Why set up SSL

This other post covers how to set up SSL for free with Let's Encrypt - and here I wanted to explain why it should be set up - even for say an innocent static html site, and simply define some terms.

Why use HTTPS?

HTTP is of course HTTP with TLS or SSL. Confidentiality (where communication encrypted), integrity (where information is not changed between source and user) and authenticity are all reasons to use it over just HTTP! So that is the reason to set up SSL.

TLS and SSL

TLS, transport layer security, and its predecessor SSL, secure sockets layer, are web protocols used to wrap normal traffic in a protected, encrypted wrapper.

Using this technology, servers can send traffic safely between servers and clients without the possibility of messages being intercepted by outside parties. The certificate system also assists users in verifying the identity of the sites that they are connecting with.

Self signed SSL certificates

Note that by default, Ubuntu 18.04 comes with OpenSSL, which can create a self-signed private key and a certificate key pair.

Using this way, we would see a certificate warning near the browser URL bar - this is because we are using a self-signed certificate that is not on the list of the browser’s trusted authorities. Sites like this do not provide all of the security properties that certificates signed by a certificate authority provide - and the warning lets us know this - visitors who bypass such warnings are exposed to a risk that a third party could intercept traffic to the website using the third-party's own self-signed certificate.

Let's Encrypt

Let's Encrypt is simply a non-profit certificate authority run by the Internet Security Research Group (ISRG) that provides X.509certificates for Transport Layer Security (TLS) encryption at no charge.