Every week brings more articles about the dangers which can be faced online, and lots…
The origin of the SSL certificate dates all the way back to the dark ages of the web, 1995. Back in those heady days of dial-up and Netscape, the Internet had a problem; it was built as a trustless decentralized network where everybody could get online and share information. Needless to say, it didn’t stay that way. Instead, it quickly became a powerhouse for digital commerce and so there had to be a way for people to secure their surfing. Cryptography soon followed, and it was good. Except … cryptography secured connections between surfer and server; it made connections impervious to snooping, but it didn’t actually guarantee that a surfer connected to the website they thought they did.
Enter the SSL certificate
An SSL certificate is essentially a digitally signed statement proclaiming the identity of a site operator and binding that identity to the site’s public key. By itself, all it provides is proof that the server a user is connected to is under the same control as the owner of the SSL certificate. In the early days of the web, getting an SSL certificate meant an actual audit by an independent SSL auditing firm, which would attest to the physical person behind a site, their city and country, their business incorporation, and so on. In exchange for issuing a certificate, they would charge hundreds or thousands of dollars. It was a good time for auditors. For site operators? Well, there’s a reason SSLs were only used by big sites during this time.
As time went on, however, a new kind of SSL was introduced, the domain validation SSL. A domain validation SSL actually proves what most people want to know, that the website they’re visiting is really in the control of the domain owner. This validation is easy because when the SSL is issued, all the site owner needs to do is prove that they own the domain name, for example, by putting up a specific file on their website. This process is fast and easy, and the actual validation can be done by a computer with little or no human interaction. As I’m sure you would expect, the big SSL providers dropped their prices to near zero because of the savings from automating the process. Haha! Of course not, they charged almost as much for DV SSL certificates as they had been and pocketed the profits.
Over the 2000s prices did gradually fall, but SSLs remained annoyingly expensive into the 2010s. Some of the SSL vendors even tried to make a more expensive “extended validation” SSL that would turn the browser bar green. This was even supported for a few years, but then the browser vendors wised up, and so EV SSLs are completely worthless now. Seriously, if you still have an extended validation SSL in 2021 it’s time to let it go and save hundreds of dollars a year.
Time to “Let It Go”
Then 2014 came along, and brought with it the song “Let it Go” from Frozen. Despite a common misconception, this song was not about a magical princess at all, but rather an instruction to site owners paying for SSL certificates: let it go. You see, in 2014, after years of lobbying by the Electronic Frontier Foundation and Mozilla (the makers of Firefox), the board that sets the standard for SSLs finally approved Let’s Encrypt, a totally free certificate authority that will issue you an SSL on demand. Absolutely free!
Of course, nothing is quite that simple. When Let’s Encrypt launched, its certificates were not trusted by all browsers, and not trusted at all by older ones. In addition, in order to appease the existing SSL providers, they were not able to issue wildcard SSL certificates (where one certificate covers a.example.com and b.example.com). Moreover, their certificates were limited to 90 days of validity, so you had to set up and run a job on your server that would renew the certificate periodically, which was not an easy process at the time. Naturally, the big SSL vendors spread quite a bit of doubt with blog posts decrying the perceived security failings of Let’s Encrypt certificates.
Despite a rocky start, nothing beats free, and Let’s Encrypt quickly became a roaring success, taking up a significant percentage of all SSL certificates issued. In the early years, there were many users for whom Let’s Encrypt wasn’t a fit, but it quickly became the de facto standard for issuing SSL certificates.
Fast forward to 2021, when the free ecosystem has matured. A number of other entrants provide SSLs for free and the vast majority of websites no longer have to pay for an SSL. Browser support for these free certificates is excellent, meaning they work everywhere. The clients for renewing the SSLs every 90 days have matured considerably, and they now work everywhere too. And remember that 90 day duration? It turns out that’s been great for security, creating a whole ecosystem of software that updates its security keys regularly instead of letting them rot for years at a time. Best of all, wildcard certificates are now supported by free SSL providers as well (some for free and some for a very modest fee). There’s still a small handful of use cases for paid certificates, such as systems that are difficult to update and where a longer-lived certificate is beneficial, but these use cases are very rare, and the prices for such paid certs are now no more than a few dollars.
There is another great benefit to the proliferation of free SSL providers. Before these providers, any certificate authority could issue certificates for your site. The hundreds of certificate authorities trusted by browsers included not just the big commercial players, but also shady offshore organizations and even authorities owned by repressive governments. Any of these certificate authorities could issue a certificate for your site and use it to intercept your users. They weren’t supposed to, but they could and occasionally did. Finally, to end this, a new DNS record type was added, the Certification Authority Authorization.
How CAA DNS works
The CAA DNS record allows a site operator to publish a list of certificate authorities who are allowed to issue certificates for their site. A certificate authority is required to look up this record before issuing, so if some other provider issues a certificate for your site regardless, it’s immediately apparent that they didn’t have that authority, and such a mis-issued certificate should not be accepted by the major browsers. By deciding on what certificate authority you’ll use, and then publishing a CAA record, you can significantly reduce the possibility of a fraudulent SSL. Many SSL providers are moving to require a CAA record specifically authorizing them in the near future.
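How a certificate authority should interpret the CAA records described above, as an added example that is not part of the original post: a small Python checker that climbs the DNS tree to find the relevant CAA record set and applies the issue / issuewild rules of RFC 8659. The zone data, host names and CA domains are constructed for illustration; a real CA would query DNS rather than a local dict.

```python
import re
from collections import namedtuple
CAA = namedtuple("CAA", "flags tag value")
# Constructed sample zone (not real DNS data); each record exercises one rule checked below.
ZONE_TEXT = """
example.com.      3600 IN CAA 0 issue "letsencrypt.org"
example.com.      3600 IN CAA 0 issuewild ";"
example.com.      3600 IN CAA 0 iodef "mailto:security@example.com"
shop.example.com. 3600 IN CAA 0 issue "digicert.com; accounturi=placeholder"
example.net.      3600 IN CAA 128 futuretag "unknown-to-this-ca"
"""
RR = re.compile(r'^(\S+)\s+\d+\s+IN\s+CAA\s+(\d+)\s+(\S+)\s+"([^"]*)"$')

def parse_zone(text):
    """Return {owner name: [CAA, ...]} parsed from zone-file style lines."""
    zone = {}
    for line in text.strip().splitlines():
        m = RR.match(line.strip())
        if not m:
            raise ValueError("unparseable CAA line: " + line)
        name, flags, tag, value = m.groups()
        zone.setdefault(name.rstrip(".").lower(), []).append(CAA(int(flags), tag.lower(), value))
    return zone

def relevant_records(zone, name):
    """Climb from name toward the root; the first non-empty CAA RRset is the relevant one."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []

def may_issue(zone, ca, fqdn):
    """True if CA domain `ca` may issue for `fqdn` (a wildcard name uses issuewild if present)."""
    wildcard = fqdn.startswith("*.")
    rrset = relevant_records(zone, fqdn[2:] if wildcard else fqdn)
    if not rrset:
        return True   # no CAA anywhere up the tree: issuance is unrestricted
    if any(r.flags & 128 and r.tag not in ("issue", "issuewild", "iodef") for r in rrset):
        return False  # critical property this CA does not understand: it must refuse
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in rrset) else "issue"
    props = [r for r in rrset if r.tag == tag]
    if not props:
        return True   # only iodef (or similar) published: no issue restriction applies
    # Value is "<issuer-domain>[; params]"; a bare ";" means no CA may issue.
    allowed = {r.value.split(";")[0].strip().lower() for r in props}
    return ca.lower() in allowed

ZONE = parse_zone(ZONE_TEXT)
```

Note that nothing in this check runs in the browser: it is the CA’s pre-issuance decision, so a CA that ignores CAA is caught only by audit or Certificate Transparency monitoring, not by the record itself.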
So, if you’re still paying for SSL certificates or you haven’t set up CAA records to protect your site, what are you waiting for? It’s 2021, protect your site and save some dollars by taking advantage of a true public good on the Internet. If you need help with this, don’t hesitate to reach out to MojoHost, we’ve been helping our customers to free SSLs for years, because protecting our customers and saving them money – #ThatsGoodMojo!