By Dan Moren
October 16, 2020 12:34 PM PT
Service Station: Let’s Encrypt and Certbot make HTTPS easy and free
Way back in the late ’90s and early 2000s when I was first creating websites on a relatively frequent basis, the view of security on the web was a little bit different than it is today.
Sure, you hardened access to your server and tried to write your code as tightly as possible, but unless you were a huge organization or were handling credit card details, you didn’t really bother implementing secure HTTP connections, in large part because getting a certificate was often a pain and cost you money. (If you were just a hobbyist creating a website, for example, you probably weren’t going to pony up the hundred or more dollars per year that it cost.)

Fast forward twenty years, and this is one place that progress has definitely been made, thanks in large part to the Let’s Encrypt project. Created by the non-profit Internet Security Research Group, Let’s Encrypt makes acquiring a digital certificate to secure your website not only easy, but more importantly free.
I’m a huge fan of Let’s Encrypt, and have used its service to set up HTTPS on pretty much all the websites I’ve built in the past several years. My personal website and many of its attached subdomains use Let’s Encrypt; Jason has used it for Six Colors, The Incomparable, and his personal domains as well.
Let’s Encrypt is an automated Certificate Authority that makes it easy for server administrators to request and implement a certificate for their domain. While setting up the system on your own website does require a little bit of technical knowledge—you’ll probably have to delve into the command line—it’s a relatively easy process, thanks to the Certbot tool created by the Electronic Frontier Foundation, which works with a variety of operating systems and web servers.
By default, Let’s Encrypt requires you to renew your certificates every 90 days, which falls well under the 13-month limit Safari is now enforcing. But, as with getting a certificate, renewal is an easy process, and can often be automated for your site.
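Automated renewal can fail quietly, so it helps to check from the outside how long a certificate has left. The following is an added example, not code from Let’s Encrypt or Certbot: it classifies a certificate by its validity dates, and the 398-day cap, the 30-day renewal window, the function names and the sample dates are all assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

MAX_LIFETIME_DAYS = 398  # assumption: the roughly 13-month browser cap, counted in days
RENEW_BEFORE_DAYS = 30   # assumption: renew once fewer than 30 days remain

def _utc(field):
    """Parse a getpeercert() date such as 'Oct 16 00:00:00 2020 GMT' into aware UTC."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(field), tz=timezone.utc)

def assess(cert, now):
    """Classify a certificate dict (same shape as SSLSocket.getpeercert()) at `now`."""
    not_before, not_after = _utc(cert["notBefore"]), _utc(cert["notAfter"])
    days_left = (not_after - now).days
    if now < not_before:
        status = "not-yet-valid"
    elif now >= not_after:
        status = "expired"
    elif days_left < RENEW_BEFORE_DAYS:
        status = "renew-now"  # automation should already have replaced this one
    else:
        status = "ok"
    lifetime = (not_after - not_before).days
    return {"lifetime_days": lifetime, "days_left": days_left, "status": status,
            "over_cap": lifetime > MAX_LIFETIME_DAYS}

def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the validated leaf certificate of a live site (needs network access)."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample: a 90-day certificate issued on the article's publication date.
SAMPLE = {"notBefore": "Oct 16 00:00:00 2020 GMT", "notAfter": "Jan 14 00:00:00 2021 GMT"}

if __name__ == "__main__":
    for day in ("2020-11-01", "2020-12-20", "2021-02-01"):
        now = datetime.fromisoformat(day).replace(tzinfo=timezone.utc)
        print(day, assess(SAMPLE, now))
```

A certificate that has already expired makes `fetch_cert` raise `ssl.SSLCertVerificationError` rather than return, so a monitoring job should treat that exception as an alert as well.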
All of this simplicity is important, both for the administrators securing their sites and for their users. As seasoned web surfers, we’ve all grown accustomed to looking for the little padlock in the address bar when we’re making an e-commerce transaction, or even just when logging into a site: it gives us a visible indication that our information is being secured. But it’s not just about those high-risk situations: HTTPS ensures that the information sent back and forth between websites and our computers is kept out of everyone’s prying eyes.[1]
While there are plenty of sites out there that still lack HTTPS support, it’s increasingly become a basic necessity for websites of all stripes—not just those that handle information like credit cards. And though HTTPS isn’t the only ingredient for keeping a website safe and secure, it remains an important link in the chain.
Encryption has become a battleground topic in recent years, which is a real shame, because it’s a technology that is critical not only to the smooth and secure operation of the Internet, but to all of the huge number of devices that we use every day. If you’re someone who maintains a website, and it’s not using HTTPS, I can’t recommend Let’s Encrypt highly enough.
[1] There are, of course, exceptions, since many websites themselves work with ad networks or trackers. HTTPS doesn’t necessarily protect you in that regard.
[Dan Moren is the East Coast Bureau Chief of Six Colors. You can find him on Mastodon at @dmoren@zeppelin.flights or reach him by email at dan@sixcolors.com. His latest novel, the supernatural detective story All Souls Lost, is now available for pre-order.]