This website is now served over HTTPS using a certificate from Let’s Encrypt, a project that aims to provide free, trusted certificates for websites along with tools that make the certificates easy to get, install, and renew.

An HTTPS connection requires the server to be secured with a certificate that proves its identity. For basic Domain Validation certificates, the identity is just the domain name (e.g. tristancaulfield.com). For more advanced certificates, such as EV certs, identity can mean a particular company or organization.

Traditionally, these certificates are obtained from one of a number of trusted Certificate Authorities (CAs) that typically charge a fee to issue the certificate and verify that the person requesting the certificate is indeed the same person who owns the domain the certificate is for. The web browser has a list of trusted CAs. When it connects to a website using HTTPS, it checks to see if the server’s certificate has been signed by a trusted CA. If so, it assumes the server is the correct one for that domain and the connection proceeds. If not, the browser alerts you with a warning message.

This is why the verification step in certificate issuance is important: incorrectly issued certificates can allow attackers to impersonate legitimate websites or to perform man-in-the-middle attacks which the browser will not detect. It will appear as if the connection is secure and that you are connected to, say, mybank.com when in reality you are connected to a third party that is impersonating the real website. As a brief aside, this is also why things like Dell installing a trusted root certificate on its laptops or Lenovo installing Superfish to inject ads are such a bad thing: because the root certificates are trusted by the browser, anyone who possesses the private key for the certificates can impersonate any website or snoop on any (supposedly) secure traffic.

Let’s Encrypt acts as a trusted Certificate Authority (CA) and issues certificates using an automated process. Part of this process is verifying that you have control of the domains you are requesting certificates for. The Let’s Encrypt tool can handle this automatically, either by running a standalone webserver or by placing files on an existing webserver to prove ownership of the domain to the CA. The actual protocol for this is described here. I used the standalone webserver version, and obtained my certificates with no problem. There’s also an alternative, manual method for completing the verification.
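
The file-based proof of domain control described above, sketched as an added example (not code from this post or from the Let’s Encrypt tool). It assumes the HTTP-01 challenge as standardized in RFC 8555, which may differ in detail from the protocol draft in use when this post was written; the account key and token are constructed sample values.

```python
import base64
import hashlib
import json
import re

# Members RFC 7638 requires in the thumbprint input, per key type.
REQUIRED_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{22,}")  # base64url, at least 128 bits


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 JWK thumbprint (RFC 7638) of the account public key."""
    members = REQUIRED_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def challenge_path(token: str) -> str:
    """URL path the CA fetches from the domain over plain HTTP."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("token is not base64url; refusing to build a path")
    return "/.well-known/acme-challenge/" + token


def key_authorization(token: str, account_jwk: dict) -> str:
    """File content the applicant serves at challenge_path(token)."""
    return token + "." + jwk_thumbprint(account_jwk)


def ca_accepts(served_body: bytes, token: str, account_jwk: dict) -> bool:
    """CA-side check: body must match, ignoring trailing whitespace."""
    expected = key_authorization(token, account_jwk).encode("ascii")
    return served_body.rstrip() == expected


# Constructed sample values (not a real account key or CA token).
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": b64url(b"\x01" * 32),
               "y": b64url(b"\x02" * 32), "kid": "constructed-example"}
OTHER_JWK = dict(ACCOUNT_JWK, x=b64url(b"\x03" * 32))
TOKEN = b64url(bytes(range(32)))

if __name__ == "__main__":
    print(challenge_path(TOKEN))
    print(key_authorization(TOKEN, ACCOUNT_JWK))
```

Because the file content binds the CA's random token to the requester's account key, a file copied from one account's validation is rejected for any other account, and the token check keeps a malformed token from turning into a path outside the challenge directory.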

Once I had the certificates, I just had to install them and then I was ready to go. The tool can also attempt to automatically configure existing webservers to use the new certificates, but I did not try this.

The idea behind Let’s Encrypt is to enable HTTPS to be used in as many places as easily as possible because of the growing realization that standard, unsecured HTTP is not sufficient anymore. Regular HTTP traffic is vulnerable to surveillance, the content of web pages can be altered en route from server to client, ads can be injected, cookies can be tracked, and passwords can be captured. The public beta of Let’s Encrypt is starting soon. If you run a website then check it out and enable HTTPS on your site.


