Funky Afrika

Let’s Encrypt

Are you a blogger or techpreneur, or do you run websites for your own or commercial use? Do you struggle to keep your sites secure? Well, worry no more, as Let’s Encrypt is here to help you out.

Let’s Encrypt is a Certificate Authority (CA) that provides an easy way to obtain and install free TLS/SSL certificates, thereby enabling encrypted HTTPS on web servers. It simplifies the process by providing a software client, Certbot, that attempts to automate most (if not all) of the required steps. Currently, the entire process of obtaining and installing a certificate is fully automated on both Apache and Nginx.

As of the end of July 2018, the Let’s Encrypt root, ISRG Root X1, is directly trusted by Microsoft products. The root is now trusted by all major root programs, including Microsoft, Google, Apple, Mozilla, Oracle, and Blackberry. With over 124 million domains running on the service, Let’s Encrypt has proved to be the go-to place for free SSL certificates.

Encrypting the traffic to your website used to be a fairly expensive ordeal, particularly for small business owners who want to do right by their website visitors but don’t have a great deal of money to invest in HTTPS. Let’s Encrypt tackles this head-on, and also eliminates the complexity of installing and maintaining security certificates by automating the process.

Why use Let’s Encrypt?

The biggest selling point of Let’s Encrypt is obvious… It’s FREE!

It’s a fairly simple installation process, far simpler than traditional SSL certificates, designed to make HTTPS encryption accessible to any website owner. For Linux web servers where you have shell access, there are only two commands to be executed in order to acquire and install the Let’s Encrypt certificate. Many popular hosting companies, however, do not allow their customers root access; customers instead manage their website through a control panel with a graphical user interface, such as cPanel or Plesk. In this case, you may find that your hosting provider has already included built-in support for obtaining and configuring the free SSL certificate, as well as automating renewals, via a plugin in the control panel. They basically request the free certificate on your behalf, then automatically handle the maintenance themselves. Some web hosting companies now even automatically install the certificate on behalf of all their customers by default.

Certbot automatically fetches and deploys your Let’s Encrypt certificate, to immediately start serving over HTTPS. You can even enable features such as automatic HTTP to HTTPS redirects on Apache. As an initiative from EFF (Electronic Frontier Foundation), Certbot is part of a web-wide effort to encrypt the entire internet for the safety and security of its users.

It does what it says on the tin: it provides a secure connection between your site visitors and your site server.

Furthermore, they have respectable documentation available for those who need it, and a vast amount of community support when you need more specific information and advice.

Google Chrome is a “platinum sponsor” of Let’s Encrypt, so there’s little chance that Chrome will distrust it anytime soon, unlike Symantec certificates (operating under brand names: VeriSign, Equifax, GeoTrust, RapidSSL, and Thawte), which did not comply with CA/Browser Forum Baseline Requirements and are therefore being distrusted by Google in future Chrome updates.

If you look at our Let’s Encrypt SSL certificate, you may notice the Period of Validity seems extremely short. It’s definitely on the shorter side when compared to other popular SSL certificates. The 90-day lifetime can be seen as a disadvantage, since for some it’s an inconvenience, but it’s definitely pro-security as it requires a key change every three months.

Let’s Encrypt’s SAN (Subject Alternative Name) certificates allow multiple domain names to be protected with a single certificate. The ability to add multiple SAN values to a single Let’s Encrypt certificate can be a time-saver for organisations with multiple websites or microsites. This is different from wildcard certificates, which apply to multiple subdomains but not to entirely different domains. (More on wildcards later…)
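As an added example (not code from the original post or from Let’s Encrypt), this Python check ties together the 90-day lifetime and the SAN-versus-wildcard distinction described above. The certificate is a constructed dict in the shape returned by `ssl.SSLSocket.getpeercert()`; the hostnames, dates and the 30-day renewal threshold are assumptions.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert();
# the names and dates are made up for illustration (a 90-day validity window).
SAMPLE_CERT = {
    "notBefore": "Jul  1 00:00:00 2018 GMT",
    "notAfter": "Sep 29 00:00:00 2018 GMT",
    "subjectAltName": (
        ("DNS", "example.org"),
        ("DNS", "www.example.org"),
        ("DNS", "shop.example.net"),      # a different domain: needs its own SAN entry
        ("DNS", "*.blog.example.org"),    # wildcard: one label under blog.example.org
    ),
}

def days_remaining(cert, now):
    """Whole days until notAfter, measured from the timezone-aware datetime `now`."""
    expiry = ssl.cert_time_to_seconds(cert["notAfter"])
    return (datetime.fromtimestamp(expiry, tz=timezone.utc) - now).days

def san_covers(cert, hostname):
    """True if a DNS SAN matches; '*' stands for exactly one leftmost label."""
    host = hostname.lower().rstrip(".").split(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower().split(".")
        if len(pattern) != len(host):
            continue  # a wildcard never spans several labels or the bare parent name
        if pattern == host or (pattern[0] == "*" and pattern[1:] == host[1:]):
            return True
    return False

def audit(cert, hostnames, now, renew_before_days=30):
    """Return (days_left, renewal_due, uncovered_hostnames).

    renew_before_days is an assumed policy threshold, not a value from the post.
    """
    left = days_remaining(cert, now)
    uncovered = [h for h in hostnames if not san_covers(cert, h)]
    return left, left < renew_before_days, uncovered

if __name__ == "__main__":
    sites = ["example.org", "a.blog.example.org", "blog.example.org", "mail.example.org"]
    print(audit(SAMPLE_CERT, sites, datetime(2018, 9, 5, tzinfo=timezone.utc)))
```

Run against every hostname you serve, the uncovered list shows which names would produce a certificate mismatch, and the renewal flag shows when automated renewal has silently stopped working.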

There is also no downtime when issuing the certificate, due to the ACME protocol which performs the server validation.

Why shouldn’t you use Let’s Encrypt?

The biggest issue is that, although Let’s Encrypt provides the modern standard of website encryption, it doesn’t offer Extended Domain Validation (the green bar beside the URL, displaying the company name next to the padlock). There’s a difference. Not only does this mean that the identity of the website is not verified to the same extent as a website with Extended Domain Validation, but users (no matter how clueless) may also place less trust in websites that do not have the full “green bar” displaying the company name. As it is just domain validation, there are no additional checks on the owner of the domain or website.

What’s more, if Extended Domain Validation SSL certificates (EVs) or Organisation Validation SSL certificates (OVs) are important to you, you should be aware that Let’s Encrypt has no plans to make OVs and EVs available.

While Let’s Encrypt is now directly trusted by almost all newer versions of operating systems, browsers, and devices, there are still many older versions in the world that do not directly trust Let’s Encrypt. Some of those older systems will eventually be updated to trust Let’s Encrypt directly. Some will not, and the vast majority of those will have to cycle out of the Web ecosystem first. Let’s Encrypt expects this will take at least five more years, so it plans to use a cross signature until then.


You can support the cause here