Let’s Encrypt for Free!

This is an account of how I went from no encryption, to almost getting a paid SSL certificate to finally making and installing a free one on my domain. It started with me setting up an ownCloud server on my hosting account to access and sync my data on the cloud after going from Dropbox, to Copy to Mega and finally to pCloud over a span of five or so years.

Why ownCloud?

Mainly because I have a shared hosting account with Arvixe (an excellent hosting service) with unlimited data storage, and I was curious as to how much of an effort it would be to set up my own cloud storage since hearing about ownCloud a couple of months ago. It turns out that it wasn’t much of an effort after all. I simply contacted the support team at Arvixe, who made the ownCloud app available on my cPanel, and then it was just a matter of filling in a simple online form with details such as where to store your data, which address to access the ownCloud web interface on, etc. The ownCloud project is fantastic! And from what I’ve seen, it has most (if not all) of the features that any other company like Dropbox or Mega has to offer. It took me 15 minutes to set things up, install the (Linux) client and sync my cloud storage (a folder on my hosting account) with a local folder.

So is that it? Turns out that there’s more. Since I’m now transferring data to and from my domain, the connection to the domain should be secure. And the connection can be secured with SSL encryption.

SSL Encryption

I won’t go much into TLS/SSL encryption here as there are plenty of resources online that explain it. It would suffice to know that it is a way for a website to secure the connection between itself and a visitor so that any data exchanged between the two is encrypted and not visible to a (potentially malicious) third party that is eavesdropping on the connection. This is necessary to prevent what is known as a man-in-the-middle attack where a hacker intercepts the connection between the website and its visitor and collects the data being transmitted between the two (which may sometimes be confidential, such as credit card numbers, personal identification numbers, etc.) without either the website or its visitor knowing about it.

The Chromium Browser address bar when the connection to the page is not secured (note the “http://”).

Lately there has been a growing interest among websites in adopting SSL (or its successor TLS) to secure the connections between them and their visitors. Google has even proposed to blacklist websites that don’t adopt the SSL protocol. At a first glance, one can tell whether or not a website is secure by keeping an eye out for a green lock next to the address bar, and the fact that the address bar says https:// (with the green lock symbol) instead of http://. The s here stands for secure. And if you click on the green lock, it pops up a little window that shows who the site has been secured by.

The Chromium Browser address bar when the connection to the page is secured (note the “https://”).

All this stress on security and privacy is, in my opinion, justified. So given that now I’m transmitting my data between my local machine and my domain I decided it would be a good idea to adopt SSL encryption on my domain. This can be realised by obtaining an SSL certificate from a Certification Authority.

SSL Certificates and Certification Authorities

In order to obtain an SSL certificate for your domains, you should purchase it from a certification authority (CA) or a reseller who sells it at a cheaper rate sans some extra benefits of support that the CA would be able to offer for a higher price. Some of the most popular CAs around are Symantec, GeoTrust, GlobalSign, DigiCert and GoDaddy. Each of these CAs sells you a certificate for a fixed period of time – typically 1 to 3 years – and offers different packages such as Extended Validation, Wildcard domain certification, etc. For instance, have a look at what Symantec, GeoTrust and GlobalSign have to offer. These are very similar options but priced differently depending on the CA’s credibility (which apparently is a major factor in deciding whom to go with) and what is contained in the option.

On the other hand, there are companies that purchase certificates from the CAs in bulk and re-sell them at a cheaper rate. These are websites such as SSL Shopper, or even your own hosting company. I know my hosting company Arvixe re-sells certificates purchased from GlobalSign. Depending on whether you are purchasing your certificate from a re-seller or directly from a CA, the price varies between $17 (the lowest I could find for a RapidSSL certificate from SSL Shopper) to a few thousand dollars.

A CA or a re-seller issues you a certificate following a verification procedure that confirms that you are indeed the owner of the domain and that your company is a legitimate one whose credentials have been verified by this issuing authority. The verification process is either manual or fully automatic, and depending on how thoroughly it is done, the issuance of a certificate can take anything between a few minutes and a few weeks. I did not complete this process myself (for reasons explained below), but I do recall abandoning a few applications midway because it seemed like a hassle to provide them with information I didn’t even know the meaning of. And although an expensive, time-consuming and thorough process might make sense for a big company that handles a lot of financial transactions and exchanges of information with its customers, with a lot at stake, I felt like it was overkill in my case when all I wanted to secure was my personal domain and communications with my ownCloud server (remember?).

Now this all sounds good, and I was almost convinced that I should buy myself one of the cheaper certificates for a few dollars a year from SSL Shopper. I had gathered all this information over a week of looking things up in my free time. I was quite sure that I had covered all viable options, but I couldn’t help wondering whether it’s possible to get an SSL certificate for my personal domain for free. One final DuckDuckGo search led me to a StackOverflow post that answered this question in the affirmative!

Let’s Encrypt

The StackOverflow post pointed me to the Let’s Encrypt initiative, which essentially offers the means for one to generate an SSL certificate oneself via a fully automated verification process. Not just that, it offers a host of ways in which this can be done depending on your level of comfort with using the command line, cPanel or any other means through which verification can be carried out. I was skeptical, thinking something like this was too good to be true, but it isn’t. Also, the project is sponsored by several well-known organisations such as the Linux Foundation, Mozilla, EFF and CISCO. And the certificate is accepted by all mainstream browsers. As a coincidence, I later found out that The Site Wizard, which I had referred to several times in the past while choosing a hosting provider, website templates, etc., is also secured by a certificate from Let’s Encrypt!

Now this was exactly what I wanted, i.e. to secure my personal domain so that I can transfer data between my location and my ownCloud server. It does not matter to me (at least for now) how much extra assurance a seal from a known CA such as DigiCert or Symantec gives a visitor to my website. Plus, it’s absolutely free. In my case, I had the certificate generated within minutes through ZeroSSL with an automated ACME verification process that involved me creating two files with specific content on my domain that were verified by this website. There are many alternatives to ZeroSSL, any of which can be used as per one’s convenience. One thing to note is that the certificate issued by ZeroSSL is valid only for three months, but I don’t mind repeating the very simple process again when my current certificate expires.

Last Words

So to conclude, securing one’s website with a TLS/SSL certificate is not as hard or expensive as it may seem at first glance thanks to Let’s Encrypt. I’m very impressed by this initiative, and found it to be a perfect alternative for my needs given all other options known to me. The Let’s Encrypt team is currently seeking funding for their operations and I’m about to donate to it as a token of my appreciation. So if you are in a similar situation as I was before my research that led me to Let’s Encrypt, I hope you benefit from reading this post!
