Encryption on the web is like backing up your hard drive – we all know we should be doing it, but there is always something in the way. What are the common excuses? For some it is the cost of the certificate. For others it is the complexity of exporting then importing. In reality it is not that hard to encrypt your website using a certificate. Before we talk about certificates, let’s see what could happen if you don’t encrypt.
The primary reason for encryption is to protect your users’ data. If you do not encrypt your traffic, your users’ passwords are sent in plain text, making it easy for someone to sniff WiFi packets and obtain their passwords. One of the most popular programs for capturing network traffic is Wireshark. The program is free and cross-platform; it even runs on a Raspberry Pi. After some minimal configuration Wireshark can capture all the packets on a wireless network. The HTTPS packets are useless (because they are encrypted) but the HTTP packets are interesting. You can see everything being sent.
HTTPS not only protects the data your users send you, it also protects the data you send your user. If your user is on a public network the network administrator can inject whatever they want into your page. Maybe it’s ads, JavaScript, phishing attempts – whatever they want. That’s right – someone just took the site you worked hard on and changed your HTML and JavaScript. How does that make you feel?
HTTPS uses asymmetric encryption. That means the key used to encrypt the data cannot be used to decrypt it. When using HTTPS there are four keys in play.
- The server’s public key. All clients have this key. The clients use this key to encrypt data they are sending to the server. The data can only be decrypted with the server’s private key.
- The server’s private key. Only the server has this key. This key is the only way to decrypt data sent to the server.
- The client’s public key. The server has this key. The server uses this key to encrypt data sent to the client.
- The client’s private key. Only the client has this key. The client uses this key to decrypt data sent from the server.
Ok, now I want to encrypt my site. How do I do it?
First you need a certificate. Luckily you have several options.
- Create a self-signed certificate. This solution is great for personal sites and sites with a small group of users. Your server creates its own certificate and your data is encrypted. However, the client’s browser knows the certificate did not come from a certified Certificate Authority and will warn the user.
- Buy a certificate from an authorized Certificate Authority. A Certificate Authority (CA) is a trusted organization that distributes certificates. Your browser has a list of trusted CAs and will accept the certificate. Your browser will have some type of icon near the address bar if the site is using a certificate from a CA. (You should see one for this site!)
- Obtain a trusted certificate for free from Let’s Encrypt!
Number 3 sounds good! What’s the catch?
You really do get a free certificate from Let’s Encrypt, but there are a few gotchas you need to be aware of. The first is that the certificate is only good for 90 days. Most CAs will sell you certificates good for at least 1 year. This is easy to work around because Let’s Encrypt provides tools for automatically renewing your certificate. The second gotcha for us Windows users is that Let’s Encrypt seems to favor Linux a bit. The process for obtaining a certificate for Windows is a bit cumbersome. You can use Let’s Encrypt certificates on a Windows server; it’s just more of a manual process.
Some web hosts give you a one-click option to use Let’s Encrypt. If that’s the case, I would absolutely use Let’s Encrypt instead of paying for a certificate.
Get your free certificate here: https://letsencrypt.org/
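Because the certificate is only good for 90 days, it is worth checking the expiry date independently of whatever renews it. The Python check below is an added example, not code from the original post or from Let’s Encrypt’s tooling; the 30-day renewal threshold, the function names and the sample certificate are assumptions made for illustration.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

RENEW_BELOW_DAYS = 30  # assumption: treat a 90-day certificate as due at 30 days left


def days_remaining(cert, now):
    """Whole days until expiry for a dict shaped like SSLSocket.getpeercert()."""
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (expires - now).days


def renewal_status(cert, now, threshold=RENEW_BELOW_DAYS):
    """Classify a certificate as 'expired', 'renew-now' or 'ok'."""
    left = days_remaining(cert, now)
    if left < 0:
        return "expired"
    if left < threshold:
        return "renew-now"
    return "ok"


def fetch_cert(host, port=443, timeout=5.0):
    """Return (cert, None) on success or (None, reason) on failure."""
    ctx = ssl.create_default_context()  # verifies the chain and the host name
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(), None
    except ssl.SSLCertVerificationError as exc:
        # A self-signed certificate ends up here, like the browser warning.
        return None, exc.verify_message
    except OSError as exc:
        return None, str(exc)


# Constructed sample in the shape getpeercert() returns (not a real certificate).
SAMPLE_CERT = {"notAfter": "Apr  1 00:00:00 2024 GMT"}

if __name__ == "__main__" and len(sys.argv) > 1:
    cert, error = fetch_cert(sys.argv[1])
    now = datetime.now(timezone.utc)
    print(error if cert is None else renewal_status(cert, now))
```

Run it with a host name as the only argument from a scheduled task; any output other than "ok" means the renewal did not happen or the certificate is not trusted.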
OWASP is a great resource for learning about security best practices. See their TLS Cheat Sheet here: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
Bonus tip – HTTP/2 support has been growing since its release in 2015. Windows added support in Server 2016. The specification states that HTTP/2 does not require encryption; however, browser vendors have opted to require HTTPS when using HTTP/2. Web servers have followed their lead, and currently it is not possible to serve a site using HTTP/2 without HTTPS.