HTTPS for Free
For those wishing to serve their website securely over HTTPS (Hypertext Transfer Protocol Secure) via SSL/TLS, there is now a free option for obtaining the necessary certificates.
So you want to secure your website? That’s great, but there are a few steps involved before it will work. One of the most important steps is to obtain and install a certificate from one of the certificate authorities. Whilst there are a number of names for these certificates, I shall hereafter refer to them as SSL certificates.
SSL (Secure Sockets Layer) is the name given to one of the earlier protocols that enabled secure web encryption to work over HTTPS. It’s not used any more, but the name has stuck (sometimes the term TLS [Transport Layer Security] is also used). SSL Certificates are small data files that digitally bind a cryptographic key to an organisation’s details. When installed on a web server, the certificate activates the browser padlock and the HTTPS protocol (over port 443) that allows secure connections from a web server to a browser.
Until recently, SSL certificates were available at a cost ranging from about AU$15 right up to AU$1300 for an extended validation (green bar) certificate – ouch! In August 2016, Let’s Encrypt was launched. Let’s Encrypt is described as a free, automated, and open certificate authority which is managed by the non-profit Internet Security Research Group (ISRG). They issue free SSL certificates.
What’s the point?
We all know that encrypting sensitive data such as credit card transactions, email and social media is standard over HTTPS these days, but what about the rest of the internet’s traffic? There’s a growing movement across the internet to utilise all-site HTTPS; that is to encrypt every page on a website rather than just the sensitive bits. Once upon a time, this would have been extremely expensive and significantly slowed down a website but improvements in technology mean that HTTPS is almost as fast as HTTP. As more people use public wi-fi to access websites (insecurely most of the time), there’s a lot of sense in encrypting all of the traffic to and from your website. It nothing else, it builds trust with your website’s audience.
The all-site HTTPS movement really gained momentum after Google announced in 2014 that HTTPS would be considered a “ranking signal” on Google. The United States government has also led the way by mandating that all USA government websites must be served over HTTPS by 2017. Many major websites are heading in that direction. In fact, Mozilla announced in 2015 that Firefox would eventually work towards marking all HTTP websites as insecure and Google Chrome announced something similar in 2016. Already there have been some changes in how browsers treat certain HTTP web pages.
Now is clearly the time to act. Others have made the move, such as The Guardian and Washington Post with good reason.
Let’s Encrypt with Let’s Encrypt!
In my own case, I decided to migrate my Coding Blog from HTTP to HTTPS and trial a Let’s Encrypt certificate. Whilst normal paid certificates will generally last for a year, Let’s Encrypt certificates have a life of 90 days (there are several reasons for this). Let’s Encrypt don’t offer wildcard certificates, so if your website takes resources from multiple subdomains (eg: https://static.yourdomain.com.au) then a certificate will be required for each subdomain to avoid mixed-content warnings.
The instructions for obtaining and installing certificates on Let’s Encrypt are complicated. They rely on shell access (which is not available to many) or integration with a hosting provider (also uncommon) or the use of desktop software called Certbot.
Thankfully some enterprising folks have come up with SSL For Free, a website that makes the process of validating your website and accessing the certificates quite easy. SSL for Free uses FTP (or SFTP if available) to install a small file on the target web server to authenticate its identity before issuing the Let’s Encrypt certificate.
The website is easy to use, and generating certificates took only a few minutes. I had seven domains to cover and it didn’t take long. Creating a free account is the best way to manage certificates and I recommend this. The other benefit is that the website will send a reminder email when the certificates need to be renewed.
Once the identity of my website was confirmed, SSL For Free provided the public key, private key and certificate authority bundle.
Activating the certificate(s) via cPanel
To activate the certificate on a website, log into cPanel. Under “Security”, click on “SSL/TLS”.
Click on “Install and Manage SSL for your site (HTTPS)” and then scroll down to “Install a SSL website”.
Choose the domain from the drop-down menu and then paste the public key, private key and certificate authority bundle in the appropriate boxes.
Click on “Install Certificate” and the certificate will be installed within about five seconds. Once this is complete, it should all work. Check the website within the browser to ensure the certificate is working correctly.
Finally, ensure that your website users are forced to use HTTPS.
The certificates have worked well on this and my other websites.
When the time came to renew my certificates, I was sent a reminder email from SSL For Free. The renewal process itself was fairly simple: I logged back into SSL For Free and renewed each domain via the same process as described above. The website showed that each certificate had been renewed.
The only failing was in the emails that followed. I renewed my certificates about three days in advance but on the last day received an email advising that my old certificates were about to expire and then that they’d expired. It seems that the SSL For Free system couldn’t identify that old certificates for a domain had been replaced with new ones.
Other than that, the system worked well.