How to set up an SSL certificate and secure your website for free
This is the tale of how I learned to set up a free SSL certificate after being "scammed" into buying one. Yes, scammed. And I usually pride myself in avoiding that.
Like a lot of new things that creating ironeko has required me to attempt, it's been a learning experience. And as with most learning experiences, screwing up once in a while is unavoidable.
But let's start from the beginning.
What is SSL?
Unless you are a webmaster, it's likely you won't know what a Secure Sockets Layer (SSL) certificate is. The explanation is pretty simple. Have you ever noticed how some websites have
http:// at the start of their URL while others seem to have
https://? In Layman's terms,
https:// means your connection to the remote server of the site you're visiting is secure.
https immediately makes your website more legitimate, because it means that it's been trusted by a Certificate Authority (CA). A C.A. is essentially a company that, following an extensive set of rules, can verify that you own your site. When you ask a C.A. to verify that you're the owner of a domain, you'll receive an SSL Certificate that browsers can use to verify your site.
Enabling https also protects the user from man-in-the-middle attacks. These are usually situations in which two parties think they are communicating directly with each other, but in reality a third party is accessing (and sometimes changing) the information sent and received.
If, for example, you sent a form containing your password over http rather than https, someone could potentially intercept that and know your password.
How I got "scammed"
I began my front-end career as a webmaster in the mid-2000s. And to say that the landscape of the internet has changed since then would be an understatement. Back in those days you would build a site, put it online, and that would be you done.
In 2019 however, things are quite different. A lot more people have access to the web and so, naturally, malicious attacks have become more common. I knew this of course, and knew I had to have some sort of SSL set up, but failed to completely educate myself on it. After all, I hadn't had any experience in senior site management since 2012.
When I bought a domain from Namecheap (who are a great company by the way, despite the SSL troubles), I was offered an SSL certificate for a discount. Not knowing any better, I fell hook line and sinker and bought one.
This is a scam
The activation process
This was probably the most annoying part. After spending £7 (which I now know is extortionate) on an SSL certificate, I was asked to:
- Log into my server via SSH
- Use console commands to generate a key and CSR file
- Send the CSR file to a company
- Wait one frustrating week before being verified
I'd thought the process was going to be immediate, or at the most take a couple of days, so the week-long wait was excruciating. I had content written, edited and ready to go! Friends were asking about ironeko, and I was aware that my delay made it look like I wasn't ready to share. After a while I ended up launching without it.
Enter 'Let's Encrypt'
It was at this point that a friend mentioned Let's Encrypt. Free SSL? That you can set up automatically? Is he having a laugh? Why would Namecheap sell me something when it's that easy to get a free SSL certificate? It has to be a scam I thought.
But curiosity got the better of me and I tried it. I logged into my server console, ran a single command, and there it was. I didn't have to change complex Apache configurations; didn't have to redirect http traffic to https; I didn't have to spend £7. My free SSL certificate was working.
Naturally, I commenced a mission to get my money back. In the end, I had bought two certificates: one for ironeko and one for the site the data was being served from (essentially the one I edit through). That £14 hurt. I only got back £7 in the end, so if you do decide to pay for SSL, make sure you definitely want it, as you might not get a full refund.
Money aside, I was glad. My site was secure, and I'd learned a valuable lesson for the future.
How is this possible?
Certificate Authorities operate based on trust. It doesn't matter what kind of authority issues your certificate. The guidelines CA have to follow are set by browser vendors. This means no CA is more or less trustworthy than another.
A certificate issued by Let's Encrypt is just as valid as one issued by Comodo, even though Comodo will have you pay a whopping £7 per certificate. It just happens that Let's Encrypt has made it their mission to make it as easy as possible to have a secure internet.
The obvious question pops into your head: how could companies sustain a business while asking for money for a service that is offered for free?
Well, there are many different types of certificates.
What Let's Encrypt issues is a DV (Domain Validated) certificate. This certifies that you are the owner of that domain and that you can be trusted. Aside from that there are also OV (Organization Validated) and EV (Extended Validated) certificates which require much more thorough checks to be issued.
A DV certificate will protect your site as well as show a padlock next to your URL. On the other hand, a EV certificate will do all that as well as showing your URL in green and sometimes even show who the site belongs to.
These types of certificates can cost hundreds. However in the end they do little more than the standard ones and the difference is largely aesthetic. In the end, they're only as effective as how much the end user cares about them. If the user doesn't care, then the pricier options are worth as much as a free SSL certificate.
As I said, unless you create websites, it's unlikely that you'll know the difference.
There are of course downsides to getting a free SSL certificate. Hypothetically, the main drawback to securing with Let's Encrypt is that your certificates are only valid for three months.
I say hypothetically because this has been easily circumvented by the Let's Encrypt team creating an automatic re-issuing script that runs at regular intervals. So, while your certificate is expiring quickly, it is also being re-issued automatically before it can actually expire.
Apart from that? No downsides. If you're still scared it might be a scam, Stackoverflow (the go to resource network for anything web related) uses Let's Encrypt certificates. If that's not enough to convince you, I don't know what could.
If you have a website that still uses
http, I highly suggest you check Let's Encrypt and their Getting Started guide. Enabling
https will not only make your site more professional and secure, but it will also give your site a massive SEO boost.
If your site is hosted on a VPS that you can manage from a terminal interface, using Let's Encrypt is definitely a lot easier, but they do also have a list of hosting providers that they support.
I've learned a lot about SSL through this process, and it's definitely worth delving into if you have a free afternoon. Maybe you're having that afternoon right now and this article has helped. If so, good luck for your webmastering venture!