Securing your Web Server using Let's Encrypt and Certify-The-Web

The internet is not a secure place. If you’re not aware of this fact just google “computer security stories” or “data breaches” and click on the first few links that come up.

All content on the internet needs to be secured. This article focuses on securing the connection between your browser and the web site you are connected to, using Hyper Text Transfer Protocol Secure (HTTPS), which is HTTP carried over TLS. The web site proves its identity with a certificate, and the TLS session set up on the strength of that certificate encrypts and integrity-protects everything that passes between you and the site. A Certificate Authority (CA) is an entity that vouches for a site's identity by issuing, renewing and managing these certificates.

Take a situation in which you are interacting with your bank via its web site. You expect that:

  1. The transactions, balances and other information coming from the bank's IT systems are for your eyes only, and no one can read them by inserting themselves between the bank's server and your device. This is known as a man-in-the-middle attack;
  2. No one can tamper with the traffic between you and your bank. For example, you fill in a form to pay EUR 1000 into account 12345678 and the account number is altered, in transit between you and the bank's server, to a different account.


From your end, all you need is a web browser that supports HTTPS. This isn't an issue, since the current breed of web browsers support secure communications out of the box. Many browsers will also switch to the secured version of a page when both the secure and the unsecured versions are available; some do this out of the box, others with a (free) extension that adds the functionality.

The entity that owns the web site you are interacting with will need to install the certificate issued by the CA on its web server and flick a few switches.

In an effort to make the internet a little more secure, browser vendors are actively marking sites that do not support HTTPS as not secure. Browsers already warn if a page requests credit card or password information over an unsecured connection. From July 2018, Google's Chrome browser extends this to all HTTP pages, and Firefox already flags insecure password fields. Also, since 2014 Google has used HTTPS as a ranking signal, ranking non-secure sites lower than secure ones.

Anyone whose web server does not support HTTPS will be severely disadvantaged. Not only is it already harder to rank high in web searches, but visitors will now get a warning telling them that the site is not secure, and that warning will frighten visitors away.

Before Let's Encrypt (https://letsencrypt.org/), certificates cost money and had to be bought again every year when they were renewed. Let's Encrypt has changed that. This article explains what you can do to secure your web server using Let's Encrypt and Certify-The-Web.

Let's Encrypt is a non-profit backed by sponsors such as Google Chrome, Mozilla, Facebook, Akamai, the EFF and many other companies. As it points out on its web site, Let's Encrypt "is a free, automated, and open Certificate Authority (CA)".

Let’s Encrypt is different from commercial CAs in two main areas:

  • Let's Encrypt issues only domain-validated (DV) TLS server certificates. Such a certificate can protect any TLS service (HTTPS, but equally SMTP, IMAP and so on); what Let's Encrypt does not offer are the organisation-validated (OV) and extended-validation (EV) certificates, code-signing certificates and S/MIME certificates that commercial CAs sell;
  • Let's Encrypt's certificates are only valid for 90 days, at which point the certificate expires and must be renewed. Commercial certificates typically have a validity of a year (sometimes more). The short lifetime limits the damage if a certificate is mis-issued or its private key is stolen, because the certificate stops being trusted within weeks, and it forces renewal to be automated rather than done by hand.


Let's Encrypt is a Linux Foundation Collaborative Project. On Linux systems, ACME clients such as Certbot renew the Let's Encrypt certificate automatically when it is due. This article describes how to automate the same process on a Windows IIS platform.

Certify-The-Web (https://certifytheweb.com/) is a commercial company that has written a utility which automates the installation and renewal of Let's Encrypt certificates. According to the company, more than 70,000 people and organisations use the tool, and it lists organisations such as NASA and web hosting providers as clients. The tool is free for up to 5 web sites.

To enable HTTPS on your web site, simply install Certify-The-Web on your web server and follow the prompts. The utility guides you through registering your account with Let's Encrypt. After registration, Certify-The-Web lists the web sites on your IIS server and, for each one, lets you prove to Let's Encrypt that you control the domain (the ACME challenge), downloads and installs the issued certificate on IIS, and makes the binding adjustments needed for you to start serving secure content.

Certify-The-Web also handles the automated renewal of the Let's Encrypt certificates within their 90-day lifetime, which considerably simplifies your life. If you enter an email address in the Certify-The-Web utility, it will alert you when a problem prevents the certificate from being renewed.
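Automated renewal is only reassuring if you can see that it is actually happening. The PowerShell script below is an added example, not code from Certify-The-Web or from this post: it walks the HTTPS bindings on the local IIS server, reports how many days each bound certificate has left, and then opens a TLS connection to each host header to confirm that the certificate IIS is really serving is the one recorded in the binding (a renewed certificate sitting in the store while the binding still points at the old one is the failure mode that catches people). The 30-day threshold is an assumption; set it to whatever margin your renewal schedule leaves.

```powershell
# Added example (not Certify-The-Web's own code): audit IIS HTTPS bindings and the
# certificates behind them. Run in an elevated PowerShell session on the web server
# with the IIS management tools installed.
Import-Module WebAdministration

# Assumption: a Let's Encrypt certificate should have been renewed well before it
# gets to 30 days left, so anything inside that window means the automation failed.
$WarnDays = 30

function Get-ServedCertificate {
    # Open a TLS connection to $HostName (SNI is taken from the host name) and return
    # the leaf certificate the server presents. AuthenticateAsClient throws when the
    # chain does not validate (expired, untrusted, name mismatch), which is exactly
    # the condition a visitor's browser would complain about.
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        $client.Close()
    }
}

$report = foreach ($site in Get-Website) {
    foreach ($binding in Get-WebBinding -Name $site.Name -Protocol https) {
        # bindingInformation is "ip:port:hostheader"; the ip may be an IPv6 literal in
        # brackets, so match from the right rather than splitting on every colon.
        $m = [regex]::Match($binding.bindingInformation, '^(.*):(\d+):([^:]*)$')
        $port       = [int]$m.Groups[2].Value
        $hostHeader = $m.Groups[3].Value
        $thumbprint = $binding.certificateHash
        $storeName  = if ($binding.certificateStoreName) { $binding.certificateStoreName } else { 'My' }

        $cert = Get-ChildItem -Path "Cert:\LocalMachine\$storeName\$thumbprint" -ErrorAction SilentlyContinue
        if (-not $cert) {
            [pscustomobject]@{ Site = $site.Name; HostHeader = $hostHeader; Status = 'binding points at a certificate that is not in the store' }
            continue
        }

        $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
        $status = 'ok'
        if ($daysLeft -lt $WarnDays) { $status = 'renewal overdue' }
        if ($daysLeft -lt 0)         { $status = 'EXPIRED' }

        # Cross-check what clients actually receive. Only possible when the binding has
        # a host header to connect to and the name resolves to this server.
        $servedMatches = $null
        if ($hostHeader) {
            try {
                $served = Get-ServedCertificate -HostName $hostHeader -Port $port
                $servedMatches = ($served.Thumbprint -eq $cert.Thumbprint)
            }
            catch {
                $status = "handshake failed: $($_.Exception.Message)"
            }
        }

        [pscustomobject]@{
            Site          = $site.Name
            HostHeader    = $hostHeader
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            DaysLeft      = $daysLeft
            ServedMatches = $servedMatches
            Status        = $status
        }
    }
}

$report | Format-Table -AutoSize
```

Run it from a scheduled task and have it mail you any row whose Status is not "ok" or whose ServedMatches is false; that gives you an alert that does not depend on the renewal tool itself being healthy. If the host name resolves to a load balancer or CDN rather than this server, ServedMatches will compare against the front end's certificate, not the local binding, so treat a false there as something to investigate rather than as a definite fault.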



The entire process typically takes less than 5 minutes from start to finish.



HTTPS goes a long way towards ensuring that communication between you and the web site is secure. It does not address the important topic of phishing. Phishing is the attempt to trick users into believing they are on one web site when in reality they are on another. The copycat site is normally set up to look identical to the one it imitates, and its sole purpose is to get users to type in sensitive information such as usernames, passwords and credit card details. A Let's Encrypt certificate only asserts that whoever runs the site controls the domain name shown in the address bar; it says nothing about who that is, so a phishing site at a look-alike domain can present a perfectly valid certificate. As secure web sites become the norm, both the good and the malicious ones will sport certificates, and the padlock alone will no longer tell a visitor which is which. Checking that the domain name itself is the one you intended remains your job.


Comments

  1. It seems that #google Chrome will soon start expiring non-secure session cookies after a few hours, not respecting the expiry value within the cookie.

    While the intention of Google is to drive web traffic towards HTTPS, this action constitutes a deviation from how the RFC standard should work and ***will*** be problematic going forward.

