HTTPS for free
HTTPS protocol is becoming more and more popular lately. Some of us may be even unaware that there is some cryptography involved. If you want to use SSL or TLS protocol for your site you can do it for free.
Introduction
Please refer to documentation on how to configure Apache to use HTTPS. Just notice that for SSL setup two files will be required:
- Certificate file (usually signed by trusted 3rd party)
- Key file (secret and available only for HTTP server)
Start SSL
Start SSL is a trusted 3rd party, also known as certificate authority that signs up to five different domains certificates for free. They are valid for year. I have been using it for couple of years now.
But if you need more than five trusted certificates there is another option to try.
ACME
ACME stands for Automated Certificate Management Environment. The idea is to provide certificates infrastructure at low cost. Specification is available at ACME GitHub page.
ACME uses Let’s encrypt certification authority, which may be used to provide free certificate for your domain. The certificates are valid for three months, but they may be renewed automatically using automatic certificates renewal tools.
I have tested acme.sh and it works fine. I am still waiting for the end of the first three-months period to check if certificate will be automatically renewed.
Validation
To validate your SSL/TLS setup you could use one of the online tool:
- https://www.ssllabs.com/ssltest/analyze.html
- https://www.digicert.com/help/
- https://www.sslshopper.com/ssl-checker.html
Advanced coniguration for SSL
Refer to those links to increase security of HTTPS protocol:
- https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html
- https://mozilla.github.io/server-side-tls/ssl-config-generator/
- https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices
To sum it up
Don’t be lazy. Is it your personal site or company website — you should have no excuses for not using secure protocol.