
Let’s (not) Encrypt. But let’s not ignore https either.

There is a lot of talk around using https “everywhere” these days, even on websites that do not do any financial transactions or accept user data input. Google already uses https as a factor in search results (though it’s a small factor, and not universally used in results everywhere in the world). But they have made it clear that their intention is to expand the use of https as a search results ranking factor next year.

All of which has a lot of people who may never have considered using an SSL certificate before looking into making the move to SSL/https. The main barrier for a lot of people isn’t the technical work of installing a certificate, but rather the price. SSL certificates cost money. Some of them (like those with “Extended Validation”) cost a considerable amount of money.

A group of security-minded people thought there should be a free alternative, so they got together and the open source Let’s Encrypt project was started (by the Internet Security Research Group, with support from the Electronic Frontier Foundation, the Mozilla Foundation, Akamai, and Cisco Systems). Let’s Encrypt is now up and running, issuing free SSL certificates to anyone who wants one.

Pretty great, right? Well, yes and no.


For instance, if you want one of those Extended Validation certificates, you can’t get it from Let’s Encrypt. Organization Validation (OV) and Extended Validation (EV) certificates are not available, and wildcard certificates were not available either when this was written (Let’s Encrypt added them in 2018, and only through the DNS-based challenge). Let’s Encrypt checks only that the requester controls the domain; it does not verify the organization behind a site, so if you want a security “seal” to put on your site or order form, you can’t get it from Let’s Encrypt.

That’s right, Let’s Encrypt does not verify who is behind a site, and that is already being abused: hackers are building malicious sites with Let’s Encrypt certificates because they’re free and the operator never has to identify themselves. Keep in mind, though, that this is equally true of any domain-validated (DV) certificate, including the paid ones sold by commercial CAs. A certificate’s core job has always been to bind a key to a domain name so the browser can authenticate the server and encrypt the connection; the padlock tells you the connection really is to the domain in the address bar, not that the domain belongs to someone trustworthy. Vouching for the organization is the extra that Organization and Extended Validation add, and that is what you cannot get from Let’s Encrypt. It also raises a fair question: what will become of Let’s Encrypt certificates if their system becomes overrun with malware and phishing sites?
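
What “domain validation” concretely checks, as an added example (not code from this post or from Let’s Encrypt itself): the ACME http-01 exchange that Let’s Encrypt and other ACME CAs use, following RFC 8555 and the JWK thumbprint of RFC 7638. The account key, token and domain below are constructed placeholders rather than real values, and the CA-side function is a simplified stand-in for what a real CA does after fetching the challenge URL.

```python
"""ACME http-01 domain validation, both sides of the exchange.

  1. The CA hands the client a random token.
  2. The client computes keyAuthorization = token + "." + thumbprint(accountKey).
  3. The client serves it at http://<domain>/.well-known/acme-challenge/<token>.
  4. The CA fetches that URL over plain HTTP and compares.
Passing proves control of the web server answering for the name, nothing more.
"""
import base64
import hashlib
import hmac
import json
import re

# RFC 7638 section 3.2: the members hashed for a thumbprint, per key type.
# Optional members (alg, kid, use, ...) are deliberately excluded.
THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
}

# ACME tokens are base64url without padding (RFC 8555 section 8.3); a CA must
# reject anything else before the token is used to build a URL path.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# Constructed sample account key: NOT a real RSA key, just a JWK-shaped dict.
# The thumbprint only canonicalizes and hashes the JSON, so the key maths
# does not matter for this demonstration.
ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "sample-modulus-base64url-not-a-real-key",
    "alg": "RS256",          # optional member: must not affect the thumbprint
    "kid": "acct-2017-06",   # optional member: must not affect the thumbprint
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 JWK thumbprint: SHA-256 over the required members only,
    serialized as JSON with keys in lexicographic order and no whitespace."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """What the client publishes for an http-01 challenge (RFC 8555 8.1)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_challenge_url(domain: str, token: str) -> str:
    """Where the CA will look: plain HTTP on port 80, well-known path."""
    if not TOKEN_RE.match(token):
        raise ValueError("token is not base64url")
    return f"http://{domain}/.well-known/acme-challenge/{token}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """dns-01 variant (RFC 8555 8.4), the one wildcard names require: the TXT
    record at _acme-challenge.<domain> holds base64url(SHA-256(keyAuthz))."""
    key_authz = key_authorization(token, account_jwk).encode("ascii")
    return b64url(hashlib.sha256(key_authz).digest())


def ca_validates_http01(token: str, account_jwk: dict, served_body: str) -> bool:
    """CA-side decision after fetching the challenge URL. No organization
    identity is checked anywhere in this path; that is what DV means."""
    if not TOKEN_RE.match(token):
        return False
    expected = key_authorization(token, account_jwk)
    # RFC 8555 8.3 lets the CA ignore trailing whitespace in the response body.
    return hmac.compare_digest(served_body.rstrip().encode(), expected.encode())


if __name__ == "__main__":
    authz = key_authorization(SAMPLE_TOKEN, ACCOUNT_JWK)
    print("serve at:", http01_challenge_url("example.com", SAMPLE_TOKEN))
    print("body    :", authz)
    print("dns-01  :", dns01_txt_value(SAMPLE_TOKEN, ACCOUNT_JWK))
    print("valid   :", ca_validates_http01(SAMPLE_TOKEN, ACCOUNT_JWK, authz + "\n"))
```

The thumbprint ignores `alg` and `kid`, so an account key re-exported with different metadata still validates; the token regex matters because the token lands in a URL path on the client side and a file name on many servers. Nothing here asks who owns the domain, which is the whole difference between DV and OV/EV.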

Even if you don’t care about any of those things, the Let’s Encrypt certificates have a real convenience drawback: they are only valid for 90 days. The short lifetime is deliberate (it limits the damage from a stolen key or a mis-issued certificate, and it assumes renewal is automated by an ACME client such as certbot, which is straightforward on a Linux server you control), but it means that every three months a new certificate has to be requested and installed on the server. On shared Windows hosting (like Winhost), where you work through a control panel rather than running software on the server, there is no server-side automation available, and that process is no fun.
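
As an added example (not from this post), a standard-library Python script that checks how much validity a site’s certificate has left and applies the 30-day renewal window Let’s Encrypt recommends. It inspects the certificate over TLS from any machine, so it works even on shared hosting where you cannot run a renewal client on the server; it only tells you that renewal is due, it does not perform it. The sample certificate dict is constructed, and `fetch_peer_cert` is the only part that touches the network.

```python
"""Remote expiry check for a 90-day (Let's Encrypt) certificate."""
import socket
import ssl
from datetime import datetime, timezone

LIFETIME_DAYS = 90       # Let's Encrypt leaf certificates are issued for 90 days
RENEW_WITHIN_DAYS = 30   # renew once 30 days or less remain (Let's Encrypt guidance)

# Constructed sample in the dict format ssl.SSLSocket.getpeercert() returns.
# Not a real certificate; only the fields this example reads are present.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Mar 31 23:59:59 2025 GMT",
}


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Connect with SNI and full chain verification and return the decoded
    leaf certificate. Runs from any workstation, so it suits shared hosting."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def days_remaining(cert, now=None):
    """Days until notAfter. ssl.cert_time_to_seconds parses the
    '%b %d %H:%M:%S %Y GMT' format getpeercert() uses and treats it as UTC."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    now_ts = (now or datetime.now(timezone.utc)).timestamp()
    return (not_after - now_ts) / 86400.0


def renewal_status(cert, now=None):
    """'expired', 'renew' or 'ok' according to the renewal window."""
    left = days_remaining(cert, now)
    if left <= 0:
        return "expired"
    if left <= RENEW_WITHIN_DAYS:
        return "renew"
    return "ok"


def san_names(cert):
    """DNS names the certificate covers; the renewal must cover the same set."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    import sys
    cert = fetch_peer_cert(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CERT
    print(san_names(cert), f"{days_remaining(cert):.1f} days left", renewal_status(cert))
```

Run it with a host name as the first argument to check a live site; with no argument it evaluates the constructed sample. A cron job or scheduled task that runs this and alerts on `renew` is the minimum you want when the renewal itself is a manual control-panel step.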

But increasing security is never a bad thing. And don’t forget, Google is going to look more favorably on https sites very soon, so an SSL certificate should be on your to-do list, no matter what kind of site you run. If you want to use Let’s Encrypt on your Winhost site, you certainly can; we support it. We don’t recommend it, for the reasons we just mentioned, but if you’re up for going through the process every 90 days, you can.

But if you’re more of a set-it-and-forget-it type, we offer a full range of SSL certificates, starting at as little as $39 a year. You can register a certificate for two years as well, meaning it’s not something you have to think about every 90 days, or even every year. If you want to secure your site (and don’t want to see your Google ranking drop), you may want to get yourself an SSL certificate soon.


8 Responses
  • Sam Matthews

    That’s all well and good. I publish several games and host them on Winhost. I have no need for SSL but am forced to use it for many network-based operations. I like Let’s Encrypt because it lets me fulfill that need without having to pay the ridiculous fees hosts like yours are charging.

    And now your awesome host has decided to not allow the installation of certs unless they upgrade to your upper tier plans. No announcement or warning. Great going. Time to find another host.

    • Sam Matthews

      This turned out to be a bit of a misunderstanding. Winhost support staff was telling me I needed to upgrade to install a CERT, when in fact I had upgraded months prior. It was their mistake.

    • Michael

      Just to clarify for anyone else who reads this, you can use Let’s Encrypt certs if you want to. They’re inconvenient since they have to be renewed every 90 days (no Windows server automation yet), and we’re limited in how much help we can give you if you run into any problems. But if you want to invest the time in them you can certainly use them.

      Also, we’re not a certificate authority, which means we don’t actually issue SSL certificates, so we don’t set the prices. We’re a reseller, and we offer them as a convenience, for those who want to keep all of their site-related billing in one place. Our prices are actually below what you’d pay buying the certs direct from the issuer in most cases, for what it’s worth. But I know they can be expensive, depending on what you need.

  • Michael

    SharePoint developer Danny Jessee has written a great step-by-step article for anyone who wants to use a Let’s Encrypt certificate on a Winhost account: https://dannyjessee.com/blog/index.php/2017/06/installing-a-lets-encrypt-ssl-certificate-on-winhost-with-only-a-windows-10-workstation/

    It’s an involved process, but if you don’t mind poking around under the hood, it works.

  • Gregory Smith

    There are far greater and more devastating arguments to make against Let’s Encrypt than the 90 day renewals, which are intended to be automated. I recently ran into this post, which lays out some interesting arguments against using Let’s Encrypt: http://cubicspot.blogspot.com/2015/11/lets-not-encrypt-critical-problems-with.html

    Also, domain validated (DV) certificates ARE more reliable than any other type of cert especially when the whole process is strictly automated (i.e. no human element). Multiple CAs over the years have issued EV certificates for the wrong party *because* of the human element involved. DV is really the only type of certificate to be trusted since those certificates can be completely automated from request to signing to installation to renewal.

    • Michael

      Yeah, there are a lot of technical reasons that I could have gone into in the article, but for most people, the Let’s Encrypt issue comes down to ease (or difficulty) of implementation. It’s easily automated on *nix, not (yet) so on Windows.

      That article is interesting, but ironically the author demonstrates the underlying reason Let’s Encrypt was created, since he uses Let’s Encrypt certs himself. He uses them for the same reason everyone who uses them uses them: they’re free. I think the companies that got behind Let’s Encrypt recognized the reality that most people who weren’t selling something – processing financial transactions – were not going to pay for a cert. And it sure seems that Let’s Encrypt has been pretty successful so far at doing what it was designed to do, which is encrypting a lot of sites that wouldn’t have otherwise been encrypted.

      The overall message of the article, that SSL/TLS should be scrapped, is 100% correct. But I fear we’ll all be old and gray (or grayer) before that even begins to happen. He talks about spam, and that’s a perfect example, because we’ve had more than 20 years to fix email (which can only really be “fixed” by scrapping the traditional protocol), but we haven’t done it. For all its touted speed of innovation, the Internet moves extremely slowly on a lot of basic issues.

      It’s certainly true that domain validation being automated may make it less prone to human error or social engineering, but it also subverts one of the original tenets of SSL/TLS, which was authentication (the kind of authentication that is considered “Extended Validation” these days). Anyone who was around in the mid 90s might remember that getting an SSL cert was a slow and involved process (as was registering a domain name). But that original authentication idea kind of went by the wayside very early on, mainly because it’s impossible to do any kind of authentication at the scale necessary to keep up with the growth of the web.

      So it probably shouldn’t be too surprising that we’re seeing the cracks in SSL/TLS. It’s been broken for a long time.

  • Eric Eskildsen

    I get that WinHost has a vested interest in this, but Let’s Encrypt is really the perfect option for smaller sites that just need to guarantee to the end user that their data is encrypted and the domain is who it says it is.

    You can renew in under 5 minutes using ZeroSSL’s web interface. Add some scripting to the mix and it’s set-and-forget.

    The article gives a good overview, but a more neutral tone to me would make more sense lest your customers get the impression you don’t have their best interest in mind.

    • Michael

      We do have a vested interest in the subject, since we sell SSL certificates. Buy them here! 🙂

      But I still believe that Let’s Encrypt is not a perfect option for people who don’t want to renew their cert every 90 days (and it’s not an option at all if you need something Let’s Encrypt doesn’t provide). Renewing the cert may only take a few minutes, but updating it for your site in the Winhost Control Panel adds to that time, and that can’t currently be automated or scripted. If you’ve figured out a way around that, write it up and we’ll link to it. We’ll make it a blog post here if you’d like.

      We aren’t discouraging anyone who wants to use Let’s Encrypt. Like anything else, it’s a matter of convenience. When its use can be reliably automated on a production shared Windows server, I assume we’ll support that, and if/when that happens, this will be a different conversation, for sure. But as things stand now for Winhost customers (and most shared Windows server customers), using Let’s Encrypt involves considerable time and effort. And the more sites you manage, the more considerable that time becomes.

      For what it’s worth, I think Let’s Encrypt is a great idea, and eventually no one will pay for SSL certificates anymore – they’ll just be another “invisible” part of how the web works. Eventually. But we aren’t there yet.
