Ever since Google announced that it would give more weight in its search result rankings to encrypted websites (i.e. those using https), there’s been a debate amongst website owners about how best to do this. If your website doesn’t take payment information or allow users to log in, then there hasn’t been much need to secure your site up until now. But Google is encouraging encryption and it is generally a good idea: https stops anyone between the browser and the server from reading the traffic or tampering with it in transit, so a whole class of eavesdropping and content-injection problems simply goes away.
Currently, the major certificate authorities (CAs) charge quite a bit for doing very little. And while you can get free certificates, these usually come from less well known CAs, and there is a risk that browsers may stop trusting them. Another problem with https is the number of steps and hoops you have to jump through to obtain the certificate, install it and get your server configured for https. This all means that the average website isn’t going to bother.
Things might be a bit different next year though, thanks to the Let’s Encrypt initiative, which has the backing of the Electronic Frontier Foundation (EFF), Mozilla, Cisco, Akamai, IdenTrust and the University of Michigan. They plan on creating a new CA that will offer completely free domain validation certificates and to provide software for the major server platforms to automate the installation and setup of https websites. And because it has big backers, the new CA should be widely trusted by browsers.
It is possible to offer free domain validation (DV) certificates because all they claim is that whoever requested the certificate demonstrated control of a certain domain. They ask no questions about the person or organisation that owns the website. The other two types of certificate do. Organisation Validation (OV) and Extended Validation (EV) certificates require a human to check that the people operating the website are who they say they are. This costs money to do, so will not be offered by the new free CA. The flip side is worth remembering: a DV certificate says nothing about who is behind a domain, so a padlock on its own is no evidence that a site is legitimate.
So how will domain validation work? The software Let’s Encrypt will develop will validate a domain by placing a file containing an unguessable token issued by the Let’s Encrypt CA at an agreed location on the website. The CA then fetches that file over the public web and checks that the content matches what it handed out. This proves that the server requesting a certificate actually controls the content on the public website; it does not prove anything about who the operator is, and anyone who has taken over the web server or its DNS could pass the check just as well. Without this check, anybody could obtain a certificate for any website. Not a good idea.
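To make the exchange concrete, here is an added example (my own code, not Let’s Encrypt’s and not the client software described above) that plays both sides of an HTTP-based domain-validation challenge. It follows the general shape of that kind of challenge: the CA issues a random token, the site operator publishes a file under a well-known path whose content binds the token to the requester’s account key, and the CA fetches it and compares. The class names, the `.well-known/acme-challenge` path, the five-minute token lifetime and the stand-in `fetch()` that reads the site’s document root directly instead of doing a real HTTP GET are all assumptions of this example, and the account keys are constructed placeholders.

```python
"""Simulated HTTP domain-validation challenge, CA side and site side.
Added example; models the shape of an HTTP challenge, not Let's Encrypt's code."""
import base64
import hashlib
import hmac
import os
import secrets
import tempfile
import time

CHALLENGE_DIR = ".well-known/acme-challenge"   # assumed well-known path
TOKEN_LIFETIME = 300                           # seconds; assumed expiry


def b64url(data: bytes) -> str:
    """Base64url without padding, so the token is safe to use in a URL path."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class CertificateAuthority:
    """CA side: issues an unguessable token, later checks the public site."""

    def __init__(self):
        self.pending = {}  # token -> (domain, account thumbprint, issued_at)

    def new_challenge(self, domain: str, account_pubkey: bytes) -> str:
        token = b64url(secrets.token_bytes(32))           # 256 bits of entropy
        thumbprint = b64url(hashlib.sha256(account_pubkey).digest())
        self.pending[token] = (domain, thumbprint, time.time())
        return token

    def expected_body(self, token: str) -> str:
        """The answer binds the token to the requesting account's key."""
        _, thumbprint, _ = self.pending[token]
        return f"{token}.{thumbprint}"

    def verify(self, token: str, fetch) -> bool:
        """fetch(domain, path) stands in for the CA's HTTP GET to the site."""
        if token not in self.pending:
            return False
        domain, _, issued_at = self.pending[token]
        if time.time() - issued_at > TOKEN_LIFETIME:
            del self.pending[token]                      # stale challenge
            return False
        body = fetch(domain, f"/{CHALLENGE_DIR}/{token}")
        if body is None:
            return False
        ok = hmac.compare_digest(body.strip().encode(),
                                 self.expected_body(token).encode())
        if ok:
            del self.pending[token]   # one-shot: a spent token cannot be replayed
        return ok


class SiteClient:
    """Site side: only someone who can write to the docroot can answer."""

    def __init__(self, docroot: str, account_pubkey: bytes):
        self.docroot = docroot
        self.thumbprint = b64url(hashlib.sha256(account_pubkey).digest())

    def answer(self, token: str) -> None:
        path = os.path.join(self.docroot, CHALLENGE_DIR, token)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(f"{token}.{self.thumbprint}")


def fetch_from(docroots: dict):
    """Build a fetch() that reads the file a real CA would GET over HTTP."""
    def fetch(domain: str, path: str):
        root = docroots.get(domain)
        if root is None:
            return None
        full = os.path.join(root, path.lstrip("/"))
        if not os.path.isfile(full):
            return None
        with open(full) as f:
            return f.read()
    return fetch


def run_demo():
    """Returns (owner passes, attacker fails, replay of spent token fails)."""
    ca = CertificateAuthority()
    owner_key = b"owner-account-public-key"        # constructed placeholder
    attacker_key = b"attacker-account-public-key"  # constructed placeholder
    with tempfile.TemporaryDirectory() as root:
        fetch = fetch_from({"example.com": root})
        # Legitimate owner controls the docroot, so can publish the answer.
        t1 = ca.new_challenge("example.com", owner_key)
        SiteClient(root, owner_key).answer(t1)
        owner_ok = ca.verify(t1, fetch)
        # Attacker gets a token too, but has no write access to the site.
        t2 = ca.new_challenge("example.com", attacker_key)
        attacker_ok = ca.verify(t2, fetch)
        # The owner's token was consumed on success and cannot be reused.
        replay_ok = ca.verify(t1, fetch)
    return owner_ok, attacker_ok, replay_ok


if __name__ == "__main__":
    print(run_demo())
```

Two details carry most of the security weight: the token comes from a cryptographic random source so it cannot be guessed, and the file content includes a hash of the requester’s account key, so a token that leaks in transit is useless to anyone who does not also hold that key. The comparison uses `hmac.compare_digest` to avoid leaking how much of the answer matched, and a token is discarded once used or expired.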
I think this is a really good idea and I will be trying out this new way to make this website use https when the new CA is ready next year.