Before I get to the free part, let's decide if SSL is really important or another of those "feel good" options. And speaking of options, depending on your banking arrangement – your merchant account may require that at least your shopping cart be SSL equipped. So you may not have a choice in the matter.
Other than a lot of mysterious and odd sounding terms and technologies, what does providing an SSL connection really do for you and your site visitor? It may be easier to explain by using a non SSL example. We are all Webmasters and site owners here, right? So, if we do not provide SSL to our site visitors, we a communicating with them in plain text. For you, this is likely a GEICO moment were "Everybody Knows That!" But did you know that SSL does a lot more than encrypting plain text?
Before I go to the extra things an SSL does, I need to add a new term. SSL is going away. It's twenty year old technology. I have neckties that are that old, so why change? The technology in SSL is showing its age. The POODLE vulnerability has shown that SSL is now completely insecure. I turned it off on my server, did you?
Enter TLS (Transport Layer Security), the replacement for SSL. TLS is old too, it's only four years younger than SSL. But it has undergone a number of lifetime improvements, the most recent being in 2008. As info SSL 3.0 was last updated in 1996. Enough ancient history, on to why TLS is more than encryption.
Not only does TLS provide secure data exchange, it also provides authentication. This means visitors can be sure they are sending info to your server not to a criminal’s server. Plus there's the often overlooked value of visitor trust. Online shoppers are trained to look for that padlock and if it's BIG and green it's even better!
Regardless if you are forced to provide TLS by your merchant agreement or if you pay for it because you believe it adds value to your visitor relationship – FREE is GOOD! It only took me a half page to get here but now I hope we can all agree TLS is a good thing. It's not just eye candy for your site visitors.
Enter the Electronic Frontier Foundation (EFF), or as I like to call them - the ACLU for Net issues. The EFF has just announced Let’s Encrypt, a new certificate authority (CA) initiative with Mozilla, Cisco, Akamai, IdenTrust, and researchers at the University of Michigan that in the words of the group "aims to clear the remaining roadblocks to transition the Web from HTTP to HTTPS." The group is scheduled to begin providing free certificates in the summer of 2015.
The "free" part may be music to your ears but this next part is a whole symphony to me if they can pull it off. I don't know about you but I don't install new or renew certificates often enough to have the process memorized. I admit the process has gotten a little easier over the years. My first attempts to install certs were nightmares. There were days and days of emails going back and forth from me, the certificate authority and my host. My last cert installation was in the 1 to 3 hour range – the same range that the Let's Encrypt article calls the average time for a webmaster to request and install a certificate.
The new process will use one command and take 20 to 30 SECONDS! Now, that is the stuff dreams are made of! Should you want to remove a cert; one command will reverse the process just as quickly.
Here’s a video provided by EFF:
I don't know about you, but I have a hard time thinking as fast as that guy talks! Where is the need for saying HTTPS so fast?
In my next post, I'll discuss some drawbacks with the Let’s Encrypt initiative and SSL/TLS in general. I'll also look at today's Commercial CAs and how they may be impacted by the free for everyone movement. Will the for profit SSL/TLS marketplace become a thing of the past? Stay tuned...