Good to hear Protonmail, next to their own encryption, now also supports PGP.

You don’t need encryption you say? Apart from that itself being debatable (after all you do expect encryption for a wide range of your online transactions), think of it as herd immunity. If only those who need encryption to be safe (investigative journalists for instance, or dissidents) use it, that in itself makes them a visible target. The more normal it is to use encryption, the more it helps those whose lives depend on it. Don’t think that is a remote issue. In the EU for instance, journalists do get murdered when investigating corruption and fraud.

Getting an SSL/TLS certificate for your website has always been a hassle as well as costly. However, increasing the amount of encrypted web traffic by default is important both in terms of website safety and in terms of privacy (when you submit information to websites). The cost and hassle kept most non-commercial websites from using certificates. Until now. Because now there is Let’s Encrypt, which makes it very easy to add certificates to your website. For free.

When I started using a VPS two years ago to serve as my cloud and as a Dropbox replacement, I needed a certificate to make sure the traffic to my cloud was encrypted. The VPS originally came with one, but that expired after a year. Since then I’ve added a renewing certificate from Comodo (the largest provider at the moment), which I got for a one-time payment as a lifetime service from my VPS provider. But for a range of other domains I use, both hosted on my VPS as well as in various hosting packages with a Dutch hosting provider, I never bothered getting an https certificate, because it was too much work and too expensive to keep up. There already were free certificates available, such as through the Israeli StartCom which I used for one or two domains, but I never felt certain it was secure as a service (it turns out it’s small but 7th globally, and has received some serious criticism).

Symantec has a certificate problem...
Arranging and renewing certificates can be a pain, even if you’re Symantec, the world’s second-largest certificate provider. (image Lars K. Jensen, CC-BY)

Let’s Encrypt changes all that, because it is strongly community driven (amongst others with support from the Electronic Frontier Foundation), and because it is going the route of getting its root certificate independently recognized and becoming a full certificate authority. Currently they use IdenTrust’s (5th globally) existing trusted root certificates, but the Let’s Encrypt root certificate has now been recognized by Mozilla, and they’re working to get it recognized by Google, Apple, Microsoft, Oracle et al. This would increase the independence of Let’s Encrypt. Let’s Encrypt says the growth rate of https traffic has quadrupled since the end of 2015, in part through their efforts. Their certificates are used at over 8 million websites now.

I’ve added a range of my own sites to those 8 million. For the domains on my own VPS that didn’t have valid certificates yet, they were easy to install. I used SSLforFree to generate the Let’s Encrypt certificates, based on me providing proof I have full control over the domains I seek to protect. Then I added the certificates to the domains using the WHM control panel of my server. Certificates are valid for 90 days, but I can set them to auto-renew, although I haven’t done that yet.
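An added example, not code from the post: a stdlib-only Python check for the 90-day caveat above, deciding whether a served certificate is already in the renewal window and whether it actually covers the domain it is installed for. SAMPLE_CERT and its dates are constructed; the dict shape is what ssl.SSLSocket.getpeercert() returns for a live server.

```python
# Stdlib-only check for a 90-day Let's Encrypt certificate: days left, whether it
# is in the renewal window, and whether it covers the hostname it is served for.
# SAMPLE_CERT is constructed in the dict shape ssl.SSLSocket.getpeercert() returns.
import ssl
import time

# Let's Encrypt certs last 90 days; renewing with 30 left leaves time to notice a failed renewal.
RENEW_WITHIN_DAYS = 30

def cert_time(text):
    """Parse an X.509 time such as 'Sep 30 10:00:00 2016 GMT' to epoch seconds."""
    return ssl.cert_time_to_seconds(text)

def days_until_expiry(cert, now=None):
    """Days until notAfter (float); negative once the certificate has expired."""
    now = time.time() if now is None else now
    return (cert_time(cert["notAfter"]) - now) / 86400.0

def renewal_status(cert, now=None):
    """'expired', 'renew' (inside the renewal window) or 'ok'."""
    days = days_until_expiry(cert, now)
    if days <= 0:
        return "expired"
    return "renew" if days <= RENEW_WITHIN_DAYS else "ok"

def issuer_organization(cert):
    """organizationName of the issuer, or None if absent."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None

def covers_hostname(cert, hostname):
    """True if a DNS subjectAltName equals hostname or is a wildcard for its parent."""
    host = hostname.lower().rstrip(".")
    parent = host.split(".", 1)[1] if "." in host else ""
    for kind, name in cert.get("subjectAltName", ()):
        if kind == "DNS" and name.lower() in (host, "*." + parent):
            return True
    return False

# Constructed sample: names and dates are illustrative, not a real certificate.
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),)),
    "notBefore": "Jul 02 10:00:00 2016 GMT",
    "notAfter": "Sep 30 10:00:00 2016 GMT",
    "subjectAltName": (("DNS", "example.org"), ("DNS", "*.example.org")),
}
```

Run it against a real host by passing the dict from ssl.SSLSocket.getpeercert() in place of SAMPLE_CERT; a status of "renew" with no auto-renewal configured is the situation the post describes.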

For the domains not hosted on my VPS, such as this one for my blog, I depend on my Dutch hosting provider (as I don’t have root access to install certificates myself, although I have full control over the domains, such as their DNS settings). Luckily they have recently started offering auto-renewing Let’s Encrypt certificates (link in Dutch) as a free service for each of the domains you host with them, because they recognize the importance of secure web traffic. All it took was opening a ticket with them, listing the domains I was requesting certificates for. Within two hours eleven certificates were created and installed.

So, from now on you can get my blogpostings from https://zylstra.org/blog.

this blog now with https

Wuala alpha
Wuala: From alpha in 2007, acquisition by LaCie in 2009, to being deadpooled 2015
(Image by Chris Messina, CC-BY-NC-SA)

Wuala, the Swiss cloud storage service, is closing down. You need to switch services by 30 September when Wuala will become read-only, and remove all your data by 15 November when Wuala will shut down. If you need to move and want an alternative that is end-to-end encrypted (and you should) then Wuala suggests another Switzerland based company, Tresorit.

Last year I briefly contemplated and tested Wuala when I wanted to get out of Dropbox (which is unencrypted and under US law). At the time I wrote:

“Wuala, incorporated in Switzerland, is owned by LaCie (incorporated in France) which in turn is owned by Seagate (incorporated in Ireland). Their data centers are geo-redundant and in France, Switzerland and Germany. Although that looks good on paper Seagate HQ is in the US, placing Seagate under the Patriot Act, and thus Wuala ultimately too. Wuala for the desktop requires Java, which is a bad thing. Their encryption and syncing however are a plus, as is the ability to work in teams.”

Wuala was my first two steps away from Dropbox, as it provided client side encryption removing most of the key privacy concerns:

For now I have started using Wuala, as it is at least two steps up from Dropbox because of its encryption and their data centers in Switzerland, Germany and France. Their service is not ‘patriot act proof’ (and they know it, judging by their consistently vague and indirect answers in support fora), but the encryption helps address that. Of course there is no real way to check their encryption either.

My Wuala use lasted all of 1 week. Then I switched to OwnCloud through an Austrian provider, OwnCube, and a month later I started running my own VPS with OwnCloud on it, removing me from using third party services except for the server itself. (I must say OwnCloud does not support end-to-end encryption yet, and uses server side encryption. Hoping to see that change in the future.)