With Let's Encrypt it's cheaper than ever to host a personal website over HTTPS with a certificate that updates itself.
Due to Let's Encrypt, free hosting services like Netlify or GitHub Pages are now providing HTTPS certificates and installing it on your own server is pretty painless, if you're into managing your own server. And if your hosting provider doesn't support Let's Encrypt, you can always put Cloudflare in front of it.
So I don't really understand what you're talking about, when the price and ongoing maintenance of HTTPS certificates has gone significantly down for hobbyists.
My problem is with the crusade to make everything HTTPS - normal HTTP involved no ongoing setup, and didn't put the ongoing functionality of your website in someone else's hands. As I've said above, Let's Encrypt is sponsored by corporations and could disappear tomorrow.
To be reasonably fair, Let's Encrypt makes it easy. I even have a $5 a year shared hosting account that gives me Let's Encrypt SSL certs through cPanel. I can't imagine this feature is unique only to this one random shared hosting provider.
"Let's Encrypt doesn't help people redirect to HTTPS, add HSTS, configure the versions of TLS they support or fix HTTP references in otherwise secure pages."
So, this is only true if you squint at the problem. In one sense Let's Encrypt is ISRG's Certificate Authority project, and it doesn't dice vegetables OR pick up dog hair. But the wider Let's Encrypt ecosystem does help you with lots of this:
* If you use Certbot (the hugely popular EFF-maintained "reference" client for Let's Encrypt) with popular servers like Apache you get options to switch on HSTS and CSP: upgrade-insecure-requests.
* If you use a bulk host, as a great many of Troy's target audience do, they either already have a single button push (easier than Cloudflare) "Get me free SSL" or they could but they've chosen for commercial reasons not to enable it (in the very popular cPanel a hosting company has to go out of their way to ensure this is disabled if they want to instead upsell customers to paid certs and squeeze a little more cash out). "Go to Cloudflare" and thereby centralise things even further is definitely the wrong choice in this scenario.
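An added example, not part of the thread or any participant's code: an offline audit of three of the four items in the quoted sentence above (HTTPS redirect, HSTS, and HTTP references in otherwise secure pages). TLS version configuration is left out because it needs a live handshake. The function names, finding labels, the 180-day HSTS threshold and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser

MIN_HSTS_MAX_AGE = 15552000  # assumed policy threshold (180 days), not from the thread
SUBRESOURCE_TAGS = {"script", "img", "iframe"}  # tags whose src loads a subresource


class _InsecureSrcFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        if tag in SUBRESOURCE_TAGS:
            for name, value in attrs:
                if name == "src" and value and value.lower().startswith("http://"):
                    self.insecure.append(value)


def hsts_max_age(value):
    # Return max-age from a Strict-Transport-Security value, or None if absent/invalid.
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            arg = arg.strip().strip('"')
            return int(arg) if arg.isdigit() else None
    return None


def audit(http_status, http_location, https_headers, html):
    # Return a list of findings; an empty list means every check passed.
    headers = {k.lower(): v for k, v in https_headers.items()}
    findings = []
    if http_status not in (301, 308) or not (http_location or "").lower().startswith("https://"):
        findings.append("no-permanent-https-redirect")
    age = hsts_max_age(headers.get("strict-transport-security", ""))
    if age is None:
        findings.append("hsts-missing")
    elif age < MIN_HSTS_MAX_AGE:
        findings.append("hsts-max-age-too-short")
    finder = _InsecureSrcFinder()
    finder.feed(html)
    csp = headers.get("content-security-policy", "").lower()
    upgrades = "upgrade-insecure-requests" in [d.strip() for d in csp.split(";")]
    if not upgrades:  # without the directive, http:// subresources are mixed content
        findings.extend("mixed-content:" + url for url in finder.insecure)
    return findings


# Constructed sample: a site with a certificate installed but nothing else configured.
SAMPLE_HTML = '<img src="http://example.com/logo.png"><script src="/app.js"></script>'
SAMPLE_FINDINGS = audit(200, None, {"Server": "Apache"}, SAMPLE_HTML)
```

Feed it the status and `Location` of the plain-HTTP response plus the headers and body of the HTTPS response; the constructed sample yields one finding per missing control.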
Let's Encrypt works on the assumption that there is no reason why an HTTPS certificate cannot be easy (not as cumbersome?) to use AND free of cost. They hope to start availability in the middle of this year. Free of cost is possible. We just need to make it easy, reliable, and repeatable for domain name owners to prove their ownership.
I watched a demo where they went from a vanilla Apache install to an A-scoring HTTPS site in sub 5 minutes at Libreplanet. It's a good idea to publicize the upcoming LARGE change.
Thanks to Let's Encrypt, it is easy for someone running their own server.
But I think for regular folk running on a hosted service, who aren't comfortable with command line and who won't even have the necessary permission, they are going to be stuck with what they have, and probably have their domain held hostage, so will be forced to pay for some crappy cert if they even wanted https.
There's nothing stopping the shared-hosting providers from handling the Let's Encrypt process for their clients themselves, and then either just using the resulting certs for client sites automatically or exposing an interface for generating and applying a cert through their Web control panel.
They don't do that currently because customers aren't asking for it. If customers start asking, some will start. And once a few shared-hosting providers start providing HTTPS hosting, market pressure from educated customers can push the others into following suit.
I jumped to Netlify after I had my static site on S3 and thought to myself "securing it through Let's Encrypt could be nice" and after 3 hours I couldn't get it working, so I ported the site over to Netlify in ~15 mins including the Let's Encrypt integration and pointing the domain over.
The one thing you can’t do with Let’s Encrypt is generate a certificate with a CN of localhost which, since browsers are getting really picky about mixed HTTP/HTTPS content, is a real issue with local development using certain web features.
I'd imagine lots of hosts don't allow users to set up Let's Encrypt so then the obstacle is first migrating to a host that does allow it (or includes direct support for it).
I use a cheap shared web host. My current and previous host both have Let's Encrypt implementations that take a couple of clicks. The former one was just default cPanel I think.
It is difficult if you want to understand the process, though no more so than, say, using Git IMO.
In short, cPanel and other shared host panels make it as easy as the clicky-clicky WordPress install.
Like Netlify (hosting a static site with build is super easy). Same with Cloudflare and a bunch of others.
As a user it’s all abstracted at simply the push of a button.