Tyler Crandall
HTTPS encryption allows websites to protect end users by encrypting traffic between browsers and the site’s web servers. Browser developers plan to add new warnings for end users when they visit websites not encrypted with HTTPS, before eventually phasing out HTTP in favor of HTTPS. Yesterday, Google became the first major browser developer to implement an extra notification warning, as part of the rollout of Chrome version 68, which labels HTTP-only sites as “Not secure” in the address bar, next to the domain name.
This additional warning encourages website owners to adopt HTTPS, and it is a positive step toward making the Web a more secure environment for end users.
Certificate Authorities Separate HTTPS from HTTP
A web browser distinguishes HTTPS from HTTP using certificate authorities (CAs) whose root certificates come pre-installed in the browser software. CAs are entities that cryptographically sign TLS/SSL certificates to vouch for their authenticity. Browsers and operating systems maintain a list of trusted CAs that they use to verify site certificates.
Until recently, most CAs were commercial operations that charged money for their verification and signing services. Let’s Encrypt has made this process free for users by completely automating the procedure, and by relying on sponsorship and donations to fund the necessary infrastructure.
Explaining Let’s Encrypt
Let’s Encrypt is an open and automated certificate authority that uses the Automatic Certificate Management Environment (ACME) protocol to provide free TLS/SSL certificates to any compatible client. These certificates can be used to encrypt communication between your web server and your users. There are dozens of clients available, written in various programming languages, and many integrations with popular administrative tools, services, and servers.
The most popular ACME client, Certbot, is now developed by the Electronic Frontier Foundation. In addition to verifying domain ownership and fetching certificates, Certbot can automatically configure TLS/SSL on both Apache and Nginx web servers.
How Let’s Encrypt Works
Let’s Encrypt’s ACME protocol defines how clients communicate with its servers to request certificates, verify domain ownership, and download certificates. It is currently in the process of becoming an official IETF standard.
Let’s Encrypt offers domain-validated certificates, meaning it has to check that the certificate request comes from a person who actually controls the domain. It does this by sending the client a unique token, and then making a web or DNS request to retrieve a key derived from that token.
For example, with the HTTP-based challenge, the client computes a key from the unique token and an account token, then places the result in a file to be served by the web server. The Let’s Encrypt servers then retrieve the file at http://example.com/.well-known/acme-challenge/token. If the key is correct, the client has proven it controls resources on example.com, and the server will sign and return a certificate.
The ACME protocol defines multiple challenges your client can use to prove domain ownership. The HTTPS challenge is similar to the HTTP challenge, except that instead of a text file, the client provisions a self-signed certificate with the key included. The DNS challenge looks for the key in a DNS TXT record. You can learn more in our introductory tutorial for Let’s Encrypt.
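The HTTP challenge described above, worked through on both sides as an added example (not Certbot’s or Let’s Encrypt’s own code): the client derives the key authorization from the token and the thumbprint of its account key, and the CA side compares what the web server returned with that expected value. The account key and token below are constructed placeholders, and the RFC 8555 rule that a client must refuse a token containing non-base64url characters (so it can never be used as a path into the challenge directory) is assumed as the input check.

```python
import base64
import hashlib
import hmac
import json
import re

# Constructed sample ACME account key (public JWK). The coordinates are
# placeholder base64url strings, not a real P-256 point.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    "y": "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB",
    "kid": "https://acme.example/acct/1",  # extra member, ignored by the thumbprint
}

# Tokens are base64url text; anything else is rejected before the token is
# used as a file name under .well-known/acme-challenge/.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required members, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Client side: the exact body written to the challenge file."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("token is not base64url; refusing to use it as a path")
    return f"{token}.{jwk_thumbprint(jwk)}"


def challenge_url(domain: str, token: str) -> str:
    return f"http://{domain}/.well-known/acme-challenge/{token}"


def validate_http01(served_body: str, token: str, jwk: dict) -> bool:
    """CA side: constant-time compare of the served body with the expected value.
    Trailing whitespace in the body is ignored, as RFC 8555 permits."""
    expected = key_authorization(token, jwk)
    return hmac.compare_digest(served_body.rstrip().encode(), expected.encode())
```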
What can I do to enable HTTPS on my sites hosted on DigitalOcean?
If you have websites that have not implemented HTTPS and you expect this new warning to impact your site usage, here are some simple and relatively inexpensive recommendations.
A simple and powerful option is to use a DigitalOcean Load Balancer, which creates and automatically renews SSL certificates from Let’s Encrypt for you. Load Balancers cost $20 per month and are highly available. In addition to offloading HTTPS traffic, you gain additional performance with support for HTTP/2, and you can easily manage traffic across your servers. If you choose this option, our new Product Documentation center has a helpful tutorial.
A second option is to follow one of our Let’s Encrypt tutorials to implement HTTPS directly with your web servers. We have over 50 tutorials, such as how to secure Nginx with Let’s Encrypt on Ubuntu 18.04 as well as product documentation on how to set up Let’s Encrypt certificates on Load Balancers. This is a good option to prevent additional monthly costs if you have time to configure and maintain your TLS certificates.
A third option is to use a CDN like Cloudflare, which has an integration with Let’s Encrypt to handle HTTPS traffic on your behalf. Adding a CDN can result in additional costs, but may be a good option if you need faster content delivery and HTTPS support. Cloudflare has a blog post that describes some of the history behind these updates and what to expect in the coming months.
These Changes Will Help Keep Users Safer
Yesterday’s change is only the beginning of a series of tweaks by Google: in September, for version 69, sites using HTTPS will no longer show the green “Secure” text in the address bar, and in October, for version 70, the “Not secure” label for HTTP-only sites will turn red. In the future, these types of warnings will also happen on the mobile version of Chrome.
Securing websites is important, and Google adding this new warning in Chrome is a strong move toward encouraging more developers to do so. Ultimately, this will keep all internet users a little safer.