You want to put your credit card number into a web site. You know to look for a secure web site. But what does that really prove? And now that so many electronic projects have Web servers (ok, I’ll say it… the Internet of Things), do you need to secure your web server?
There was a time when getting a secure certificate (at least one that was meaningful) cost a pretty penny. However, a new initiative backed by some major players (like Cisco, Google, Mozilla, and many others) wants to give you a free SSL certificate. One reason they can afford to do this is they have automated the verification process so the cost to provide a certificate is very low.
That hasn’t always been true. Originally, trusted certificates were quite expensive. To understand why, you need to think about what an SSL certificate really means. First, you could always get a free certificate by simply creating one. The price was right, but the results left something to be desired.
A certificate contains a server’s public key, so any key is good enough to encrypt data to the server so that no one else can eavesdrop. What it doesn’t do is prove that the server is who they say they are. A self-generated certificate say “Hey! I’m your bank!” But there’s no proof of that.
To get that proof, you need two things. You need your certificate signed by a certificate authority (CA). You also need the Web browser (or other client) to accept the CA. A savvy user might install special certificates, but for the most utility, you want a CA which browsers already recognize. Actually, it is a little more complicated than that. Your CA might be recognized by another CA. That CA might be recognized by yet another CA. This can go on for awhile. The browser just has to trust one of the CAs in the chain.
That means the CA effectively is vouching that you are who you say you are. In the old days this was a laborious process and required the CA to prove your URL, your company name, your address, and other details. Today, most certificates only validate the URL. It is up to you to go to the correct URL.
This makes CA verification much simpler, however. With the Let’s Encrypt verification, you must have the right to either configure a DNS record or place a file on the server — a process with which webmasters are already familiar. The automated process will verify that you actually made the change and, thus, prove you own the domain.
Let’s Encrypt will soon become part of the Electronic Freedom Foundation and will get a new name. However, they’ve issued over a million certificates. Most browsers and operating systems will work with the certificates, although there is some limitation with Windows XP.
The whole SSL system generally works well, but it isn’t perfect. We’ve covered some certificate security problems with Google before.
As Web servers become more prevalent in electronic projects, a source of free and trusted certificates will come in handy. You can watch a video of the installation process below.