HTTPS & Let’s Encrypt

HTTPS is an important tool in protecting the privacy of patrons when they use library websites and services.  HTTP communication is vulnerable to potential eavesdropping and content hijacking from unauthorized third parties.  HTTPS helps protect against these problems by establishing an encrypted connection between the user’s browser and a library website or service, or between two library servers that are communicating with each other.  There has been a push by many organizations in recent years to move all websites to HTTPS:

  • Federal government websites are now required to be HTTPS
  • Google now gives a ranking boost to HTTPS sites in search results
  • Firefox and Chrome now warn users that HTTP sites as insecure
  • Freedom of the Press Foundation started the Secure the News project to track and promote the adoption of HTTPS by major news sites
  • Electronic Frontier Foundation launched an Encrypting the Web campaign
  • Library Digital Privacy Pledge encourages libraries and their content providers to adopt HTTPS

Let’s Encrypt

One of the most successful initiatives to promote HTTPS has been Let’s Encrypt, a new certificate authority that provides both free certificates and the Certbot client to easily install them. Let’s Encrypt has a number of sponsors including the Electronic Frontier Foundation, Mozilla, Chrome, Facebook, and the American Library Association.  ALA is a sponsor of this important initiative in order to help libraries move to HTTPS.

The free tools and certificates from Let’s Encrypt became available in November 2015 and adoption has been rapid. In January 2016, they supported 240,000 active certificates which grew to over 28 million by January 2017 making it one of the largest certificate authorities in the world. Approximate 50% of the web is now on HTTPS.

System administrators can usually install certificates by using the Certbot client in a matter of minutes on web servers running up-to-date operating systems.  In addition, Let’s Encrypt has been integrated into over a hundred web hosting platforms  so that certificates can be installed by customers from their control panel with just the click of a button.

Let’s Encrypt Cookbook for Library Servers

Here is a series of recipes for using Let’s Encrypt to install certificates on a variety of library servers.