Let’s Encrypt and Certbot: simple and free HTTPS for every website

But, it’s too simple?

http://www.commitstrip.com/en/2016/06/13/the-end-of-an-expensive-era/

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. 
The idea being that it’s high time more websites had a simple, easy to manage method to offer https encryption:

The key principles behind Let’s Encrypt are:

Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.

Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.

Secure: Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.

Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.

Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt.

Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.

Before Let’s Encrypt, obtaining a certificate for https meant spending a fair sum of money through trusted CA (certificate authorities) to acquire an SSL certifcate for your website.

Let’s Encrypt has completely changed this process: they have made access to a certificate completely free, they’ve also made sure both the installation process and the ability to update your certificate is as simple as possible. This means website owners can offer the benefits of https to their site visitors, without spending extra cash or time.


The biggest problem of Let’s Encrypt?

It permits access to https for any website! 
No, i’m not bipolar!
Most people (techs and not tech) consider and HTTPS as trusted and reliable.

When Let’s Encrypt providing encryption for a website, people that visiting it will give it the same level of trust as websites with the Extended Domain Validation, which includes the company name near the address bar.

So, even site identity isn’t actually verified, most visitors consider it reliable: it permits to make phishing and malicious websites with a more official look.

There are also tools provided to make installing and setting up a certificate as simple as possible.


On a Linux/OSX server, for example, one can rely on Certbot to install a Let’s Encrypt certificate by simply copying and pasting a few lines of code:

Certbot is an easy-to-use automatic client that fetches and deploys SSL/TLS certificates for your webserver. Certbot was developed by EFF and others as a client for Let’s Encrypt and was previously known as “the official Let’s Encrypt client” or “the Let’s Encrypt Python client.” Certbot will also work with any other CAs that support the ACME protocol.

While there are many other clients that implement the ACME protocol to fetch certificates, Certbot is the most extensive client and can automatically configure your webserver to start serving over HTTPS immediately. For Apache, it can also optionally automate security tasks such as tuning ciphersuites and enabling important security features such as HTTP → HTTPS redirects, OCSP stapling, HSTS, and upgrade-insecure-requests.

Certbot is part of EFF’s larger effort to encrypt the entire Internet. Websites need to use HTTPS to secure the web. Along with HTTPS Everywhere, Certbot aims to build a network that is more structurally private, safe, and protected against censorship.


The poor figure is just around the corner

The project is still young, and recently it has become the protagonist of some clamorous SNAFU :

https://community.letsencrypt.org/t/github-api-key-leak-may-16-2016/16032


https://community.letsencrypt.org/t/github-api-key-leak-may-16-2016/16032


Resources

https://community.letsencrypt.org/t/github-api-key-leak-may-16-2016/16032
https://community.letsencrypt.org/t/github-api-key-leak-may-16-2016/16032

Comments