On April 12th, 2016 the internet changed forever

Let's Encrypt free SSL certificates now available for all websites

As the whole internet moves gradually towards total end-to-end encryption, Let's Encrypt gave this process a massive boost on April 12th 2016 when they announced that their free SSL certificate program had left beta.

This is crucially important for various reasons. So many current and future attacks are immediately rendered null and void the instant SSL is enabled that it's worth doing as a matter of urgency.

Furthermore, Google recognizes this and announced some time ago that if a site is SSL secured, it will feature higher in its search engine rankings. When determining how high a site ranks, it uses various "signals", and with encryption joining mobile-friendliness, it's something every site owner needs to be aware of.

So why hasn't everyone done it already?

There are two reasons why ordinary web traffic isn't encrypted already.

The first is cost. Up until now, each certificate has had to be paid for, and this payment isn't a one-off. It's usually an annual fee, and although it has been getting lower and lower in the past few years, it hadn't quite reached the ultimate low cost of zero until Let's Encrypt. For ecommerce or other security-sensitive websites, this small fee is not a problem because encryption is essential for them, but for every other site it has just been seen as an optional extra that doesn't affect visitors if not implemented.

The second reason for avoiding it is complexity. This boils down to the arrangement with the web server provider, and the skills and knowledge they have in handling the administration. For owner-managed servers, a default installation (e.g. Linux) provides a webserver by default. Many users see this up and running and are happy to keep things as they are. To implement SSL, they have to find a certificate provider and have the skills needed to customize their installation. Many don't. When hosters say they can do this for them, they always charge more than the cost of the certificate itself as an admin fee. Let's Encrypt have made it as easy as possible for site owners to install and renew their free certs on all popular operating systems.


The Let's Encrypt project began in 2012 and was founded by Mozilla employees Josh Aas and Eric Rescorla, along with Peter Eckersley at the Electronic Frontier Foundation and J. Halderman from the University of Michigan. The company behind Let's Encrypt, Internet Security Research Group, was incorporated in May 2013. One of the problems preventing widespread adoption of a free SSL certificate is credibility: putting it bluntly, if no-one trusts you, you're dead in the water. Fortunately that's not the case for Let's Encrypt - check out some of the sponsors:

[Image: Let's Encrypt supporters]

Let’s Encrypt is free, automated and open. It is a certificate authority from the Internet Security Research Group (ISRG), a California public benefit corporation, and is fully recognized by the IRS as a tax-exempt operation under Section 501(c)(3) of the Internal Revenue Code. The ISRG’s mission is to reduce financial, technological, and educational barriers by enabling secure communication over the Internet.

The EFF is reporting that 2M+ certificates have now been issued. Almost all of them are protecting domains which had never used SSL before. Since many of the issued certs can cover multiple domains, the total number of sites protected is far higher than this figure.

[Image: Let's Encrypt activity]

In order to remain transparent, Let's Encrypt will regularly publish security reports and use open standards and free software as much as possible.

The getting started guide is here.