Tom here from Lawrence Systems. We're going to talk about Let's Encrypt. So if you're not familiar with Let's Encrypt and what they do, this is a good starter video. I wanted to cover this topic because there's a lot of misinformation or misunderstandings people have about how certificate authorities work, or more specifically how Let's Encrypt works. So they are very official and they've issued quite a few certificates, and we're a big user of these certificates.

Let's Encrypt is a nonprofit certificate authority run by the Internet Security Research Group that provides X.509 certs for Transport Layer Security encryption at no charge. The certificates are valid for 90 days, during which renewal takes place at any time. This is accompanied by an automated process designed to handle the manual creation, validation, signing, installation and renewal of certificates. So they were founded on November 18th of 2014. They started going live in 2016, and it takes a while to actually make all of this happen, and actually quite a big budget, but that is actually supported by a large number of sponsors.

So let's look at their website here. As you see right on the front page: a nonprofit certificate authority providing TLS certificates for 190 million websites. And the sponsor list goes on and on. You don't just have the Electronic Frontier Foundation; you have Mozilla, Cisco, Chrome, etc., Facebook, names you might have heard of in the world of the internet.

So in the early days, as I've worked in tech a long time, it was not easy to get certificates up. It took a lot more effort than it does with Let's Encrypt. That extra effort it took to go through the signing, go through the process, and of course the expense of it, meant a lot of times you just didn't bother unless there was an absolutely imperative need. You didn't bother installing a certificate on a website. It was just easier to leave the website unencrypted, going, "Hey, it's just a blog, and who really cares that they can see what traffic's on there?"

Well, as Snowden let us know, lots of government agencies cared a whole lot. Matter of fact, we learned lots of people cared about what exact transactions, even if they were not financial but just general transactions, were going across websites. Turns out there was a lot of snooping going on. Man, this created a lot of problems and a lot of controversy of, well, how do we make it easy to encrypt? And that's kind of the brainchild that came up with, all right, how are we going to do this and how are we going to make it easy? And automation is a key factor there, but you can't just build the automation tool. If you built the automation tool and said, "Hey, look, this will automatically install certificates," the certificate authorities are going, "We make money making it hard." That is an entire industry in there.

And I'm not trying to just slam on the certificate authorities. Some of them are legit and very good, and they go through what they refer to as EV certificates, or extended validation, where they get on the phone or validate you as a business to say that you actually own the certificate. And the idea was to instill confidence in the end users that this certificate was issued, and the end users can have the confidence that we verified Tom Lawrence is really Tom Lawrence when you go to Lawrence Systems: it's a valid website that we absolutely understand. The reality is end users never look at that. I can tell you end users never stop and check validation. Now there was a short time where we saw little check boxes at the top where that information was there, and you could validate that Lawrence Systems was validated with extended validation by a cert authorization company, that I was who I say I am. But that was short-lived, and all the browsers now are back to just having the little lock up there, and that's what we really want to know: do we have a secure connection to this website?

So, to continue, Let's Encrypt, by doing the automation on there, has now issued a billion of them. So they have really moved the bar forward, and that's one of the reasons I wanted to talk about them. They are now, through their automation tool, issuing certificates with only a 90-day certificate validation date. Now in the past certificates could be longer, and with the recent announcement from Apple it sounds like certificates are going to reduce down to only one year. I believe in the earliest days of the internet they were eight years maybe, and then they got down to, like, you know, two-year certificates, and now we're going down to one year as the maximum length the certificate can be valid for.

Now just a little bit of overview of how this works. Certificate authorities have to work with the operating system vendors and the browsers to validate certificates, so they have to be in the root store of those operating systems, phones, whatever device you're using that has to go to a website and validate certificates. It's not just a matter of setting up the encryption between you and a website. It's having this kind of intermediary, the certificate authority, be in there and play man in the middle to go, "All right, this is valid with this." Now they're not able to see within the encryption by being a CA. They're able to validate to the browser that yes, when you go to lawrencesystems.com, or when you go to letsencrypt.org, that is a valid certificate, and it's valid between these dates, and they used a signing key to sign and make sure that's valid. That's great, but one of the problems in the past was some of these CAs abused it and they've been removed from the root store. So it's not easy to get in; it's certainly easy to get out. You make some bad moves and they will kick you out, and once they've kicked you out, any sites signed with it will go away as well.

So one of the more reputable places is DigiCert. One of the oddly least reputable ones for a while there became Norton. They were a certificate authority and they were just handling it very poorly and were issuing certificates without doing the proper validation for who actually owned them. Now the danger in that is if someone were to issue a certificate and claim to be Google, and one of these certificate authorities actually accepted this, and someone that Google did not authorize got it, you could then impersonate google.com. Right now, if you were to try to set someone up to go to google.com but it wasn't really Google, the certificate authority said no, the certificate you have is not valid; the only way to get a valid certificate is to do that. So this validation process is extremely important to the integrity that we have of what websites we're going to and whether or not they're secure. And Let's Encrypt, by completely automating the process, made that a lot easier. Therefore it's kind of the default now when we set up websites, domains, even just for basic WordPress blogs for clients. It's really simple. We have a Let's Encrypt cert automatically installed. Matter of fact, with our hosting platform we use, it is implicitly on and we have to turn it off if we didn't want it. So it's actually installed by default and we don't have to do anything. You just set up the domain, and all they're doing is domain validation, going, "Yep, you own this domain, we validated you own it," and Let's Encrypt is automated. You don't call someone; you don't have to go through the process.

Now a little bit more about how this works. So these are some of the common questions on there. Is it free? Yes, it's absolutely free. It's funded by the sponsors, so that's why there's no payment involved in Let's Encrypt. So anyone who has a domain name can use Let's Encrypt to obtain a trusted certificate at zero cost. Automatic: this was the key. If they had just built the automation tool, like I said, the domain authorities, probably the certificate authorities, would have never really adopted this. So by building it, and they built an open framework by which you can automate this, now other companies have the ability to use it, but Let's Encrypt, being an authority, is the easy one to use on there, and this is all open source, by the way. So automatic software running on a web server can interact with Let's Encrypt to painlessly obtain a certificate, securely configure it, and automatically take care of renewal. Secure: Let's Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers. Transparent: all certificates issued or revoked will be publicly recorded and available for anyone to inspect.

And I've actually got to know a lot about this from talking to my friend Phil. He's on the podcast with me, and he published his blog post on November 20th of 2019. He has done all of this. He's a site reliability engineer, and Let's Encrypt launched a certificate transparency log this past spring. "We're excited to share how he built this in hopes that others can learn from what we did." Once again, they're fully open source, and I'll leave a link to this so you can see how the entire log works. But what this does is lets you know when a certificate was issued, when that certificate expired, what other certs were issued by that particular entity. So it can be very transparent, and the ability to revoke it. So if for some reason we need to revoke a certificate, and that does happen if we change the IP address or something the certificates are tied to, we can do a revocation and change where that goes by redoing the cert, so that you can track the history and figure out what's going on if something needs to happen. Not all the companies are fully as transparent as Let's Encrypt is, and this is really moving the bar forward. They want to set the standard for this.

And the misconceptions I see on Let's Encrypt are people think, well, just because it's free it must be less secure, so we've got to go get a certificate somewhere else and go through the trouble and the process. And that's simply not true. Let's Encrypt is every bit as secure as the other authorities. Now do they go through the extended validation cert? No, but are those really as relevant? I don't really feel they are anymore. EV certs, or extended validation, with the whole concept of providing trust in the end users going to your website, just doesn't feel good anymore, because, well, it's so much work for them to go through and look at who issued the cert, and I don't really feel end users, before doing something, really do that. It was a good idea, but not really practical to implement over the long term. And even the browser companies have now removed the little extended validation certs. And yeah, I mean, you can click on it and figure out who issued the authority on there, but I don't think they're really taking the time to check it. And especially when you start looking at a business, well, I'm going to maybe some store to buy something; their corporate headquarters may or may not match where I think their location is. So now you have this extended confusion, not extended validation, as far as I'm concerned, about how that works.

So the last little piece I'll talk about is the certbot system. So the certbot system, and they have a lot of different options in here, is part of the automation. So you can look for what software your HTTP website is running, HAProxy, and so on, or "none of the above," and then you can choose the operating system, and they have a massive amount of support. So certbot is part of the automation tool on here, and like I said, this is an open framework in order to do this. Now to go a step further, and I'm going to be doing some upcoming videos, I also wanted to cover this on pfSense and HAProxy, which has Let's Encrypt built in. The automated protocol also has ways you can do validation with DNS. So I'll be doing some of those types of videos, and I wanted to mention: yes, it's secure, and I'll reference this video. There is not any lessening of the security when you use Let's Encrypt. The TLS encryption, the encryption you use to encrypt the things that you're doing with Let's Encrypt, is up to you. That is your handling of the back-end security. They're just handling the certificate part of this, that component.

And what a lot more people are, well, what you're kind of almost needing to do, is have everything needing a cert. And we're even seeing some IoT devices come with this. FreeNAS has added it to the latest 11.3 version as well, to issue fully qualified domain name certificates for different servers. Now these servers don't even have to be public-facing when you do this, so hence the reason they support things like DNS-based validation. And like I said, as I start making videos on this, I want to assure people and clear up any confusion. Just because you get the certificate for free, because of the methodologies and the fact that this is run by sponsors, it's not exactly just some free cert system. It's actually a legit business that is part of the whole certificate authority system and trusted by operating systems and browsers and devices. It is fully fine to use and perfectly secure. So as I do videos and as people say, "I don't want to use it because it's less secure," this will be my generic reply I give to them.

But I also want to raise a bit of awareness about Let's Encrypt and say that yes, it is absolutely an amazing project. Yes, it's a very secure project. And that whole post here, I mean, a billion certificates issued is, well, that's just incredible. So we issued a billion certificates on February 27th, and wow, that is a whole lot of certificates there. And this I will tell you: I spent some time talking to Phil, you know, when he did that, after he did that blog post. It takes a lot to run a whole certificate authority at the volume at which they issue certificates. So also read that write-up he did, because it's a pretty interesting read of how they built a system at the scale that this operates at to maintain this log, maintain the volume of traffic that comes into it, and all the servers that are in there; he already talks about the technology in there. And it's a great service. I definitely recommend it. I don't see any reason not to use it. So if the opportunity comes up to set up something with Let's Encrypt, don't have any worries about it. You can have full confidence that it's fully encrypted and a well-trusted system. Make sure you do the back end right; that part's still up to you. They at least will do the validation right over at Let's Encrypt.

All right, thanks, and thank you for making it to the end of the video. If you like this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button, and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page, and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com, or we can carry on the discussion about this video, other videos, or other tech topics in general. Even suggestions for new videos are accepted right there on our forums, which are free. Also, if you'd like to help the channel in other ways, head over to our affiliate page. We have a lot of great tech offers for you. And once again, thanks for watching, and see you next time.
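The video mentions that the automated protocol behind Let's Encrypt can validate domain ownership through DNS, which is what lets non-public servers get certificates. The following is an added example, not code from the video, from Let's Encrypt, or from certbot, showing what that DNS-01 validation actually checks, following RFC 8555 (ACME) and RFC 7638 (JWK thumbprints): the CA hands the client a random token, the client combines it with a thumbprint of its account key, hashes the result, and publishes that hash as a TXT record at `_acme-challenge.<domain>`; the CA then looks the record up and compares. The account key JWK and the token below are constructed placeholders, not real credentials, and `dns01_check` stands in for the lookup the CA performs (it takes a list of TXT values instead of querying DNS).

```python
"""
Added example: deriving and checking an ACME DNS-01 challenge record.
Not part of the video or of Let's Encrypt / certbot code. Follows RFC 8555
sections 8.1 and 8.4 and RFC 7638:
    key_authorization = token + "." + base64url(SHA-256(canonical JWK))
    TXT value         = base64url(SHA-256(key_authorization))
"""
import base64
import hashlib
import json
from typing import Dict, List, Tuple

# Constructed sample values (not a real account key or CA-issued token).
ACCOUNT_JWK: Dict[str, str] = {
    "kty": "EC",
    "crv": "P-256",
    "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
    "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
    "kid": "https://acme.example.invalid/acct/1",  # must be ignored by the thumbprint
}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed challenge token


def b64url(data: bytes) -> str:
    """base64url encoding without '=' padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638: keep only the required public members for the key type,
    serialize with lexicographically sorted keys and no whitespace, SHA-256."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: Dict[str, str]) -> str:
    """RFC 8555 section 8.1: binds the CA's token to this ACME account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: Dict[str, str]) -> str:
    """RFC 8555 section 8.4: the TXT record content is the base64url SHA-256
    of the key authorization, never the key authorization itself."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("utf-8")).digest()
    return b64url(digest)


def dns01_record(domain: str, token: str, jwk: Dict[str, str]) -> Tuple[str, str]:
    """Return (record name, TXT value) the CA will query for this identifier.
    For a wildcard identifier the leading '*.' is dropped, so '*.example.com'
    is proven with the same record name as 'example.com'."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base}", dns01_txt_value(token, jwk)


def dns01_check(published_txt_values: List[str], token: str, jwk: Dict[str, str]) -> bool:
    """The CA side: the challenge passes only if one of the TXT values at the
    challenge name equals the expected digest. A zone may legitimately hold
    several values (one per in-flight order), so any exact match is accepted."""
    expected = dns01_txt_value(token, jwk)
    return any(v.strip() == expected for v in published_txt_values)


if __name__ == "__main__":
    name, value = dns01_record("*.example.com", TOKEN, ACCOUNT_JWK)
    print(f'{name}. IN TXT "{value}"')
    print("CA check passes:", dns01_check([value], TOKEN, ACCOUNT_JWK))
```

Two details in the code are the ones that catch people when they script this themselves: the thumbprint is computed over only the required public members of the JWK in sorted order (so extra fields such as `kid` must not change it), and what goes into DNS is the hash of the key authorization, not the key authorization string that the HTTP-01 challenge serves verbatim.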