Let's Encrypt: Just What App Makers Need To Secure Their Apps
It’s a rainy afternoon and one of your app’s users, let’s call her Alice, is having a coffee in a café. She’s using your app to communicate with her research supervisor. Unaware of a gaping security hole in your app, she uploads recent changes to her paper via your app. Before she can send them over to her supervisor, the app syncs her address book over an insecure HTTP connection. It’s all for the sake of convenience: now Alice can use her phone’s contacts in your desktop web app too.
Convenient for the hacker sitting at the table next to her. He’s got a “Pineapple” WiFi sniffer in his backpack. Every coffee shop visitor thinks they’re secure on the password-protected WiFi, but unfortunately the hacker has that password too. Without effort he intercepts Alice’s address book, her paper, pictures of the party last night, and a whole bunch of other digital loot.
If only the app makers had encrypted their app’s network communications with SSL! Their decision to not use HTTPS came from “convenience”: SSL certificates are hard to set up, often expensive, and on occasion even insecure.
Thanks to Let’s Encrypt, that’s going to change.
What Is SSL?
SSL is a standard security technology for establishing an encrypted communication link between a server and a client. In your case, as an app maker, the server is your online API and the client is your app. Communication with a web resource without an SSL (Secure Sockets Layer) certificate cannot be considered safe and secure.
For this reason SSL is considered an integral part of any webserver or web resource, particularly for public web APIs that transport personal information such as names, addresses, mobile phone numbers, and credit card information. SSL helps protect against hackers who try to gather information about an app’s users.
SSL works by encrypting the data that’s being sent. On the internet you can’t control which nodes send and receive your data, so you can’t be sure no one is reading it. It’s like sending that secret message across the classroom. You ask your friend to give your message to Alice, but now Bob’s got hold of it and the whole classroom knows you’re secretly in love with Alice.
Why Should You Care About SSL?
So how can your app keep your users’ information secret? SSL encrypts the communication with an algorithm and only you and the receiver can decrypt it. It’s been an online standard for many years and although cumbersome to work with, it’s incredibly safe.
Whether you’re an online business owner or app maker, you need to secure your data transport with SSL/HTTPS encryption. If you’re working with a custom REST API, public file transfers or a Platform-as-a-Service that doesn’t have SSL, you need to encrypt your data. It helps keep your customers’ data safe and avoids it falling into the hands of hackers. It’s your responsibility to keep your data secure. But what about all those pricey and overly complex SSL certificate providers?
That’s where Let’s Encrypt comes in. Let’s Encrypt is one of the first open certificate authorities (CAs) that operates with the benefit of the public in mind. Run by the Internet Security Research Group (ISRG) and backed by internet heavyweights including Mozilla, EFF and Cisco, it’s the first sane approach to encrypting the internet for the rest of us.
Using Let’s Encrypt has several advantages:
- It is free. Let’s Encrypt is available to anyone who owns a domain. You can request a certificate for your domain at no cost.
- It is automatic. Enrolling is a hassle-free and fast process, because the Let’s Encrypt client can install and configure itself on its own. Renewal happens automatically in the background.
- It is transparent. The great thing about Let’s Encrypt is that they provide all of their certificate issuance and revocation records for anyone who’d like to inspect them.
- It is open. Let’s Encrypt provides an open standard for automated issuance and renewal protocols.
- It is cooperative. Let’s Encrypt is composed of a team of individuals working hard to provide their services to the public. Instead of one single authority keeping all the secrets, there’s a transparent team of experts to ensure reliability.
- It is secure. The best part about Let’s Encrypt is that it provides a secure platform for modern day security practices in the online world.
Let’s Encrypt Is Trusted
By upholding their ideals for a secure internet, Let’s Encrypt has received cross-signatures from IdenTrust. Major browsers trust the certificates of IdenTrust, which is a big advantage.
Compared to major certificate providers, Let’s Encrypt makes it incredibly easy for app makers to obtain a certificate and secure their webserver. With the help of some command-line magic you can install and activate HTTPS encryption for your web API. There is no need for editing a complicated configuration file or jumping through ten hoops to get a validation email. You don’t have to worry about renewing your certificates on time, because that’s all taken care of.
Fun fact: the website letsencrypt.org uses a certificate they issued themselves!
Installing and activating your SSL certificates is all explained on this page, but the process is roughly as follows:
- Install the letsencrypt tool on your server. It’s currently only available on GitHub as a private beta (public beta from December 3rd 2015 on).
- Execute the letsencrypt run command to configure a certificate for your web server. Currently, Nginx and Apache are supported. Additionally, you can manually request a certificate with the letsencrypt -d example.com auth command.
- Renewing is done automatically, but you can prompt a renewal by executing letsencrypt renew --cert-path example-cert.pem.
- Revoking certificates is a matter of running
It’s that easy!
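The letsencrypt tool hides this step, but the domain validation behind “automatic” issuance is the ACME HTTP-01 challenge: the CA hands the client a token, the client publishes a key authorization derived from that token and its account key, and the CA fetches it over plain HTTP. The following is an added example, not code from this page or from the Let’s Encrypt project, that computes the response a server must publish and the check the CA performs; the account key JWK and the token are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample account key (public JWK). The values are illustrative
# placeholders, not a real key; a real ACME client derives them from its
# RSA account key.
SAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "n": "sample-modulus-base64url-placeholder",
    "e": "AQAB",
}


def b64url(data: bytes) -> str:
    """Base64url encoding without padding, as ACME and JWS require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required JWK members only,
    serialised with keys in lexicographic order and no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Key authorization the client must publish for an HTTP-01 challenge."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(token: str, jwk: dict) -> tuple:
    """Return (URL path, body) the web server must serve over plain HTTP on
    port 80 so the CA can verify that the requester controls the domain."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def http01_valid(fetched_body: str, token: str, jwk: dict) -> bool:
    """What the CA checks: the fetched body must equal the expected key
    authorization (constant-time comparison, trailing whitespace ignored)."""
    expected = key_authorization(token, jwk)
    return hmac.compare_digest(fetched_body.strip().encode(), expected.encode())


if __name__ == "__main__":
    # Constructed challenge token, as the CA would hand it to the client.
    path, body = http01_response("evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA", SAMPLE_ACCOUNT_JWK)
    print(path, body, sep="\n")
```

Because the thumbprint is bound to the account key, an attacker who merely observes the token cannot produce a valid response, and the CA reaches the host over the domain's public DNS name rather than trusting whoever sent the request.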
How To Get Started
As of September 2015, Let’s Encrypt has become available to the public as a private beta. The first certificate has been issued, which was a big milestone for the non-profit. Just a few months later they obtained their cross-signature from IdenTrust. Up until now over 11.000 certificates have been issued. On December 3rd 2015 Let’s Encrypt entered a public beta, which means anyone can request certificates and use them on their servers!
Let’s Encrypt is big news for app makers. It simply means it has become easier than ever to encrypt your server-to-app communication. There’s no reason not to do that: Let’s Encrypt is free, easy to use, trusted and open. Make sure to tune into their blog to stay updated, and read up on the exact technology they use on LetsEncrypt.org.
And what happened to Alice? Thanks to Let’s Encrypt her data is secure. Hacker Bob’s out of luck: even if he intercepted the data, he wouldn’t have the computing power to decrypt it.
- Let’s Encrypt: Entering Public Beta
- Why ninety-day lifetimes for certificates?
- Technical Overview Of Let’s Encrypt
Image credit: GotCredit / jakerust