Video: Microsoft's new open-source tool helps web devs secure sites
Companies have been delaying securing their websites for years. It's too much trouble, they think. It will cost too much, others say. Too bad. Google isn't putting up with these excuses anymore.
Come July 2018, with the release of Chrome 68, any site not protected with Secure-Socket Layer/Transport Layer Security (SSL/TLS) will be marked with the red-triangle of an insecure site. Unless you secure your site, you can kiss your web traffic goodbye.
This has been coming ever since 2010, when Firesheep showed your login could be stolen over a Wi-Fi connection. We knew then the only way secure the web was for every website to support encryption.
To secure your website, you must install an X.509 Digital Certificate, generically called an SSL certificate, on your server. A trusted third party, called a Certificate Authority (CA), guarantees the Digital Certificate's authenticity with a Digital Signature, so your visitors can be sure they are where they thought they were going.
There are many CAs. Some of the best commercial ones are Network Solutions, Entrust, and Symantec. Prices for certificates from a major provider range from $50 to $500. You can also get a free certificate -- that's every bit of good for most purposes -- from the non-profit Internet Security Research Group (ISRG)'s Let's Encrypt. The big business difference between the commercial CAs and Let's Encrypt is that commercial businesses back up their security with a warranty of between $500,000 and $1 million. With Let's Encrypt, you're on your own.
You can also self-sign your own certificate. That's fine, if it's just you connecting to your site, but self-signed certificates are useless for visitors who can't be sure your site is really the one they intended to visit.
Web Security Certificate Types
Before deploying any certificate you must know there are three different SSL certificate types. These are, in order of business capability: Domain Validation (DV) SSL Certificates, Organization Validation (OV) SSL Certificates, and Extended Validation (EV) SSL Certificates.
These certificates vary with how much encryption they use. While you can find discount certificates with 256-bit encryption, for real-world purposes, you need at least a 2048-bit certificate.
In the past, a DV was often, but not always, a self-signed certificate. Now, thanks largely to Let's Encrypt, DV certificates commonly come from a CA. Censys.io records over 300 million DV certs and 63 million self-signed certs, so the scale has definitely tipped.
DVs are also offered by some CAs, such as GeoTrust and RapidSSL. All a DV means is that the site has been registered by someone with admin rights to the site. If the certificate is valid and signed by a trusted CA, a web browser connecting to the site will inform you that it has successfully secured an HTTPS connection. You can use a DV to secure a simple website.
An OV validates the domain ownership and includes ownership information like the site owner's name, city, state, and country. This is the minimum certification level for a commercial website. This middle-tier of certificates is seldom used.
For a serious website, your best choice is an EV SSL certificate. These legally validate the domain's owners. Depending on the CA, it can take weeks to get one, so it's past time to start the processing of getting one. Sites with a SV SSL certification have a green address bar in most browsers.
The first two certifications come in two flavors. The first is the inexpensive single domain certificate. As the name suggests, it protects a single website. Its brother, the wildcard certificate, protects multiple sub-domains.
EV certificates are always a single-domain certificate. If you need to cover multiple sub-domains with EV certificates, you can often get a volume discount, but you can't get a wildcard that will cover all your sub-domains.
The easiest and cheapest way to get a certificate is to use Let's Encrypt with its DV certificates. Let's Encrypt is a free, automated, and open security certificate authority (CA) for everyone. It does not offer, nor will it ever offer, OV or EV certificates. Still, if you're not doing e-commerce from within your site, a Let's Encrypt DC may be all you need.
- Free: Anyone who owns a domain name can use Let's Encrypt to get a trusted certificate at zero cost.
- Automatic: Software running on a web server can interact with Let's Encrypt to painlessly get a certificate, securely configure it for use, and automatically take care of renewal.
- Secure: Let's Encrypt will advance TLS security best practices, both on the CA side and by helping site operators properly secure their servers.
- Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.
- Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt.
- Cooperative: Much like the internet protocols themselves, Let's Encrypt is a joint effort to benefit the community, beyond any one organization's control.
Technically, Let's Encrypt's management software uses Automated Certificate Management Environment (ACME) to:
- Prove: Automatically prove to the Let's Encrypt Certificate Authority (CA) that you control the website.
- Obtain a browser-trusted certificate and set it up on your web server.
- Keep track of when your certificate will expire, and automatically renew it. Since the service's certifications automatically expire every 90 days, you must renew the certificate frequently. To make sure, you're never caught short, you should automatically renew it every 60 days.
- Help you revoke the certificate if that ever becomes necessary.
If you're running an e-commerce site, use an EV SSL certificate from a well-regarded CA. To find the right commercial certificate for you, check out SSL Shopper's recommendations. For the rest of us, a Let's Encrypt certificate should work just fine.
To get started with Let's Encrypt, first update your server operating system and web server, and then download and install Let's Encrypt. If you're using a hosting site for your web server, use its in-house instructions or services.
If you're running your own web server on Linux, the easiest way to do this is with Certbot. This site provides detailed instructions for the most popular Linux server distributions and for the following web server programs: Apache, NGINX, Haproxy, and Plesk. If you're running on Microsoft Azure, you can use the GetSSL - Azure Automation PowerShell script. Still running your web server on Windows Server? Then, check out ACMESharp, which uses .NET and PowerShell.
For more details, see How to use Let's Encrypt to secure your websites.
Let's Encrypt will add wildcard certificates at the end of February 2018. However, you can still cover all your site's subdomains -- e.g. mail.example.com, www.example.com, preproduction.example.com -- by requesting a certificate using Subject Alternative Names (SAN).
So, what are you waiting for? Get on with securing your site, whether with Let's Encrypt or an EV from an established CA. If you don't, you'll be in a world of hurt this summer when people stop coming to your site because it's insecure.