A normal step for us when developing and deploying web applications or APIs for our clients is to add HTTPS certificates to the finished application when it is deployed live.
Putting certificates in place has a cost in both time and money, as they typically need to be purchased from providers such as Comodo or Verisign and put in place by a developer.
Putting secure certificates in place is often frustrating for a developer: either an email address specific to the domain needs to be set up and a notification acknowledged by the domain owner, or in some cases DNS records can be used to verify ownership. Both of those can take time to resolve.
From today we will be using Let's Encrypt to place HTTPS-only access on all client sites, including development work on staging servers.
Any new client projects will get certificates from the beginning of the project. For existing client sites, Let's Encrypt certificates will be put in place instead of renewing with existing certificate providers.
What is Let's Encrypt?
Let's Encrypt is a new certificate authority which entered public beta on December 3rd 2015, with major sponsors such as Mozilla, Cisco and Facebook.
Let's Encrypt is free, and since there is no cost for us to purchase the certificates, there will be no cost passed on to our clients.
For more information on Let's Encrypt, check out their site at https://letsencrypt.org/
If you are a developer and want to know how to install certificates, check out their “How it works” page, https://letsencrypt.org/howitworks/, which shows 3 easy steps on how to get up and running.
Some good reasons to have HTTPS-only access to your website or application include:
- Security – without HTTPS, it's possible for cyber criminals to intercept data in transit to and from your site.
- Google Ranking – Google may place your site higher in their results if you have HTTPS access in place.
- Performance – the claim that HTTPS access makes a site slower is no longer true (see The SSL Performance Myth).