Almost a year ago, an initiative to deliver a free, secure and easy SSL/TLS to everybody on the web was announced. That’s Let’s Encrypt. I’ve been following the project closely ever since and, yesterday, received an invite to test Let’s Encrypt through their closed beta program.

Therefore… my personal website is available through HTTPS and SPDY[1]! This was the first time I had anything to do with setting up TLS and I can’t say it was a fun experience. I don’t even want to think how bad setting up TLS is through traditional means.

Setup

Once Let’s Encrypt is made available publicly, setting up a server to use TLS should be as easy as getting the letsencrypt tool onto your server and answering two or three questions after launching said tool. Ta-dah! TLS is up! However, this being a closed beta and my server being one of those low-end kind, I ran into some issues, and some manual fiddling was necessary to set things up properly.

The installation process of the letsencrypt tool compiles some nontrivial native libraries. The 192MB available on my server[2] was not enough for GCC to deal with the task and I had to compile the necessary libraries elsewhere. I also opted to use the manual authenticator, because the nginx authenticator has a scary warning about it not working yet. Once the authentication process was complete, though, all the necessary certificates were up and ready to go in /etc/letsencrypt/live before I counted to three. Awesome!
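For reference, the nginx configuration below wires the files the letsencrypt tool writes under /etc/letsencrypt/live into a site. It is an added example, not the configuration used for this post or anything shipped by the Let’s Encrypt project. It assumes the hostname example.com, a dedicated webroot /var/www/letsencrypt for the token file the manual authenticator asks you to serve for the HTTP-01 challenge, a site root /var/www/example.com, and an nginx older than 1.9.5 built with the spdy module (on 1.9.5 and later, replace `spdy` with `http2` on the listen line). The file names fullchain.pem and privkey.pem are the ones the tool creates in the live directory.

```nginx
# Added example: minimal nginx TLS setup for certificates issued by the
# letsencrypt tool. Hostname, webroot and site root below are assumptions.

# Plain HTTP: answer ACME HTTP-01 challenges, redirect everything else to HTTPS.
server {
    listen 80;
    server_name example.com;

    # The manual authenticator tells you to serve a token file at
    # /.well-known/acme-challenge/<token>. Serving that prefix from its own
    # directory means nothing else on the box is exposed over plain HTTP.
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;   # assumed; place the token file under
                                     # /var/www/letsencrypt/.well-known/acme-challenge/
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# HTTPS with SPDY. On nginx 1.9.5+ use: listen 443 ssl http2;
server {
    listen 443 ssl spdy;
    server_name example.com;

    # fullchain.pem is the leaf certificate followed by the Let's Encrypt
    # intermediate. Pointing ssl_certificate at cert.pem instead serves an
    # incomplete chain, which some clients reject even though browsers with
    # a cached intermediate appear to work.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;  # keep root-only readable

    # SPDY and HTTP/2 in browsers require TLS 1.2 anyway, so do not offer older
    # protocol versions on this listener.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    root /var/www/example.com;       # assumed site root
}
```

After `nginx -t` passes and nginx is reloaded, `openssl s_client -connect example.com:443 -servername example.com` prints the certificate chain the server actually sends; if only one certificate appears in the chain output, ssl_certificate is pointing at cert.pem rather than fullchain.pem.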

Perspective

Provided the letsencrypt tool indeed works as advertised – there is nothing preventing Let’s Encrypt from achieving that – I see absolutely no more reason for a website without TLS support to exist. On the other hand, there are plenty of reasons for non-TLS websites to implement TLS: other than the “more security” propaganda, some browser vendors are strongly encouraging encryption via miscellaneous means too. For example, Firefox Nightlies now present a website as insecure when a password field exists on an HTTP site, and some browsers (Chrome and Firefox, at least) support HTTP/2 and SPDY over TLS only.

Success of Let’s Encrypt would also strongly influence the market of SSL/TLS certificates – competition would be forced to provide at least a single free or very cheap (sub-€/sub-$) option for obtaining a certificate signed by them and to greatly improve the UX of generating and managing said certificates. I hear things aren’t in good shape currently.

All in all, I’m now even more enthusiastic about the future of the web and what the Let’s Encrypt project is bringing to the table. Thanks for all the hard work!


  1. HTTP/2 has been enabled in nginx 1.9.5 and I will be enabling that as soon as this version of nginx lands in the Ubuntu repositories.

  2. Interestingly, I couldn’t create any additional swap space either, because for some dumb reason the VPS provider had removed the permissions necessary to use swapon(2). Low-end servers, heh…