I'm doing some light research tonight to reflect on some of what I've learned about SSL both in the past and in the recent weeks.
Before working at my current company, SSL was usually something I set up as a requirement for some other technology. An afterthought, you could say. Let's Encrypt was previously my go-to option. Recently I've just been using Cloudflare's easy SSL that you get with their free DNS management, because it is quick and they already have a really good DNS portal that lets you apply advanced rules (with free options!).
At my current company the situation is more complicated. SSL isn't just an afterthought on a prototype or bootstrapped project. It's an essential aspect with insurance, branding, and legal considerations. That is why, instead of using free certificates, we are paying close to 600 USD for an EV-SSL certificate.
EV stands for extended validation. It means that, from a legal and insurance point of view, the company running the CA (Certificate Authority) has taken extra measures to ensure that our company is who we say we are. As you browse the web you can tell when you're on a website with an EV-SSL certificate by the extra large green bar in the address bar.
Now that I have said what is good about EV-SSL, I will also say that from a technical standpoint it doesn't actually add any benefit. If you already trust the website domain you are using and the message is encrypted with any HTTPS, the data is secure. EV-SSL doesn't add any extra security, only the verification that the CA took steps to verify the identity of the certificate holder.
Both EV-SSL and self-signed certificates have their place. We are using EV-SSL for our front-facing web-pages but recently my department noticed that we are using EV-SSL certificates for our development and staging addresses. In addition we will also be needing more certificates for other projects.
As a cost saving measure we are moving anything not front facing to Let's Encrypt self-signed certificates. The green bar you get with EV-SSL is mainly there to create confidence with the user/consumer. With the number of certificates we need, our move to Let's Encrypt should save us $1500 that we don't need to spend.
Let's Encrypt is the opposite of EV-SSL. Whereas EV-SSL requires the CA to take several steps to verify the owner's information, Let's Encrypt requires none. Anyone can use the Let's Encrypt Certificate Authority to create an SSL certificate without verification and without waiting. This might sound bad or "unsafe", but really the opposite is true. Let's Encrypt has helped encourage the widespread adoption of HTTPS everywhere. In fact, that is their mission:
We do not charge a fee for our certificates. Let’s Encrypt is a nonprofit, our mission is to create a more secure and privacy-respecting Web by promoting the widespread adoption of HTTPS. Our services are free and easy to use so that every website can deploy HTTPS.
From the Let's Encrypt FAQ.
If everyone had to pay $500/yr just to use HTTPS it would be a lot less popular. You should always use HTTPS unless you are only reading. If you are sending information, expect that HTTP connections can be intercepted and read.
I won't get into the technical details of how to use Let's Encrypt because it is already well documented here.
I will say there is one aspect you really need to keep in mind: Let's Encrypt certificates are valid for only 90 days. So if you're using it as a long-term solution you definitely want to find a method to automate the renewal process. Their reasons for the short lifetime are as follows.
- They limit damage from key compromise and mis-issuance. Stolen keys and mis-issued certificates are valid for a shorter period of time.
- They encourage automation, which is absolutely essential for ease-of-use. If we’re going to move the entire Web to HTTPS, we can’t continue to expect system administrators to manually handle renewals. Once issuance and renewal are automated, shorter lifetimes won’t be any less convenient than longer ones.
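As an added example (not from the post or from Let's Encrypt), here is a small Python check that flags certificates approaching the end of their 90-day lifetime, so that renewal can be monitored while the automation is being set up. It assumes the common practice of renewing once fewer than 30 days remain, uses only the standard library, and the `fetch_not_after` helper makes a fully verified TLS connection only when run from the command line.

```python
"""Flag TLS certificates that are due for renewal or already expired.

Added example, not the post's own code. The 30-day renewal window is an
assumption based on common practice; the 90-day lifetime is Let's Encrypt's.
"""
import socket
import ssl
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

LIFETIME_DAYS = 90       # Let's Encrypt certificate lifetime
RENEW_WITHIN_DAYS = 30   # renew once fewer than this many days remain (assumption)


@dataclass
class ExpiryStatus:
    days_left: int   # whole days until notAfter; negative once expired
    action: str      # "ok", "renew" or "expired"


def expiry_status(not_after: str, as_of: Optional[str] = None) -> ExpiryStatus:
    """Classify a certificate by its notAfter string.

    not_after uses the format ssl.getpeercert()['notAfter'] returns,
    e.g. 'Jun  5 12:00:00 2024 GMT'. as_of is an optional ISO 8601
    timestamp (UTC assumed if no offset is given); it defaults to now.
    """
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    if as_of is None:
        now = datetime.now(timezone.utc)
    else:
        now = datetime.fromisoformat(as_of)
        if now.tzinfo is None:
            now = now.replace(tzinfo=timezone.utc)
    remaining = expires - now
    if remaining <= timedelta(0):
        action = "expired"
    elif remaining < timedelta(days=RENEW_WITHIN_DAYS):
        action = "renew"
    else:
        action = "ok"
    return ExpiryStatus(days_left=remaining.days, action=action)


def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect with certificate and hostname verification; return the leaf notAfter."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        status = expiry_status(fetch_not_after(host))
        print(f"{host}: {status.days_left} days left -> {status.action}")
```

Run it as `python check_expiry.py example.com` (hypothetical file name) from a cron job and alert on anything that is not "ok".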
I haven't taken the time to look at automating the renewal process yet. That's what I'll be looking at tomorrow.
I'm finding it's useful for me to write these little blogs on my daily readings as it helps me get back into the train of thought when I re-read later.
If anyone has advice, thoughts, questions, or comments about SSL leave a comment!
With letsencrypt the renewal process can be automated with a client like acme client. I used to use gandi for our company SSL certificates and I was very happy. They really live up to their slogan which is literally: "No bs". :)