Here at Social Strata, we are always looking for ways to increase security for our customer communities, and today we are announcing a new offering to allow our customers to use HTTPS (i.e. "SSL") at no cost.
Both of our community platforms, Hoop.la and Eve Community, have supported Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), both frequently referred to as "SSL", for several years. SSL adds a layer of security to the original HTTP protocol by encrypting all communications between a visitor’s browser and the website. This means that all our customers can switch to HTTPS (the ‘S’ at the end stands for “Secure”) and have the traffic to and from their website fully encrypted. HTTPS requires an SSL certificate which, until now, our customers had to purchase. The cost varies depending on which Certificate Authority (CA) the customer purchases it from, and the certificate requires some manual work to set up and install. This setup and installation process also has to be repeated every time the certificate needs to be renewed.
There are three types of certificates that can be used currently:
- Domain Validation (DV) certificates provide privacy and data integrity between an internet user and the site they are visiting.
- Organization Validation (OV) certificates provide the same privacy and data integrity as the DV certificates, but give the visitor a higher level of assurance about the company or organization they are interacting with.
- Extended Validation (EV) certificates use the same encryption as DV and OV certificates, but there is increased security due to a thorough identity validation process.
Let’s Encrypt is a free, automated, and open Certificate Authority. It is a service provided by the nonprofit Internet Security Research Group (ISRG), and their mission is to create a more secure and privacy-respecting Web by promoting the widespread adoption of HTTPS. As a result, their service offers free DV certificates.
Social Strata is pleased to announce that our customers can now request Let’s Encrypt certificates on their communities at no charge! The benefits of enabling HTTPS on your community are numerous:
- Improve search engine ranking: Search engines (like Google) have previously announced that they give priority in search results to sites that use HTTPS. This will give our customers that have not yet switched to HTTPS a boost in their community’s SEO. If you look carefully at the results of internet searches, you will likely notice that the links on the first result page are primarily HTTPS sites.
- Protect visitors: By using HTTPS, all data sent to and from your community is fully encrypted. This will protect your community and increase the confidence of the members using your community.
- Eliminate security warnings: Several browsers (like Chrome and Firefox), in an effort to protect internet users, already display warnings when users visit a site that does not use HTTPS. Google announced that beginning in October 2017, Chrome will show the “Not secure” warning in additional situations. With HTTPS, this will not happen.
- Full automation: Social Strata is providing a fully automated process so that the request and renewal of the certificates do not require any work by you, our customers. Let’s Encrypt certificates will be automatically renewed every 90 days.
- Free certificates: The certificates provided by Let’s Encrypt are completely free.
- Full transparency: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.
Frequently Asked Questions:
Can Social Strata also provide free OV and EV certificates?
It is not possible to offer full automation for OV and EV certificates, so unfortunately these can’t be offered for free at the moment.
What is the difference between the free and the paid DV certificates?
The main difference between the free and the paid DV certificates is the validity period. Free DV certificates are (at the moment) valid for 90 days and paid DV certificates can be valid for up to 3 years. The 90-day limit of Let’s Encrypt certificates is used to limit the damage from misuse and to encourage automation. The shorter validity period does not represent any inconvenience to our customers because the renewal process is completely automated.
What information will be used in the Certificate Signing Request (CSR) to create the DV certificate?
Because Let’s Encrypt only issues DV certificates, only control of the domain is verified. The only relevant information is the Distinguished Name (DN), i.e. the fully qualified domain name to secure. All the other fields of a regular CSR are discarded because the automated process that Let’s Encrypt uses has no way to check whether that information is accurate.
Can SAML Single Sign-On (SSO) customers use Let’s Encrypt certificates?
Due to the 90-day expiration, Let’s Encrypt certificates are not currently supported for SAML SSO usage. The SAML metadata XML exchange process requires engagement between Social Strata and the customer’s SAML server that is not reasonable to complete every 90 days.
Where can I find more technical details about Let’s Encrypt?
You can visit this page for further information.