Many in the security, web hosting, and web development communities are in favor of implementing SSL encryption on as many sites as possible. Even for sites that at first glance don’t have any strong reason to encrypt data or validate their identity, there are advantages to implementing SSL: it promotes user trust, it helps — in a small way — with search engine ranking, it prevents bandwidth providers from injecting content into pages, and it promotes the principle that users have a right to privacy on the web.
The major obstacle to SSL everywhere is complexity. For those of us who know what we are doing, implementing SSL is far from a walk in the park, and for those without technical knowledge, it’s practically impossible. Cost is also a significant barrier. As Troy Hunt points out, SSL is a premium service.
“As soon as someone is faced with the option of doing something cheaply and easily versus with more money and more effort, the former is going to be the default position unless they can readily justify the friction of the latter and that’s where SSL frequently is at the moment.”
Let’s Encrypt is a new certificate authority that aims to solve both the complexity problem and the cost problem in one fell swoop. An initiative of the Internet Research Group, which includes members from the Electronic Freedom Foundation, Mozilla, Cisco, the University of Michigan, and Akamai, among others, Let’s Encrypt makes it both easy and free to register, generate, and install a domain-validated SSL certificate.
Implementing SSL encryption for a standard site is surprisingly easy with Let’s Encrypt: install a small tool and its dependencies, run it, answer a few questions, and voilà — if you’re running Apache or Nginx, the process is that easy. It takes a few minutes and afterwards your site will have a CA-backed Domain Validated (DV) certificate. It’s worth noting that Let’s Encrypt only offers DV certificates; if you need EV certs you’ll still have to go via an SSL provider with more exhaustive identity validation (which constitutes the bulk of the cost of an SSL certificate).
Let’s Encrypt will enter public beta on 3rd December, at which point anyone can use it to create a certificate for their site.
How successful Let’s Encrypt will be in its aim to facilitate SSL everywhere is yet to be seen, but since cost and complexity are the two major reasons site owners avoid implementing SSL, there’s a good chance that we’ll see an increase in SSL adoption among site owners who would otherwise have chosen to go with plain HTTP.
However, I suspect that a significant number of site owners simply don’t see the point of implementing SSL, and for them, Let’s Encrypt won’t be a compelling option. What do you think?