There are two basic, universal truths when it comes to SSL/TLS certificates: they cost money, and can be rather difficult to set up. Let’s Encrypt, a new project from a coalition of web companies and organisations, aims to challenge both of these.
There have been a few certificate authorities that have offered free SSL certificates in the past, but these haven’t always been supported by mainstream web browsers. StartSSL’s free certificates don’t work in Internet Explorer, if I remember correctly. And very few web browsers accept CAcert.org certificates.
Let’s Encrypt, on the other hand, offers free certificates, and comes with tools that you can easily install on your web server to issue the certificates yourself. What’s more, these certificates should be accepted by almost all web browsers. The only major exceptions are some versions of Internet Explorer on Windows XP, and some older Android phones (more details here).
However, unlike paid-for SSL certificates, the certificates created by Let’s Encrypt are only valid for 90 days, rather than the usual year. The Let’s Encrypt software makes it easy to re-issue certificates though, so it’s not a major issue.
It’s hoped that Let’s Encrypt will allow more sites to support encrypted connections, to the point where encrypted connections are effectively the norm. This will hopefully have a major positive effect on web users’ privacy.
As an experiment, I set up a Let’s Encrypt certificate for the web site for BUSOM, which I host on this server. Whilst it should have worked fine under Debian Wheezy, I couldn’t get it to work fully until I had upgraded to Debian Jessie, as I mentioned yesterday. My hosting company posted specific instructions for getting Let’s Encrypt to work, and, on the whole, it was relatively easy to do. Note that you will get some mixed-content errors from the BUSOM web site as it hasn’t been shifted to HTTPS by default.
Let’s Encrypt is currently still in ‘beta’ but is open for anyone to set up certificates. Whilst I’ll probably stick with a paid-for SSL certificate for this blog for the time being, it’s nice to have a good, free alternative available.