Now With Encryption!
No doubt you've heard about the Government wanting to read everything you do online. From the Apple iPhone debacle to Microsoft suing the government over hidden warrants used to spy on you, you can't read tech news these days without stumbling on something about encryption.
My Views on Encryption
I certainly understand the Government's desire to spy on its citizens. They feel it's the best way to keep us safe, and that's what we as voters have tasked them with doing. There's always a "good" reason to spy on you. Think of the children, right? And of course there's the argument that you're already posting everything to Facebook anyway, so why not let them? However, not everyone posts everything publicly, even on Facebook, which makes that communication more of a conversation among friends.
Regardless of where you fall on the discussion, I believe it's everyone's right, in the absence of a carefully issued warrant, to a private conversation. Just think if England had been privy to every conversation George Washington and his friends ever had - chances are there'd be no United States. Or, if Martin Luther King Jr. had no privacy to organize his followers before they reached critical mass, where do you think we'd be with civil rights today? So you can easily see why governments fear privacy.
In order to make conversations private on the Internet, encryption is what we use. I've now enabled and enforced encryption on this site so all communication between your web browser and my server is encrypted. I do this because (A) I can, and (B) it's nobody else's business what you're reading on my blog.
I don't do this to hide what I say. In fact, almost anyone in the world can come to this website and read the exact same content that you are reading. There's nothing groundbreaking or divisive that's posted here, but I still believe it's nobody else's business that you're reading any particular article on this site.
Other websites should also be using encryption - anywhere that a login is required. This blog also includes a management interface that lets me write these awesome posts for you. My login credentials are encrypted now, so nobody between my computer and my blog can capture my password. I trust my home internet provider about as far as I can throw one of their telephone poles. If any of their various routers, switches or servers were compromised, any of my data crossing their network would be compromised. You don't want someone being able to see your username and password as it scuttles around the various connected computers that make up the Internet. Encryption assists with security by making sure only the originator of a message and the intended recipient can make sense of it, and the certificate that comes with it lets your browser check that it really reached my server and not an impostor sitting somewhere along that path.
Enter "letsencrypt" from the EFF and the ISRG
Typically, setting up encryption on a web server requires purchasing an SSL/TLS certificate from a certificate authority. These certificates can range from $50 to $1500 a year depending on the feature set and where you purchase them. As a tech blog writer I get almost no revenue from advertising (you guys n gals just don't click ads, mostly because you're probably already blocking them). As such, it really wasn't important to me to pay to secure the communication for what is essentially already a public blog.
Let's Encrypt is a certificate authority run by the Internet Security Research Group (ISRG), with the Electronic Frontier Foundation (EFF) among its founding partners, and it issues these certificates for free. It is a combination of client software (the letsencrypt client, maintained by the EFF) that makes generating the certs easy and an online certificate authority that issues them. Currently those certificates are good for 90 days at a time, but they're easy to renew.
Install the Client
Many web hosts with cPanel are starting to support it already, built into their web interface, but if you run your own server you'll need to install the letsencrypt client yourself. We use the git source management system to grab it, so install that first:
sudo apt-get install git
Next grab the software from github and store it under /opt with:
sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
Once this is downloaded we want to test the installation, and grab the remaining prerequisites by running:
That should grab a package or two, verify your setup and make sure you have the latest version. Then it will print the basic settings you can use.
From here we want to create a new certificate. Certificates get stored under /etc/letsencrypt/ (the current files for each certificate live under /etc/letsencrypt/live/<first domain name>/), so you'll have to edit your nginx or apache configs to point to the proper certificate. Configuring the use of the certificate in your web server is beyond the scope of this tutorial. Just watch the output of letsencrypt and it will tell you where those files get put.
One of the ways letsencrypt works (using the webroot plugin) is that it puts a special file under /.well-known/acme-challenge/ in your site's document root, which the Let's Encrypt servers then fetch over plain HTTP to prove that you control the web server before a certificate is issued. This means a non-SSL version of your site should already be active on port 80, reachable from the Internet, with DNS working for every name you ask for. If you have multiple domain names you want on the same certificate, you specify the root for each before its domain names in the command; each -w applies to every -d that follows it until the next -w, like so:
/opt/letsencrypt/letsencrypt-auto certonly --webroot -w /var/www/site1 -d www.example1.com -d example1.com -w /var/www/site2 -d www.example2.com -d example2.com
Once the certificate is generated, make a note of where letsencrypt says it placed it and configure each website to make use of it (normally fullchain.pem and privkey.pem under /etc/letsencrypt/live/<domain>/, where <domain> is the first -d name you gave). Don't move or copy the certificate to a new location: the files under live/ are symlinks that the client updates on every renewal. Since certificates are only good for 90 days, you'll want to set up an autorenew task that keeps them fresh without you having to do anything. If you move the certificate, that task will break, or worse, will quietly renew a file nothing is using while the copy you pointed nginx at expires.
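What that "special file" actually is, as an added example (not code from this post or from the letsencrypt client): the ACME http-01 challenge that the webroot plugin performs. The CA hands the client a random token, and the file at <webroot>/.well-known/acme-challenge/<token> must contain the token followed by a hash (thumbprint) of your ACME account's public key, so only someone who controls both the web root and the account key can pass. The sample account key, the token and the throwaway web root below are constructed; on a real server the account key is the one the client generated when you first ran it.

```python
"""ACME http-01 challenge file: compute it the way the CA expects and verify
a web root locally.  Added example for this post, not part of the
letsencrypt client.  SAMPLE_JWK, OTHER_JWK and SAMPLE_TOKEN are constructed."""
import base64
import hashlib
import json
import tempfile
from pathlib import Path


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JWS use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public-key members,
    serialised as compact JSON with the keys in lexicographic order."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Body of the challenge file: <token>.<thumbprint of the account key>.
    The CA fetches http://<domain>/.well-known/acme-challenge/<token> and
    compares the response with this string."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def challenge_path(webroot: str, token: str) -> Path:
    return Path(webroot) / ".well-known" / "acme-challenge" / token


def write_challenge(webroot: str, token: str, account_jwk: dict) -> Path:
    """What the webroot plugin does for each -d name: drop the file into the
    -w directory given before that name."""
    path = challenge_path(webroot, token)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(key_authorization(token, account_jwk), encoding="ascii")
    return path


def verify_challenge(webroot: str, token: str, account_jwk: dict) -> bool:
    """Local self-check before involving the CA: is the file there with the
    expected body?  The CA performs the same check over plain HTTP, which is
    why the non-SSL site and DNS must already work."""
    path = challenge_path(webroot, token)
    if not path.is_file():
        return False
    expected = key_authorization(token, account_jwk)
    return path.read_text(encoding="ascii").strip() == expected


# Constructed sample data: public RSA JWKs with placeholder moduli (not real
# keys) and a token of the shape the CA issues (base64url, 128 bits).
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructedsamplemodulusnotarealkey"}
OTHER_JWK = {"kty": "RSA", "e": "AQAB", "n": "someoneelsesmodulusalsonotreal"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def self_check() -> tuple:
    """Write the sample challenge into a throwaway web root, then verify it
    with the right account key and with someone else's key."""
    with tempfile.TemporaryDirectory() as webroot:
        write_challenge(webroot, SAMPLE_TOKEN, SAMPLE_JWK)
        return (verify_challenge(webroot, SAMPLE_TOKEN, SAMPLE_JWK),
                verify_challenge(webroot, SAMPLE_TOKEN, OTHER_JWK))


if __name__ == "__main__":
    print("challenge body:", key_authorization(SAMPLE_TOKEN, SAMPLE_JWK))
    print("right key / wrong key:", self_check())
```

When a validation fails, the same check run against your real document root (and the URL fetched with curl over plain HTTP from outside) tells you whether the file is landing where the web server actually serves it; a redirect of the whole site to HTTPS before the certificate exists is a common way to break it.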
Setting up automatic renewal of the certificates is easy using a cronjob like so:

# A sample Crontab file edited using "crontab -e":
10 1 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/letsencrypt-renew.log 2>&1
15 1 * * 1 /etc/init.d/nginx reload

The renew command only replaces certificates that are within 30 days of expiring, so most weeks it does nothing, and the reload five minutes later is harmless either way. Weekly gives you four attempts before a certificate expires; Let's Encrypt recommends running renew more often (twice a day), so a failed attempt has plenty of chances to be retried. The 2>&1 sends errors to the same log instead of to cron's mail, where they tend to go unread.
Be sure to set up log rotation for the letsencrypt-renew.log file using logrotate, or you'll have to manually clear it out periodically.
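The second crontab line reloads nginx every week whether or not anything was renewed. An added example (not from this post or from the letsencrypt client) that reloads only when the live certificate has actually changed: the domain under live/ and the state-file path are assumptions, and the reload command is the one the crontab above uses. Save it somewhere like /usr/local/sbin and call it from the second crontab line in place of the bare reload.

```python
"""Reload nginx only when a renewal actually produced a new certificate.
Added example for this post, not part of the letsencrypt client.
CERT_PATH (domain) and STATE_PATH are assumptions; RELOAD_CMD is the post's."""
import hashlib
import subprocess
import tempfile
from pathlib import Path

CERT_PATH = Path("/etc/letsencrypt/live/www.example1.com/fullchain.pem")  # assumed: first -d name
STATE_PATH = Path("/var/lib/letsencrypt-reload/fullchain.sha256")          # assumed location
RELOAD_CMD = ["/etc/init.d/nginx", "reload"]                               # from the crontab above


def file_sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def cert_changed(cert_path: Path, state_path: Path) -> bool:
    """Compare the live certificate with the hash recorded on the previous run.
    Returns True (and records the new hash) when the file is new or changed,
    False when the renewal run did nothing, which is the usual case since the
    client only renews within 30 days of expiry.  Hashing the file behind the
    live/ symlink is what makes this work: the client rewrites that target."""
    current = file_sha256(cert_path)
    previous = state_path.read_text().strip() if state_path.is_file() else None
    if current == previous:
        return False
    state_path.parent.mkdir(parents=True, exist_ok=True)
    state_path.write_text(current + "\n")
    return True


def reload_if_renewed(cert_path: Path = CERT_PATH, state_path: Path = STATE_PATH,
                      reload=lambda: subprocess.run(RELOAD_CMD, check=True)) -> bool:
    """Reload the web server only when cert_changed() says so."""
    if not cert_changed(cert_path, state_path):
        return False
    reload()
    return True


def demo() -> list:
    """Dry run in a throwaway directory with a constructed certificate file
    and a counting stand-in for the reload command: the first run reloads,
    the second is a no-op, and a rewritten certificate reloads again."""
    reloads = []
    count = lambda: reloads.append(1)
    with tempfile.TemporaryDirectory() as tmp:
        cert = Path(tmp) / "fullchain.pem"
        state = Path(tmp) / "state" / "fullchain.sha256"
        cert.write_text("-----BEGIN CERTIFICATE-----\nconstructed-old\n-----END CERTIFICATE-----\n")
        results = [reload_if_renewed(cert, state, reload=count)]
        results.append(reload_if_renewed(cert, state, reload=count))
        cert.write_text("-----BEGIN CERTIFICATE-----\nconstructed-new\n-----END CERTIFICATE-----\n")
        results.append(reload_if_renewed(cert, state, reload=count))
    return results + [len(reloads)]


if __name__ == "__main__":
    print("reloaded" if reload_if_renewed() else "certificate unchanged, nothing to do")
```

The state file is the only thing this adds to the system; delete it and the next run reloads once and starts tracking again, so it is safe to put in place after the certificate has already been issued.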