authority, in this case IdenTrust, and thus confirmed as legitimate. So browsers do not post error messages when you open a website encrypted with a Let's Encrypt certificate.

Principles of Let's Encrypt:

  • Free: Anyone who owns a domain can receive a valid certificate for this domain at no cost.
  • Automated: The entire process to generate and set up certificates is as simple and automated as possible. Certificate renewal will also be automated.
  • Secure: The Let's Encrypt platform commits to using state-of-the-art security engineering.
  • Transparent: Data concerning certificates that have been assigned and withdrawn is visible to all.
  • Open: The automated protocols for issuing and renewing certificates are an open standard and use open source programs wherever possible.
  • Cooperative: Let’s Encrypt wants to improve the Internet in general.

Matthias Simonis, security expert with eco Internet association, sums up the differences with previously existing solutions like this: "Let's Encrypt has the advantage of being very simple. You only have to demonstrate ownership of the domain to then integrate effective encryption with just a few commands."
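Demonstrating ownership of the domain, as the quote above puts it, is done in Let's Encrypt's issuance protocol (ACME, which the article does not name) by serving a challenge response from the domain itself. The Python below is an added example, not code from the article or from the Let's Encrypt project: it computes the HTTP-01 key authorization from the challenge token and the account key's JWK thumbprint (RFC 7638), gives the path and body the web server has to serve, and shows the check a validator performs on what it fetches. The JWK values are constructed placeholders, not a real key.

```python
import base64
import hashlib
import json


def b64url(data):
    """Base64url without padding, the encoding used throughout ACME and JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: SHA-256 over the required members only,
    keys in lexicographic order, no whitespace. Optional members such as
    'alg' or 'kid' must not influence the result."""
    required = {
        "RSA": ("e", "kty", "n"),
        "EC": ("crv", "kty", "x", "y"),
    }[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token, jwk):
    """token '.' thumbprint, the string that binds the challenge to the account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(token, jwk):
    """Path and body the web server must serve over plain HTTP for the HTTP-01 challenge."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def validate_http01(served_body, token, expected_thumbprint):
    """The validator's side: the fetched body must be exactly token.thumbprint
    (trailing whitespace tolerated), so a page owner who cannot place a file
    under /.well-known/ on that host cannot pass the check."""
    parts = served_body.strip().split(".")
    if len(parts) != 2:
        return False
    return parts[0] == token and parts[1] == expected_thumbprint


# Constructed placeholder key material (not a real RSA key); 'alg' is an
# optional member that the thumbprint must ignore.
SAMPLE_JWK = {
    "kty": "RSA",
    "alg": "RS256",
    "e": "AQAB",
    "n": b64url(b"constructed-modulus-bytes-for-illustration-only"),
}

if __name__ == "__main__":
    token = "constructed-challenge-token"
    path, body = http01_response(token, SAMPLE_JWK)
    print("serve at:", path)
    print("body    :", body)
    print("validator accepts:", validate_http01(body, token, jwk_thumbprint(SAMPLE_JWK)))
```

The thumbprint is what ties every challenge to one ACME account key, which is why the account key deserves the same protection as the server's private key: whoever holds it can answer challenges for any domain they can place a file on.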

Details and restrictions

Let's Encrypt issues X.509 certificates for TLS – domain validation certificates, which are subject to certain restrictions. One problem is the lack of support for wildcard domains. Let’s Encrypt issues single name or multi domain certificates, and no support for wildcards is currently planned, due primarily to the technical barriers.

Another possible drawback is the certificates' period of validity: They need to be renewed every 90 days. The project set this expiration period so that the impact of stolen certificates is limited in time, as well as to promote automated certificate renewal with its approach. Many other certification authorities require laborious manual certificate renewal.
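The 90-day lifetime only works if renewal is monitored and automated. The Python below is an added example rather than code from the article or from certbot: it parses the notAfter line that `openssl x509 -noout -enddate -in <cert>` prints for a certificate and decides, per domain, whether renewal is due. The 30-day renewal window is an assumption taken from certbot's default of renewing once less than a third of the lifetime remains; the domains and end dates are constructed sample data, and the reference time is fixed to the article's date so the output is reproducible.

```python
from datetime import datetime, timezone

LIFETIME_DAYS = 90        # validity period stated in the article
RENEW_BEFORE_DAYS = 30    # assumption: certbot's default renewal window

# Constructed sample data: what `openssl x509 -noout -enddate -in <cert>`
# prints for three hypothetical domains.
SAMPLE_ENDDATES = {
    "www.example.com": "notAfter=Jan 28 12:00:00 2017 GMT",
    "shop.example.com": "notAfter=Nov 29 12:00:00 2016 GMT",
    "old.example.com": "notAfter=Nov  4 12:00:00 2016 GMT",
}

# Fixed reference time (the article's date) so the example is reproducible;
# a real cron job would use datetime.now(timezone.utc).
REFERENCE_NOW = datetime(2016, 11, 9, 12, 0, 0, tzinfo=timezone.utc)


def parse_not_after(line):
    """Parse OpenSSL's 'notAfter=Mon DD HH:MM:SS YYYY GMT' into an aware UTC datetime."""
    key, _, value = line.strip().partition("=")
    if key != "notAfter":
        raise ValueError(f"unexpected line: {line!r}")
    value = " ".join(value.split())   # OpenSSL pads single-digit days with a space
    if not value.endswith(" GMT"):
        raise ValueError(f"expected a GMT timestamp: {value!r}")
    naive = datetime.strptime(value[:-4], "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def days_remaining(not_after, now):
    """Fractional days until expiry; negative once the certificate has expired."""
    return (not_after - now).total_seconds() / 86400.0


def classify(not_after, now, renew_before_days=RENEW_BEFORE_DAYS):
    """Renewal decision for one certificate."""
    remaining = days_remaining(not_after, now)
    if remaining <= 0:
        return "expired"
    if remaining > LIFETIME_DAYS:
        return "unexpected"   # longer than any Let's Encrypt certificate; worth a look
    if remaining <= renew_before_days:
        return "renew"
    return "ok"


def plan_renewals(enddate_lines, now):
    """Map each domain to its renewal status."""
    return {domain: classify(parse_not_after(line), now)
            for domain, line in enddate_lines.items()}


if __name__ == "__main__":
    for domain, status in plan_renewals(SAMPLE_ENDDATES, REFERENCE_NOW).items():
        left = days_remaining(parse_not_after(SAMPLE_ENDDATES[domain]), REFERENCE_NOW)
        print(f"{domain:20} {left:7.1f} days left  -> {status}")
```

Renewing at the 30-day mark rather than at expiry leaves time to notice and fix a failed renewal before visitors see a browser warning, which is the operational point of the short lifetime.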

Let's Encrypt certificates are also linked to domain names and not to IP addresses. This makes it somewhat more difficult to use Let’s Encrypt in a purely IP-based environment such as a corporate LAN. But this problem can be resolved by using a domain name within the LAN as well.

The biggest drawback currently is that the host needs to be part of the equation. For customers that are not using full servers with root access, including most subscribers to webspace packages, installing Let’s Encrypt certificates is often only possible if the hosting provider actively assists. While this is no problem with smaller hosts, many larger providers are reluctant – not least because they would often rather sell certificates from commercial providers at a markup for themselves.

Integration and conclusion

The technical aspect of Let's Encrypt is easy. Because the solution relies on existing standards, it can be used with all known SSL implementations. The web server receives an encryption solution such as OpenSSL and the certificate is then integrated via a corresponding client. It is up to the company to choose the client they use. The official certbot client for Let’s Encrypt works just as well as the plugin for the Plesk management solution or clients written in Python or PHP. And there are instructions on the web for nearly every application, content management system and web server configuration.

Let's Encrypt has shaken up the market

Despite its limitations, Let's Encrypt has attracted enormous interest. A million TLS certificates were issued in the beta phase. And once beta ended in April of this year, the number continued to rise, with more than four million Let's Encrypt certificates in place already in June.

Let's Encrypt has already shaken up the market for website encryption. And that is a good thing. Encryption was treated by many hosting providers as a premium option, and a way to earn good money.

In response to Let's Encrypt, prices for basic encryption of a website have fallen dramatically. 1&1 recently announced the addition of Symantec certificates to all hosting packages, while launching a full-fledged security campaign. This holds nothing but advantages for the web and its users. The time is ripe for wide-reaching encryption of data traffic in the Internet, and the conditions are in place to achieve it.