A new free tool allows practically any site owner to serve encrypted website and web app connections, and prove it with a green padlock validation icon in the browser address bar.
What is SSL encryption?
SSL represents the “s” in “https.” It stands for “Hypertext Transfer Protocol” plus “Secure Sockets Layer.” Web pages that use https are encrypted; those that use plain old http are not.
Two days ago, the nonprofit Let’s Encrypt released the tool, letting anyone create and deploy free SSL certificates. Some certificate sellers charge hundreds of dollars per site, per year, for that service. After reading the breaking news in Ars Technica, we made a strong move to the hoop, and behold the green padlock.
Why does the lock icon matter?
Encryption helps to protect user privacy, and Google is championing the goal of securing the internet.
- In Chrome, unsecured web pages that collect credit card and password information are now flagged “Not Secure”
- In Google Search results, unencrypted sites will appear lower
- In Firefox and Chrome, unsecured web sites are flagged with an “i” inside of a circle (currently not differentiated by color, although that will probably change soon). A user clicking on that circle sees “Connection is Not Secure” in big red letters.
- Google’s plan is to continue escalation of user alerts until every unsecured page is flagged, at the front of the address bar, using the same red warning triangle as pages with broken https.
In other words, the informational alerts that users are ignoring right now will become warning alerts by default, requiring users to click on a button to acknowledge that their data may be stolen.
Is the Let’s Encrypt tool easy to deploy?
After reviewing the installation procedure and requirements, we determined that our web host supports Let’s Encrypt’s “wildcard” certificates but doesn’t support a means to automate validation. No matter: a search revealed instructions and comments on manual installation. Our final configuration differed from the instructions since we use WordPress:
- In the WordPress Admin panel, change the link in Settings/General/WordPress URL and Site URL to begin with “https://” instead of “http://”
- If the page is still flagged as insecure in Firefox (or Chrome, if you like), open the web developer tools to view the source and search on “src=http:”. That highlights images that have proper https addresses in the media library description but still show up as unsecured http links in the page’s source html; the browser flag disappeared after each offending image was deleted and replaced with the same image from the library.
- .htaccess may require a 301 redirect
- CloudFlare in cPanel can cause the browser to throw an encryption error when a user types “www.sitename.com” instead of “sitename.com”
- The process takes a few hours to install and troubleshoot
- Certificates expire in 90 days
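The “src=http:” search from the steps above, as an added example (not code from the original post): a Python scan of a page's HTML for subresources still loaded over http, separating the kinds browsers typically block from the kinds that only cost you the padlock. The example.com sample markup and the function names are constructed for illustration.

```python
from html.parser import HTMLParser

# Insecure loads of these tags are "active" mixed content, typically blocked.
ACTIVE = {"script", "iframe", "link", "object", "embed"}
# Insecure loads of these are "passive": usually shown, but the padlock is lost.
PASSIVE = {"img", "audio", "video", "source"}
URL_ATTRS = ("src", "href", "data", "poster", "srcset")


class MixedContentFinder(HTMLParser):
    """Collect http:// subresource URLs from one page's rendered HTML."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, attribute, url, kind)

    def handle_starttag(self, tag, attrs):
        if tag not in ACTIVE | PASSIVE:
            return  # <a href="http://..."> is navigation, not a subresource
        rel = (dict(attrs).get("rel") or "").lower()
        if tag == "link" and "stylesheet" not in rel:
            return  # canonical/alternate links load nothing
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            # srcset is a comma-separated list of "url descriptor" candidates
            parts = value.split(",") if name == "srcset" else [value]
            for url in (p.split()[0] for p in parts if p.strip()):
                if url.lower().startswith("http://"):
                    kind = "active" if tag in ACTIVE else "passive"
                    self.findings.append((self.getpos()[0], tag, name, url, kind))


def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page (example.com paths are made up for illustration).
SAMPLE = """<link rel="stylesheet" href="http://example.com/wp-content/themes/t/style.css">
<link rel="canonical" href="http://example.com/">
</head><body><a href="http://example.com/about">About</a>
<img src="http://example.com/wp-content/uploads/logo.png"
     srcset="http://example.com/wp-content/uploads/logo-2x.png 2x">
<img src="//example.com/wp-content/uploads/ok.png"></body>"""

if __name__ == "__main__":
    for line, tag, attr, url, kind in find_mixed_content(SAMPLE):
        print(f"line {line}: <{tag} {attr}> {kind}: {url}")
```

Feed it the HTML the server actually returns (for example, a saved “view source” copy), since the insecure link can sit in the rendered page even when the media library shows an https address.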
Is the SSL certificate truly free?
Your time is not free, but the tool is well documented. Automatic certificate renewals are available for those with shell access, or hosting providers that support this effort. Manual renewal is not recommended, so check the list of supporters. GreenGeeks is listed as “Planned,” we’re happy to see, as they provide us excellent service. Otherwise, PayPal your donation to Let’s Encrypt and call it free as in “free speech.”