Many articles have been written in the past extolling the virtue and benefits of using SSL certificates on your website: Encrypt Sensitive Information! Establish Trust with your Users! Improve your Google Rank! Recent high-profile events in the news, such as the FBI’s ability to bypass Apple’s encryption in the iPhone 5C, have raised public awareness about the importance of encrypting your information.
It is interesting to note, then, that given all of these benefits of SSL encryption, the one obvious barrier to entry – at least for website owners – has been cost. Generally, a typical 1-year “lease” of an SSL certificate will set you back about $50. In the past, this has been as high as $300. Want to protect an entire domain? That’ll cost you upwards of $500.
Thankfully, some fine folks at the non-profit Internet Security Research Group had an idea to bring affordable, transparent, secure and (relatively) painless SSL certificates to the masses. How affordable? Their product, Let’s Encrypt, is zero cost. Yep, as in free. One of the stated goals of the Let’s Encrypt project is to get 100% of web browsing using HTTPS. A progress update posted in June 2016 on their blog shows that 45% of page loads on the web used HTTPS and they had issued more than 5 million certificates between December 2015 and June 2016. The popularity of the Let’s Encrypt project is evidenced by the fact that in Q4 of 2016, the Let’s Encrypt Root Key will be trusted by default in Firefox 50. This means that the project is one step closer to being an independently trusted Certificate Authority, on par with Comodo, Symantec, GoDaddy, and GlobalSign.
Of course, as the saying goes, there’s no such thing as a free lunch. And in the case of Let’s Encrypt certificates, there are a couple of concessions you have to make to enjoy free HTTPS for your website: first and foremost, all of the tools you use to get your certificate are Unix-based. Sorry, but at this point, most Windows tools are in the beginning stages, although there is a GUI called Certify which looks promising. So you’ll need someone who knows their way around a Unix shell to be able to use the tools Let’s Encrypt provides out of the box.
Next, you’ll need to be aware that unlike standard SSL certificates that are renewed once every 1, 3 or 5 years, the certificates issued by Let’s Encrypt are only good for 90 days. So you’ll be renewing the certificate every 4 months. Fortunately, the tools provided can be very easily automated, so this is less of an issue now (as opposed to when the project first started). You might be asking “Why only 90 days?” for a certificate when the standard is one year. They have written a blog post explaining this decision – by far, the best justification is that a 90-day renewal period limits how long a compromised or mis-issued certificate remains valid.
Given these two concessions for the benefit of a free, widely accepted SSL certificate that you can use (almost) indefinitely, the Let’s Encrypt program has without a doubt leveled the playing field for getting HTTPS integrated into your website. The program is still in its beginning stages, but there is no doubt that its accessibility and ease of use will only continue to get better.