Friday, March 23, 2018

Free HTTPS certificate availability

There are two main reasons why you want HTTPS on your website:

1. You want to provide communications privacy to your visitor, in other words: you don't want anyone to see what your visitor is doing on your site.
2. You want to prove your identity, which is important if you are selling things or handling sensitive data.

What many people don't know is that the main reason certificates are expensive is #2: these companies need to do some verification on their own, which costs money.

If you just need HTTPS for a blog, personal website, or a marketing site that is not handling purchases and/or sensitive information, a certificate that protects the communications is more than enough, and a full-blast certificate is overkill.

Enter the https://letsencrypt.org/ initiative.

These nice folks will happily issue you a free certificate that covers #1. That basically covers the lowest tier offered by all certification providers, which sell these for about $10/year.

The only problem is that these are almost not ready for prime time. Getting one involves a minor amount of geekery, and it was embraced on the Linux side of the business before it was done for Windows. Still, it is now possible to install a small app on Windows that will happily generate a CSR, send it to Let's Encrypt, fetch a 3-month certificate, install it in the correct IIS website, and set up a task to magically renew it every 3 months. And it's free.

And of course, if you are dealing with Apache on Linux, everything I outlined in the previous paragraph will work for you too.

But wait, there's more! Google just added this capability to Blogger! Their approach is so simple that I actually screwed it up: you click a button, you wait 5 minutes and it's all done. You don't even see the phrase "Let's Encrypt" or "free certificate." It simply does it for you. If you want to see it in action, notice that this blog is using it. As you can see, it is only vouching that the channel is secure; it is not verifying the identity of the organization running this website.
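To check both points for yourself (what a certificate vouches for, and how close a 3-month certificate is to needing renewal), here is an added example that is not part of the original post. It reads the dictionary that Python's `ssl` module returns for a site's certificate; the function names, the 30-day renewal threshold and the two sample certificates are assumptions constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEW_WITHIN_DAYS = 30  # assumption: renew once 30 days or fewer remain

def fetch_cert(host, port=443, timeout=5.0):
    """Fetch a live site's certificate (validated against the system CAs)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _fields(name):  # flatten getpeercert()'s nested subject/issuer tuples
    return {key: value for rdn in name for key, value in rdn}

def summarize_cert(cert, now):
    """Report what the certificate vouches for and when it must be renewed."""
    subject = _fields(cert.get("subject", ()))
    issuer = _fields(cert.get("issuer", ()))
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = (datetime.fromtimestamp(expires, tz=timezone.utc) - now).days
    org = subject.get("organizationName")
    return {
        "hostnames": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
        "issuer": issuer.get("organizationName") or issuer.get("commonName"),
        "organization": org,            # None: only the domain was checked
        "identity_vouched": org is not None,
        "days_left": days_left,
        "renew_due": days_left <= RENEW_WITHIN_DAYS,
    }

# Constructed samples in the getpeercert() dict format (not real certificates).
SAMPLE_FREE = {
    "subject": ((("commonName", "blog.example.com"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),),),
    "notAfter": "Jun 21 12:00:00 2018 GMT",
    "subjectAltName": (("DNS", "blog.example.com"),),
}
SAMPLE_ORG = {
    "subject": ((("organizationName", "Example Corp"),), (("commonName", "shop.example.com"),)),
    "issuer": ((("organizationName", "Example Paid CA"),),),
    "notAfter": "Mar 23 12:00:00 2019 GMT",
    "subjectAltName": (("DNS", "shop.example.com"),),
}

if __name__ == "__main__":
    for sample in (SAMPLE_FREE, SAMPLE_ORG):  # evaluated at a constructed date
        print(summarize_cert(sample, datetime(2018, 5, 25, 12, tzinfo=timezone.utc)))
```

For a real site, pass `fetch_cert("your.domain")` to `summarize_cert` with `datetime.now(timezone.utc)`; a certificate whose subject carries no organization name is the kind that secures the channel without identifying who runs the site.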

Also notice that I have retired the HTTPS certificates from my products list. There's no point in selling a product that isn't needed; there are plenty of excellent providers that are offering fair prices. Unlike, say, domain names, which I will keep selling for as long as the big names use them as a way to sucker people into upselling them.
