Updates on CyberSecurity, WordPress and what we're cooking in the lab today.

SSL Will be Free Starting Summer 2015

This entry was posted in WordPress Security on November 18, 2014 by Mark Maunder. 28 Replies

If you aren’t using SSL to have a conversation with a website, your traffic is readable by anyone on the Net who can see your network packets flying past. But more to the point, since the audience for this blog post is website administrators, if your website is not running SSL, you are talking to your customers in plain text.

If you are a site admin but haven’t played with network packet analysis, I’m going to give you some real-world insight into what this means:

When I ask my web browser to connect to news.netcraft.com, which is an unencrypted (non-SSL) website, my traffic passes through about 18 ‘hops’ (the techie word for routers) before it reaches Netcraft’s firewall:

[Screenshot: traceroute output showing the hops to news.netcraft.com]

Looking at the names of the routers, I count around 4 vendors that have access to my traffic, including Wave, Spectrum Networks, XO Communications and BT (British Telecommunications). I also count two countries: the UK and the USA.

Here’s what my traffic looks like when I import it into a packet analysis tool (I’ve blanked out personal info I don’t want the World to see):

[Screenshot: the captured packets opened in a packet analysis tool]

As you can see, everything is in plain text including:

  • The URL I requested.
  • Any cookies and their values, including session cookies that a hacker could steal and use to log in as you.
  • Any other data I sent, including form values, which would include things like usernames and passwords.
  • The entire response, in plaintext and clearly readable. This might include email contents, documents, social security numbers etc.

It’s easy to automatically parse network traffic like this for valuable data using Linux tools like tcpdump, combined with simple algorithms that look for specific kinds of data. For example, if you’re looking for card numbers, you just look for 16-digit numbers that conform to the Luhn algorithm. [Yes, it’s rare to pass card numbers over non-SSL connections, but this illustrates an algorithmic approach to data recognition and capture.]
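As an added illustration of the algorithmic approach above (this is example code, not from the original post), here is a small Python scanner that flags Luhn-valid 16-digit numbers in a constructed plaintext HTTP request. It is the kind of check a site owner can run over a capture of their own non-SSL traffic to confirm whether anything card-like is leaving in the clear; the request body and the card number (a standard test number) are constructed for the example.

```python
import re

# Constructed sample of an unencrypted HTTP POST as it would appear in a
# packet capture. Not real traffic; 4111111111111111 is a well-known test number.
SAMPLE_PLAINTEXT_HTTP = (
    "POST /checkout HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Cookie: session=abc123\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "name=Jane&card=4111111111111111&order=1234567812345678&zip=98101"
)

# A run of exactly 16 digits, optionally separated by single spaces or hyphens,
# not glued to other digits on either side.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9  # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def find_card_like_numbers(text):
    """Return the 16-digit runs in `text` that pass Luhn (likely card numbers).

    The order number 1234567812345678 in the sample is 16 digits but fails
    Luhn, so only the real card-like value is reported.
    """
    hits = []
    for match in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def mask(number):
    """Keep only the last four digits when reporting a hit."""
    return "*" * (len(number) - 4) + number[-4:]


if __name__ == "__main__":
    for hit in find_card_like_numbers(SAMPLE_PLAINTEXT_HTTP):
        print("card-like number sent in plaintext:", mask(hit))
```

To run it over a real capture, feed it the payload text that tcpdump or a similar tool extracts from your own HTTP sessions, one request at a time.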

Besides private hackers, countries like the USA and China parse network data like this on an industrial scale using the best computer science minds on the planet. That is why there is a sense of urgency to move towards a completely encrypted web.

Historically you have had to pay anything from $10 to over $1000 for an SSL certificate for your website. If you hunt around you can find free SSL certificates, but they are either a paid ‘trial’ or part of some other commercial incentive to get you to sign up with a service where you will inevitably part with your money one way or another.

Yesterday, November 18th, the Electronic Frontier Foundation (EFF) announced a project that will make SSL and encryption on the web completely free. They have created a non-profit organization called the Internet Security Research Group (ISRG) in collaboration with Mozilla, the University of Michigan, Cisco, Akamai and IdenTrust.

The ISRG is launching a project called Let’s Encrypt which will make free SSL certificates available for any website starting Summer 2015. But they go further than that. Installing an SSL certificate has always been a fairly technical job, so Let’s Encrypt is creating applications for Linux and other web hosting operating systems that let you install and activate SSL for your web server with a few keystrokes.

So the net result is that, starting Summer 2015, not only will SSL for any website on the Net be completely free, but you will also be able to install and activate SSL on your site with just a few keystrokes and no payment.

Below is the official Let’s Encrypt video, which does a great job of making it clear how easy (and cost free) it’s going to be to install an SSL certificate from the project.

Please share this post with other webmasters to raise awareness of the importance of enabling SSL on your website (and the excellent news that it will soon be free and easy to implement).


28 Comments on "SSL Will be Free Starting Summer 2015"

Blaine Moore November 19, 2014 at 12:29 pm • Reply

This is great news! For those looking for free SSL in the short term, you can accomplish it now by using CloudFlare which started offering free SSL certificates to all customers (even free customers) about a month ago.

A self-signed certificate on your server combined w/the free CloudFlare certificate means you can have point to point encryption.

mark November 19, 2014 at 12:54 pm • Reply

Looks like there is some concern about how secure this is: https://www.agwa.name/blog/post/cloudflare_ssl_added_and_removed_here

Are self-signed certificates required? If not then most of the connection is unencrypted.

Blaine Moore November 19, 2014 at 1:01 pm • Reply

The way that they are setup, no, you don't have to have a secure connection between CloudFlare and your server.

In some cases, that's not a problem; for simple e-commerce using a service like Stripe, which requires the browser to have a secure connection but which uses Stripe's secure connection to handle any actual credit card data, you still provide protection from man-in-the-middle attacks at a public wi-fi hotspot. It would not provide protection from government or other intermediate snooping for non-secure pages that can look at traffic between the server and CloudFlare.

However, I wouldn't recommend setting your site up that way.

My point (as mentioned above) is that you can still get a CA-assigned certificate for free that resolves to CloudFlare, and you can use a self-signed certificate on your own server to encrypt traffic between CloudFlare and the server itself, so you can have end-to-end security without the expense of a CA-assigned certificate.

So, their service may not be perfect in all situations, and can be configured in a less than ideal way that only protects you from people in your physical location, but that's still better than not having any security for sites not passing overly sensitive data. And, if you have an administrator that is willing to spend a few extra minutes, you can have end-to-end security without any additional costs.

The EFF's solution is better. But CF's solution is available now. That's all I was saying.

mark November 19, 2014 at 1:09 pm • Reply

Thanks for the input Blaine. Yes interesting point re this helping protect the local and near-by networks of the visitor. And I agree that this is a tangible benefit if you're on public wifi.

So I think the main concern here, or at least what folks should be aware of is that if you don't have a certificate on your own server and you're using Cloudflare to provide SSL, then the connection between your web server and cloudflare is unencrypted. So in cases, for example, where the Cloudflare server is in China and the web server is in USA, the Chinese could eavesdrop on the unencrypted connection while the site visitor thinks their connection is secure.

The problem I think I have with it is that there's no way for the web browser to communicate to the end user that the connection between the cloudflare servers and the web server they're talking to is either unencrypted, or encrypted using a different method.

Sam November 19, 2014 at 12:35 pm • Reply

Great news BUT, being the doubter I am when it comes to anything internet related, the word 'free' just simply doesn't exist. They cannot invest their money and time and payroll for something they are just simply going to give away, without requiring 'something' in return. Sorry, this just isn't how capitalism works. Hoping I'm wrong so I will be watching this with anticipation and scrutiny.

Wendy November 19, 2014 at 4:10 pm • Reply

I use lots and lots of Open Source and free platforms like WordPress, ModX, Twitter, Facebook, Chrome, Firefox, etc. etc. Why do you think this is not possible?

Sam November 19, 2014 at 5:23 pm • Reply

Wendy,

You are correct but Facebook, Twitter, Wordpress, etc, depend on advertising or premium/custom theme purchases. Wordpress might be the exception but if Facebook or Twitter had no advertising, they would cease to exist, unless some very rich digital-philanthropist used his/her own money.

mark November 19, 2014 at 7:47 pm • Reply

A good primer to get your head around why people make free stuff and what free actually means. Hint: It's free as in speech, not free as in beer.

http://en.wikipedia.org/wiki/Gratis_versus_libre#.22Free_beer.22_vs_.22free_speech.22_distinction

In the case of making SSL free, sure the cert itself is free as in beer, but the concept of giving everyone the ability to encrypt web communications falls under free speech. In other words, you're liberating everyone to communicate freely on the web without fear of monitoring or reprisal.

Regarding commercial incentive: Cisco sells routers, Akamai sells web infrastructure, Mozilla sells browsers. They all have an interest in encouraging wider use of the web with increased web traffic which will drive greater revenue for each company. In other words, by simply using the web more, you're helping Cisco sell more routers. And so creating a better and more secure web which gets used more and grows faster benefits them commercially.

Akaahan Terungwa November 19, 2014 at 7:48 pm • Reply

Hi Sam,

You are not treading this path alone... while the concept of free may excite the world, no such thing actually exists - least of all in a capitalist economy.

What essentially this means is: 'hey, there's an opportunity to exploit here - let's tap in by offering free SSL...we'll monetize later when folks show interest on a large scale'.

Got that?

Always,
Terungwa

TonyW November 19, 2014 at 12:38 pm • Reply

What a wonderful idea!
I received the email from Wordfence and decided to stop by and read the entire article... This cannot get implemented fast enough.

annemarietobias November 19, 2014 at 12:54 pm • Reply

Which version of SSL are you going to implement? The POODLE vulnerability (an Oracle based exploit using SSL v 3.0) has been making the rounds lately, and in fact PayPal just informed me that they are locking out the SSL v 3.0 protocol from their site access on Dec 3, 2014. They are instead using TLS. So does this in any way impact how you'll be implementing SSL, and what protocols you'll be using (or not using)?

Mitch November 19, 2014 at 12:59 pm • Reply

Free? Don't think so, but we will see in the summer of 2015 what is required of us with this "Free" SSL.

TonyW November 19, 2014 at 1:11 pm • Reply

I'll do some research as to which is best, but I believe this is something that is well needed across the internet.

John-Pierre Cornelissen November 19, 2014 at 1:28 pm • Reply

So will this also work for websites on a shared hosting plan?

thx
JP

mark November 19, 2014 at 1:36 pm • Reply

Yes, usually your host will have a way for you to install an SSL certificate and you can just get your certificate from "Lets Encrypt" which will be free.

However as part of this project, Lets Encrypt is launching a protocol called ACME which is a way for web servers to automatically get SSL certificates from them and to verify that the web server is associated with the owner of the domain. This protocol will let folks like us, other developers and hosting providers create applications that automatically install your SSL certificate for you with only a few clicks.

So the impact of this program is not just that SSL will be free, but that it will become very easy to activate it, including on shared hosting plans.

Camping Girl November 19, 2014 at 3:56 pm • Reply

I hope it comes to pass; having free SSL certificates that are actually usable, and without major faults like OpenSSL, will definitely help the web with security. I have my doubts that most hosting companies will embrace this until they are well proven.

Alastair Dodwell November 20, 2014 at 3:03 am • Reply

This is good news. We always recommend SSL certificates to clients but most decline due to the prices involved. Plus hosting companies make it complex to host multiple SSL sites on the same server. If both areas are addressed then this is indeed an excellent plan.

Michael Fraase November 20, 2014 at 5:34 pm • Reply

I've got my fingers crossed for two things:

1. Wide acceptance as a trusted root CA in the major browser software and operating systems
2. Wildcard certificates

#1 would seem to be quite a reach, except Mozilla has two board seats and is the executive director of the CA

#2 seems plausible

jack November 23, 2014 at 8:36 am • Reply

Free SSL, but you still need to pay your host for a dedicated IP for the SSL to work...

WCB November 23, 2014 at 9:00 pm • Reply

Great info! In the meantime, I use an offshore VPN for encryption. I never go on the web without it. Yes, I do sacrifice some speed, but I sleep well knowing that all of my traffic is encrypted, even from my ISP. Thanks again!

mark November 23, 2014 at 11:04 pm • Reply

Remember that your traffic is only encrypted between you and the VPN gateway. From there to the destination if you're using an unencrypted protocol like HTTP then it's not encrypted.

Zach November 24, 2014 at 10:51 am • Reply

Here's what my VPN service said about your comment...

"All of your traffic, including your browsing, IM, VOIP, IP TV, Skype etc, is encrypted from your computer onwards and online. Your entire internet is encrypted as well. So your router or any other device doesn't see your data on the way to its destination. Your IP, Header and DNS are changed as well to our own server IP. You can be confident that your personal data will not be hacked or stolen and that neither your ISP nor any other third party can monitor your internet activities."

What do you think?

mark November 24, 2014 at 12:16 pm • Reply

Ask them this: "I understand that the connection between my PC and your servers is encrypted, which protects me from someone monitoring me on public WiFi for example. But what I'd like to know is this: When I connect to an external web server using your VPN, is the portion of the connection from your VPN servers to a non-SSL website encrypted? Or is the data sent plaintext?"

Zach November 25, 2014 at 12:28 pm • Reply

Here's their response...

"Data is not sent as plain text. Encryption is not an option. Our VPN provides an encrypted connection ALL of the time. It cannot and should not be turned off.
We are now using 2056 bit OpenVPN, 2056 bit SSH-2 (Secure Shell 2), and 2056 bit SSL/TLS respectively, network and tunneling protocols that allow data to be exchanged over a secure channel between your PC and our server. They are based on public-key cryptography to authenticate the remote computer and provide improved security through Diffie-Hellman key exchange and strong integrity checking via MACs. We are using AES-256 encryption to protect the confidentiality of the data. The algorithm has been analyzed extensively and is now used worldwide. As of 2007, no attacks that attack the underlying cipher itself have ever been found. In June 2003, the U.S. government announced that AES may be used for classified information: “The design and strength of all key lengths of the AES algorithm are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either key lengths.” This marks the first time that the public has access to a cipher approved by the NSA for encryption of TOP SECRET information.

If you want to turn off our VPN, please click the Disconnect button. Then you will be back on your ISP connection. To close our VPN software completely, click Quit.

We advise you to check the traffic with this tool http://www.wireshark.org/download.html and you should get a report about the encrypted packets. You should first install this tool and run it. Then connect to one of our servers, start browsing. The report you get through Wireshark will contain all the information about your data traffic, and you will be able to verify that with VPN4ALL ON all your traffic is in fact encrypted."

Comments?

John Perryn December 1, 2014 at 2:21 am • Reply

Would that be Northern Hemisphere Summer 2015 or Southern Hemisphere Summer 2015? There's a six-month difference....

mark December 3, 2014 at 1:55 pm • Reply

Darnit, keep forgetting about time dilation between hemispheres.

Fete Hot December 7, 2014 at 10:39 pm • Reply

Does this also work for websites on a shared hosting plan?
