Let's Encrypt: Just What App Makers Need To Secure Their Apps

Written by: Reinder de Vries, December 9 2015, in App Development

It’s a rainy afternoon and one of your app’s users, let’s call her Alice, is having a coffee in a café. She’s using your app for communication with her research supervisor. Unaware of a gaping security hole in your app she uploads recent changes to her paper via your app. Before she could send them over to her supervisor, the app synced her address book over an insecure HTTP connection. It’s all for the sake of convenience: now Alice can use her phone’s contacts in your desktop web-app too.

Convenient for the hacker sitting at the table next to her. He’s got a “Pineapple” WiFi sniffer in his backpack. Every coffee shop visitor thinks they’re secure on the password-protected WiFi, but unfortunately the hacker has that password too. Without effort he intercepts Alice’s address book, her paper, pictures of the party last night, and a whole bunch of digital loot.

If only the app makers had encrypted their app’s network communications with SSL! Their decision to not use HTTPS came from “convenience”: SSL certificates are hard to set up, often expensive, and on occasion even insecure.

Thanks to Let’s Encrypt, that’s going to change.

What Is SSL?

SSL is a standard security technology for establishing an encrypted communication link between a server and a client. In your case, as an app maker, the server is your online API and the client is your app. Communication with a web resource without an SSL (Secure Sockets Layer) certificate cannot be considered safe and secure.

For this reason SSL is considered an integral part of any webserver or web resource, particularly for public web APIs that transport personal information such as names, addresses, mobile phone numbers, and credit card details. SSL helps protect against hackers who try to gather information about an app’s users.

SSL works by encrypting the data that’s being sent. On the internet you can’t control which nodes send and receive your data, so you can’t be sure no one is reading it. It’s like sending that secret message across the classroom. You ask your friend to give your message to Alice, but now Bob’s got hold of it and the whole classroom knows you’re secretly in love with Alice.

Why Should You Care About SSL?

So how can your app keep your users’ information secret? SSL encrypts the communication with an algorithm and only you and the receiver can decrypt it. It’s been an online standard for many years and although cumbersome to work with, it’s incredibly safe.

Whether you’re an online business owner or app maker, you need to secure your data transport with SSL/HTTPS encryption. If you’re working with a custom REST API, public file transfers or a Platform-as-a-Service that doesn’t have SSL, you need to encrypt your data. It helps keep your customers’ data safe and stops it falling into the hands of hackers. It’s your responsibility to keep your data secure. But what about all those pricey and overly complex SSL certificate providers?

That’s where Let’s Encrypt comes in. Let’s Encrypt is one of the first open certificate authorities (CAs) that operates with the benefit of the public in mind. Run by the Internet Security Research Group (ISRG) and backed by internet heavyweights including Mozilla, the EFF and Cisco, it’s the first sane approach to encrypting the internet for the rest of us.

Using Let’s Encrypt has several advantages:

  • It is free. Let’s Encrypt is available to anyone who owns a domain. You can request a certificate for your domain at no cost.
  • It is automatic. Enrolling is a hassle-free and fast process, because the Let’s Encrypt client can install and configure itself on its own. Renewal happens automatically in the background.
  • It is transparent. The great thing about Let’s Encrypt is that they provide all of their certificate issuance and revocation records for anyone who’d like to inspect them.
  • It is open. Let’s Encrypt provides an open standard for automated issuance and renewal protocols.
  • It is cooperative. Let’s Encrypt is composed of a team of individuals working hard to provide their services to the public. Instead of one single authority keeping all the secrets, there’s a transparent team of experts to ensure reliability.
  • It is secure. The best part about Let’s Encrypt is that it provides a secure platform for modern day security practices in the online world.

Let’s Encrypt Is Trusted

By upholding their ideals for a secure internet, Let’s Encrypt has received cross-signatures from IdenTrust. Major browsers trust the certificates of IdenTrust, which is a big advantage.

Compared to major certificate providers, Let’s Encrypt makes it incredibly easy for app makers to obtain a certificate and secure their webserver. With the help of some command-line magic you can install and activate HTTPS encryption for your web API. There is no need for editing a complicated configuration file or jumping through ten hoops to get a validation email. You don’t have to worry about renewing your certificates on time, because that’s all taken care of.

Fun fact: the website letsencrypt.org uses a certificate they issued themselves!

Installing and activating your SSL certificates is all explained on this page, but the process is roughly as follows:

  1. Install the letsencrypt tool on your server. It’s currently only available on GitHub as a private beta (public beta from December 3rd 2015 on).
  2. Execute the letsencrypt run command to configure a certificate for your web server. Currently, Nginx and Apache are supported. Additionally, you can manually request a certificate with the letsencrypt -d example.com auth command.
  3. Renewing is done automatically, but you can prompt a renew by executing letsencrypt renew --cert-path example-cert.pem.
  4. Revoking certificates is a matter of running letsencrypt revoke.

It’s that easy!
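Behind step 2 sits the domain validation that lets Let’s Encrypt issue for free: its open protocol is ACME, and the HTTP-01 challenge has your server publish a “key authorization” that the CA recomputes from your account key and fetches over plain HTTP. The following is an added example, not code from the original post or from the Let’s Encrypt client; the account key is a constructed placeholder, not a real RSA key.

```python
import base64
import hashlib
import json
import secrets


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed placeholder account key (NOT a real RSA key): only the JWK
# encoding matters for the thumbprint, so any base64url modulus will do.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(bytes(range(256)))}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the key's
    required public members only (sorted keys, no whitespace, no alg/kid)."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    canonical = json.dumps({k: jwk[k] for k in required[jwk["kty"]]},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Client side: the HTTP-01 answer is token '.' thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def challenge_path(token: str) -> str:
    """Where the CA will look, over plain HTTP on port 80 of the domain."""
    return f"/.well-known/acme-challenge/{token}"


def ca_validates(token: str, account_jwk: dict, served_body: str) -> bool:
    """CA side: recompute the key authorization from the account key it already
    holds and compare it with what the domain served (trailing whitespace ignored)."""
    return served_body.rstrip() == key_authorization(token, account_jwk)


def http01_round_trip(account_jwk: dict, token: str = ""):
    """Whole exchange: CA issues a random token, client serves the key
    authorization at the challenge path, CA fetches and checks it."""
    token = token or b64url(secrets.token_bytes(32))  # >= 128 bits of entropy
    body = key_authorization(token, account_jwk) + "\n"  # file the web server serves
    return challenge_path(token), body, ca_validates(token, account_jwk, body)


if __name__ == "__main__":
    path, body, ok = http01_round_trip(ACCOUNT_JWK)
    print(path, body.strip(), "valid" if ok else "INVALID")
```

A body signed with a different account key, or an empty response, fails the CA-side check, which is why control of the web root (or of port 80) is what you are proving in step 2.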

How To Get Started

In September 2015, Let’s Encrypt became available as a private beta. The first certificate was issued, a big milestone for the non-profit. Just a few months later they obtained their cross-signature from IdenTrust. Up until now over 11,000 certificates have been issued. On December 3rd 2015 Let’s Encrypt entered public beta, which means anyone can request certificates and use them on their servers!

Let’s Encrypt is big news for app makers. It simply means it has become easier than ever to encrypt your server-to-app communication. There’s no reason not to do that: Let’s Encrypt is free, easy to use, trusted and open. Make sure to tune into their blog to stay updated, and read up on the exact technology they use on LetsEncrypt.org.

And what happened to Alice? Thanks to Let’s Encrypt her data is secure. Hacker Bob’s out of luck: even if he intercepted the data, he wouldn’t have the computing power to decrypt it.

Image credit: GotCredit / jakerust

Reinder de Vries

Reinder de Vries is a professional iOS developer. He teaches app developers how to build their own apps at LearnAppMaking.com. Since 2009 he has developed a few dozen apps for iOS, worked for global brands and led development at several startups. When he’s not coding, he enjoys strong espresso and traveling.
