While achieving a high level of security is an involved process that requires time and effort, one of the basics is about to get a lot less expensive.
That’s because this week, the Internet Security Research Group (ISRG), a non-profit organization with backing from companies like Mozilla, Cisco and Automattic, announced that its automated and open certificate authority (CA) has received cross-signatures from IdenTrust.
What does that mean in non-techie terms? SSL certificates issued by Let’s Encrypt will be trusted by all major browsers.
That’s noteworthy news because Let’s Encrypt offers SSL certificates at no cost. So starting in November, businesses will have a way of securing their websites using SSL without spending any money on a certificate, which can cost upwards of hundreds of dollars a year in some cases.
According to the ISRG: “Vital personal and business information is flowing over the Internet more frequently than ever, and it’s time to encrypt all of it.
“That’s why we created Let’s Encrypt, and we’re excited to be one big step closer to bringing secure connections to every corner of the Web.”
The ISRG is not the only organization pushing to drive greater adoption of SSL.
Last year, Google called for “HTTPS everywhere” at its Google I/O conference and even announced that it added HTTPS as a ranking signal…
“…over the past few months we’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms. We’ve seen positive results, so we’re starting to use HTTPS as a ranking signal.
“For now it’s only a very lightweight signal — affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content — while we give webmasters time to switch to HTTPS.
“But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.”
Google’s encouragement almost certainly helped convince some to use HTTPS, but there are a number of reasons many websites still don’t employ it.
For instance, many small businesses with limited access to technical know-how are less likely to understand how to acquire and install an SSL certificate.
But cost is also a barrier, and with a free option that works with all major browsers, it’s possible that we’ll see hosting companies and makers of server management software integrate with Let’s Encrypt to make certificate acquisition and installation practically painless.
Free SSL certificates won’t always be the best option
While Let’s Encrypt could very well be a game-changer in driving adoption of HTTPS – a small but important first step in promoting data security – companies will want to keep in mind that its free certificates won’t always be the best option for all websites.
Let’s Encrypt certificates provide domain validation, but there is no verification of the organization behind a domain.
The most expensive SSL certificates frequently provide Extended Validation (EV), which involves verifying the organization behind a website.
When these certificates are used, web browsers highlight the organization’s name in a green address bar.
For companies operating certain kinds of websites, such as those that involve ecommerce and financial transactions, this level of validation and browser highlighting of trust is often desirable.
But for many websites, Let’s Encrypt’s free certificates should be a fine option and their availability will leave companies with little excuse for not securing their websites using HTTPS.