As a cybersecurity professional, I am responsible for the secure operation of a fair number of websites. Securing those sites and their services can be a tiresome task, which often requires a myriad of different tools to accomplish. Though each website presents its own set of challenges, there is one relatively simple step shared by all of them to ensure the confidentiality and integrity of the information they transmit and receive as it transits networks which may or may not be fully trusted: Transport Layer Security (TLS), or, for older systems, Secure Sockets Layer (SSL). I’ll save you the detailed description and instead point you at one of my older articles on the topic of SSL/TLS at a high level.
Google, the company responsible for the ongoing development of the popular Chrome browser, maintains an HTTPS Transparency Report: a set of open statistics on the usage and prevalence of Hypertext Transfer Protocol Secure (HTTPS) connections versus plain Hypertext Transfer Protocol (HTTP) connections (secure vs. insecure) among Chrome users around the world, collected from all types of devices including Android phones, Windows PCs, Macs, and Linux PCs. According to this report, usage of HTTPS across the Internet continues to increase, with the most recent data point showing Mac, Windows, Chromebook, and Android devices all sitting in the 90th percentile for the amount of browsing time spent over HTTPS.
The widespread use of TLS among modern websites speaks for itself in establishing how critical the protocol is to today’s internet. TLS, and its predecessor SSL, made securing communications between a client and a server simple enough to propel the rise of services like online banking, e-mail, instant messaging, and a raft of other technologies which rely on the fundamental assertion that data confidentiality and integrity are maintained as the data travels between the two entities at each end of the connection.
So, you might ask, how does one go about enabling TLS for a website under your purview? The answer is relatively simple: you just need a TLS certificate and a server like Nginx, Apache, or HAProxy to serve that certificate. Sounds simple, doesn’t it?
A TLS certificate is issued by a Certificate Authority (CA), a known trusted entity which records the issuance, expiration, and revocation of the certificates under its purview. A TLS certificate typically contains the following information:
- The subject domain name
- The subject organization name
- The name of the issuing CA
- Additional subject domain names, including subdomains (if present)
- Date of certificate issue
- Date of certificate expiration
- The certificate’s public key
- The CA’s digital signature (which verifies the certificate’s contents have not been modified since issuance)
All of this information serves as the public identity for the server upon which this certificate file is installed. When a client is presented with this site’s certificate, it performs a number of operations in order to ensure the server hosting this site is actually the server for which this certificate was generated.
Any CA can issue a TLS certificate for your website’s domain, for a fee. There are three types of TLS certificates in use around the internet: Domain Validation (DV) certificates, Organizational Validation (OV) certificates, and Extended Validation (EV) certificates. EV certificates are regarded as the most secure and most trustworthy certificates a website can possess, as they require the website owner to undergo a number of extra physical verification tasks to confirm not only their ownership of the domain in question but also their identity. In contrast, OV certificates only require the owner to prove that they are a legally registered business and that they own the domain in question. DV certificates are the most minimally validated of all three, only requiring the owner to prove they control the domain in question. CAs charge different prices for the three types: EV certificates are typically much more costly than OV certificates, which are in turn more expensive than DV certificates.
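To make the certificate fields above and the client-side checks concrete, here is an added example in Go (standard library only; it is not code from this article or from any CA). It builds a throwaway root CA and a leaf certificate signed by it, pulls out the fields listed above, and then runs the checks a client performs before trusting a server: the CA signature still verifies, the chain ends at a trusted root, the validity window covers the current time, and a subject name matches the host being connected to. The CA name "Example Root CA", the organization names and the example.test hostnames are constructed values for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertSummary holds the fields the article lists as a certificate's public identity.
type CertSummary struct {
	Subject   string    // subject domain name (CN)
	Org       string    // subject organization name
	Issuer    string    // name of the issuing CA
	SANs      []string  // additional subject domain names
	NotBefore time.Time // date of issue
	NotAfter  time.Time // date of expiration
	KeyAlg    string    // algorithm of the certificate's public key
}

// Summarize pulls those fields out of a parsed X.509 certificate.
func Summarize(c *x509.Certificate) CertSummary {
	org := ""
	if len(c.Subject.Organization) > 0 {
		org = c.Subject.Organization[0]
	}
	return CertSummary{Subject: c.Subject.CommonName, Org: org, Issuer: c.Issuer.CommonName,
		SANs: c.DNSNames, NotBefore: c.NotBefore, NotAfter: c.NotAfter, KeyAlg: c.PublicKeyAlgorithm.String()}
}

// BuildChain creates a throwaway root CA and a leaf certificate for hosts signed by it.
// Names and lifetimes are constructed for this example; a real site would get its
// certificate from a public CA instead.
func BuildChain(hosts []string, now time.Time) (root, leaf *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA", Organization: []string{"Example CA Inc"}},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if root, err = x509.ParseCertificate(rootDER); err != nil {
		return nil, nil, err
	}
	// The site's own key pair: the private half stays on the server, the public
	// half is embedded in the certificate that the CA signs.
	siteKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: hosts[0], Organization: []string{"Example Site Ltd"}},
		DNSNames:     hosts, // all names the certificate is valid for
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.AddDate(0, 0, 90), // short lifetime (constructed value)
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &siteKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = x509.ParseCertificate(leafDER)
	return root, leaf, err
}

// SignatureIntact reports whether the CA's signature over the certificate still
// verifies, i.e. its contents have not been altered since issuance.
func SignatureIntact(c, issuer *x509.Certificate) bool {
	return c.CheckSignatureFrom(issuer) == nil
}

// VerifyServerCert runs the checks a client performs before trusting a server:
// chain to a trusted root, validity window covering now, and hostname match.
func VerifyServerCert(leaf, trustedRoot *x509.Certificate, host string, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

func main() {
	now := time.Now()
	root, leaf, err := BuildChain([]string{"example.test", "www.example.test"}, now)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\nsignature intact: %v\n", Summarize(leaf), SignatureIntact(leaf, root))
	fmt.Println("right host:", VerifyServerCert(leaf, root, "www.example.test", now))
	fmt.Println("wrong host:", VerifyServerCert(leaf, root, "other.test", now))
	fmt.Println("after expiry:", VerifyServerCert(leaf, root, "example.test", now.AddDate(0, 0, 91)))
}
```

Running it shows the first verification succeeding (nil error) and the hostname-mismatch and expiry cases being rejected. Verifying the same leaf against a root from a different CA fails as well, which is the point of the trust store: a certificate is only as trustworthy as the CA the client already trusts.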
Now that we’ve taken a nice trip down the rabbit hole of what a TLS certificate is, I want to address the elephant in the room: how can we, as a community of open source developers, also open source the generation of valid TLS certificates? Enter Let’s Encrypt, stage left. Let’s Encrypt is exactly that: an automated, open source, and free CA which can issue a valid TLS certificate at no cost to any prospective website owner. If you want to see something magical, take another look at Google’s Transparency Report and look at the trends since the launch of the Let’s Encrypt service in April of 2016.
The trend there is unmistakable: the widespread availability of free TLS certificates from Let’s Encrypt was instrumental in enabling a more secure and trustworthy internet for all of us. In concert with Let’s Encrypt, the Electronic Frontier Foundation (EFF) launched a tool for security-minded website admins called Certbot, which creates a free TLS certificate and renews it every 60 days, requiring only that a simple script be run once to install the necessary components.
If you run a website, blog, or other connected digital service, please consider enabling encryption for it. Using Let’s Encrypt and Certbot brings the total time to implementation down to single-digit minutes, and the ability to protect the confidentiality and integrity of your users’ and servers’ data is absolutely invaluable in this day and age.
Stay safe out there!