DreamHost has just announced that they now support Let's Encrypt, a free, automated open certificate authority, to provide SSL Certificates to its customers at no cost. This is a great move by DreamHost, particularly since they are effectively giving up a whole section of their revenue, all in the endeavor to make things easier for their customers and to encourage TLS adoption on the internet as a whole.
Marcus Hildum, Lead Security Engineer at DreamHost, commented:
This isn’t just a technical win for customers, it’s a moral win for the internet at large. We saw not only an opportunity to help customers offer their users a more secure experience, but also an opportunity for DreamHost to help increase TLS adoption on the internet through a partnership with Let’s Encrypt.
There is quite an interesting story about how DreamHost came to support the free SSL certificates, which we will come to in a moment. First, though, it is useful to talk a little about the organization behind the project.
About Let's Encrypt
Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit and provided by the Internet Security Research Group (ISRG).
The fundamental principles behind the scheme are:
- Free: The service is available to everyone, free of charge.
- Automatic: By installing certain software on a web server, the whole process of obtaining the certificate, configuring it and even renewing it is done automatically.
- Secure: It will serve as a platform for advancing TLS security best practices.
- Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.
- Open: The issuing and renewal protocol will be published and maintained openly, allowing others to adopt the technology.
- Cooperative: It is a joint effort to benefit the community and as such is beyond the control of any one organization.
How DreamHost got involved with Let's Encrypt
The story of how DreamHost first got involved with Let's Encrypt is quite an interesting one. Marcus Hildum attended DefCon23, a popular hacking conference, in September last year. Yan Zhu was giving a talk about the new scheme and used a screenshot of the SSL page on the DreamHost Wiki as an example of how notoriously difficult SSL certificates can be to install. You can see the relevant part of the presentation below:
A transcript of the relevant part is as follows:
A second big problem of the world is that setting up TLS is still really tedious, even in 2015. Who here has done this process? A lot of you, so you know how bad it is, right. For instance, if you want to do this on DreamHost you go to their wiki, and it's a twelve step process, and you're not an Alcoholics Anonymous yet, but it's still 12 steps process. It is ridiculous.
A screenshot of the page referred to is below:
For a lay person, this looks complicated.
So, with Marcus embarrassed about DreamHost's mention in the talk, DreamHost got in contact with Yan and immediately started collaborating on how to implement Let's Encrypt at their end:
I was embarrassed to see an article in DreamHost’s wiki used as an example of how TLS is still frustratingly difficult to set up. I personally talked to Yan after the talk was over to accelerate collaboration between DreamHost and Let’s Encrypt. After that, we started working on implementing the ACME protocol and tying it all together with our panel to make the process as seamless as possible for customers.
A few months later, in a subsequent talk at 32c3, DreamHost was yet again mentioned at a Let's Encrypt panel, but this time as a supporting partner.
How to Install an SSL at DreamHost via Let's Encrypt
It is useful to point out how easy it now is, post-implementation, to install a Let's Encrypt SSL certificate at DreamHost, especially as they were originally called out as having a complicated system.
Instead of the 12 steps previously referred to, it can now be done very easily in just five steps:
- Firstly, go to the domain management page
- To the right side of your chosen domain, under the "Secure Hosting" column, click "Add link."
- Check the box next to "Signed Certificate" to confirm you wish to add the SSL to your domain
- Choose whether you would like a Dedicated IP
- Click the "Add Now" button, and within a few hours, the new SSL will be configured.
So simple now!
Let's Encrypt Limitations
Before we all get carried away and say the premium SSL industry is doomed, we should point out the limitations of Let's Encrypt SSL Certificates. The SSL Store did quite an interesting article on the subject, which we will summarize as follows:
- These limited certificates only confirm the ownership of your domain, and not the owner's identity (i.e. no EV SSL certificates)
- They won’t have support for Wildcard SSL certificates at launch.
- No direct support
- No website seals or warranties
While we feel that these free SSL certificates will be more than adequate for a blog or standard website, we do worry that they won't carry the same authority as certificates from reputable companies such as Symantec, Comodo or GeoTrust, whose website seals, supported by financial guarantees, are what financial or e-commerce companies rely on to instill trust in their websites.
Despite these minor reservations, we are big supporters of this whole concept and very pleased to see DreamHost implement it.