Let’s Encrypt SSL certificates for AtoM hosted sites

Let's Encrypt SSL certificates for AtoM hosted sites
November 2, 2016

As part of our AtoM 2.3 hosted site upgrade Artefactual is deploying Let’s Encrypt SSL/TLS certificates as free upgrade to all of our AtoM hosting plans.  We are also making HTTPS the default for all browser connections to AtoM sites hosted by Artefactual.  We’ve invested in this change because we believe ubiquitous HTTPS makes the Internet better and safer, and because major Internet players such as Google are taking steps that penalize websites that do not use HTTPS connections.

Let’s Encrypt is a “free, automated, and open” Certificate Authority (CA) provided by the Internet Security Research Group (ISRG) and sponsored by a number of major players in the Information technology landscape including Google, Mozilla, and Facebook.  

Let’s Encrypt is part of broader push by Google and others towards ubiquitous Transport Level Security (TLS) via the HTTPS protocol.  In 2014 Google started slightly boosting search results for sites using the HTTPS protocol. In 2015 Google went further and began to preferentially index HTTPS web pages.  And in 2017 Google Chrome will start rolling out more prominent warnings for all websites using insecure HTTP connections. Other major Internet stakeholders such as Apple and Mozilla are also taking steps to increase the prevalence of HTTPS on the Web.

It’s also worth noting that there is a subtle but important distinction between Let’s Encrypt certificates and a traditional SSL/TLS certificate: a Let’s Encrypt certificate is a “domain validated certificate”.  This means that while Let’s Encrypt certificates provide end-to-end encryption of data passed between a browser and the server, they do not make any claims about the identity or the trustworthiness of the owner of the certificate.  More simply put, a Let’s Encrypt certificate does not tell you who owns the webpage you are browsing, just that any data sent or received can not be intercepted or read by a third party. For some applications a traditional organization validated or extended validation (EV) certificate may be preferable to allow users to reliably determine who owns the website.  If you are interested in using an organization validated SSL/TLS certificate for you AtoM hosted site Artefactual offers this as an optional upgrade for $150/year.

Please note that Let’s Encrypt certificates are not supported by some old operating systems, such as Windows XP.  Please see this list of Let’s Encrypt compatible browsers if your browser is having problems loading an AtoM site using HTTPS.

David Juhasz,
Director, AtoM Technical Services