Securing a website used to be an expensive process. Although certificates have slowly been getting cheaper, they're still roughly on par with the cost of the domain name they protect, and getting one issued was often complex and error prone. Furthermore, in a pre-SNI world, each HTTPS hostname needed to be terminated on its own dedicated IP address, making it prohibitively expensive for hosts to offer low-cost encryption to their users.
In an attempt to unwind some of the mistakes that were made around security in the earlier ages of the Internet, browsers are starting to prod service providers in the right direction. For example, in the near future Chrome will start shaming websites that aren’t encrypted and Firefox will start red flagging login forms that come in over HTTP.
The good news is that we’re now living in a golden age of secure connections. The price of CA-signed certificates is trending toward zero, and if you’re a savvy user who knows where to look, you can easily get one for free already today. Support for SNI is now widespread enough that hosts have a cheap mechanism for offering secure termination for all their users. Encryption may be especially critical for banks and Facebook, but it belongs on every site online: shopping sites (even pre-checkout), blogs, marketing landing pages, personal websites, and everything in between. Hopefully by reading this guide, you’ll realize that there aren’t any excuses for running an insecure website anymore, so come on, let’s encrypt!
Although CloudFlare is largely known for being a CDN, they've been more quietly offering a great certificate-issuing and TLS-terminating service for some time now. It's easy to use, and is especially ideal for anyone who's hosting content on another service that already offers secure termination (like Heroku or GitHub Pages), but who would like to have a custom domain name. You also get the added benefit of CloudFlare's CDN services, which can be had for free. One caveat: CloudFlare terminates TLS at its own edge, so check the SSL mode on your zone. "Flexible" leaves the hop from CloudFlare back to your origin as plain HTTP; if the origin already speaks HTTPS (as Heroku and GitHub Pages do), use "Full (strict)" so that the origin's certificate is actually verified.
I should also note for the pundits that CloudFlare's magic works by SNI, and as such may not work for clients that are using absolutely ancient technology for browsing. As of today, "Can I Use …?" estimates support at 97+% globally, so an SNI-based solution is probably appropriate for you as long as you're running an operation that's smaller than Google.
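SNI is what lets a single IP address serve certificates for many hostnames: the client puts the hostname it wants into the first message of the handshake (the ClientHello), before any certificate has been chosen. The following added example, which is not code from the original post or from CloudFlare, builds a minimal TLS 1.2 ClientHello as a constructed fixture and then parses the server_name extension back out of it, the same thing a terminating host has to do to pick the right certificate. Record layout follows RFC 5246 and RFC 6066; the cipher suite bytes and the random are arbitrary placeholders.

```python
import struct

HANDSHAKE = 0x16        # TLS record content type: handshake
CLIENT_HELLO = 0x01     # handshake message type
EXT_SERVER_NAME = 0x0000  # extension type for SNI (RFC 6066)


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record (test fixture, not a real client)."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("idna")              # SNI carries the A-label form
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry             # server_name_list
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body = (
        b"\x03\x03"                                    # client_version: TLS 1.2
        + b"\x11" * 32                                 # random (constructed placeholder)
        + b"\x00"                                      # session_id length 0
        + struct.pack("!H", 4) + b"\xc0\x2f\xc0\x30"   # two cipher suites (placeholder)
        + b"\x01\x00"                                  # compression methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _take(buf, pos, n):
    """Slice n bytes at pos, refusing to read past the end of the buffer."""
    if pos + n > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[pos:pos + n], pos + n


def extract_sni(record):
    """Return the host_name from a ClientHello's SNI extension, or None if absent.

    Raises ValueError for anything that is not a well-formed ClientHello, which is
    what a terminator should do rather than guessing a default certificate."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs, _ = _take(record, 5, rec_len)
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body, _ = _take(hs, 4, int.from_bytes(hs[1:4], "big"))

    pos = 2 + 32                                            # skip client_version + random
    n, pos = _take(body, pos, 1); _, pos = _take(body, pos, n[0])                       # session_id
    n, pos = _take(body, pos, 2); _, pos = _take(body, pos, struct.unpack("!H", n)[0])  # cipher_suites
    n, pos = _take(body, pos, 1); _, pos = _take(body, pos, n[0])                       # compression
    if pos == len(body):
        return None                                         # pre-extension client: no SNI possible
    n, pos = _take(body, pos, 2)
    exts, _ = _take(body, pos, struct.unpack("!H", n)[0])

    pos = 0
    while pos + 4 <= len(exts):
        ext_type, length = struct.unpack("!HH", exts[pos:pos + 4])
        data, pos = _take(exts, pos + 4, length)
        if ext_type != EXT_SERVER_NAME:
            continue
        n, q = _take(data, 0, 2)
        names, _ = _take(data, q, struct.unpack("!H", n)[0])
        q = 0
        while q + 3 <= len(names):
            name_type = names[q]
            name_len = struct.unpack("!H", names[q + 1:q + 3])[0]
            name, q = _take(names, q + 3, name_len)
            if name_type == 0:                              # host_name entry
                return name.decode("ascii")
    return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("brandur.org")))   # brandur.org
    print(extract_sni(build_client_hello()))                # None
```

Two things worth noticing from running it: a client that sends no extensions at all (the "ancient technology" case above) gives the terminator nothing to select on, which is why such clients end up with whatever default certificate the IP address serves; and the hostname travels in cleartext before any key exchange, so SNI hides which site you visit from nobody on the path (that gap is what Encrypted Client Hello exists to close).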
Let's Encrypt is a free CA run by the ISRG (Internet Security Research Group) with the charter of providing free certificates in an open and transparent way to help secure the Internet. Issuance is fully automated over the ACME protocol, and the certificates are domain-validated and valid for 90 days, so plan on an automated renewal job rather than a manual process. They've been making waves lately, and the turning point that we're seeing around the cost of CA-signed certificates on the Internet could reasonably be attributed to their work.
A brand new entrant is AWS Certificate Manager (ACM), which finally gives us the missing link for building secure services on Amazon. ACM is AWS-only, but is easy to use through either their API or web console, and plugs right into a CloudFront distribution or ELB (Elastic Load Balancer). One gotcha: a certificate meant for CloudFront has to be requested in the us-east-1 region, regardless of where the rest of your infrastructure lives.
Important update (2018/03/12): I've left this section in place for historical reference, but StartSSL is no longer issuing certificates after a series of questionable practices led to their root certificates being distrusted by Chrome and Firefox. You can read more about the sordid details on Wikipedia.
Even though StartSSL is probably not what most people want to use to get certificates created these days, I'm still going to give them an honorable mention because they were the original free issuer, and really helped to get the ball rolling towards a better future.
There’s a lot of information above, so here’s a simple heuristic that should do the trick for most people:
For example, this site runs on Heroku. I have my domain terminated by CloudFront at “https://brandur.org”, and CloudFront securely transports content from my HTTPS Heroku address at “https://brandur-org-next.herokuapp.com”.
That’s it! Now please go out and secure your web properties.