Website security – Let’s Encrypt

Good news: the test website, test.openagua.org, is now secure. This means that the website is now https://test.openagua.org. Though this is a pretty banal detail, it is actually quite an important part of developing any website where people will log in, and is particularly important if users will log in to manage data that may be sensitive. Although we in the academic community would prefer all data to be open and public, the reality is that water, yes, is a scarce resource, and subject to competing sectoral and administrative interests. We want to make sure all sensitive information (passwords, potential future credit card numbers, etc.) is encrypted.

As part of the encryption process, a third party verifies that the website you are visiting is who it says it is. This is accomplished by the third party issuing a certificate to verify that it is the correct website. The third party then checks against this certificate when you go to that website, and indicates to you that the website is secure with the lock icon to the left of your address bar. However, this process involves significant computational resources, so certificates generally cost money, and they must be renewed regularly.

How did we do it, without burning through our seed money? Let’s Encrypt! Let’s Encrypt is a relatively new certificate authority (live for just over one year): “Let’s Encrypt is a free, automated, and open certificate authority brought to you by the non-profit Internet Security Research Group (ISRG).” It has the backing of many major organizations that you have probably heard of: Mozilla, Cisco, Chrome, Facebook, Automattic (owner of WordPress.com, on which this blog resides), the Ford Foundation, and many others.

Since Let’s Encrypt does not charge for the service, they depend on donations. Therefore, I very much encourage you to donate to Let’s Encrypt. While this solution may not make sense for a company with a revenue stream, it is ideal for the prototype stage we are in.

Though the core functionality of the website is our primary concern, it means nothing without security, and we are excited to add this to our prototype.
