On the importance of SSL in LEMP/LAMP environments

Ten years ago, SSL was viewed as a nicety provided by larger companies. Today, SSL/TLS adoption is largely viewed as a solved problem, with 96% of users' browsing time on Google Chrome spent on HTTPS websites. The rate of progress, spurred largely by the efforts of our sponsee Let's Encrypt, has been truly incredible.

SSL/TLS certificate statistics

As the stewards of a privacy-focused VPS platform, we at BitLaunch are very aware that there's always more work to be done in SSL/TLS configuration and education. At the time of writing, 28.7% of the internet's top 150,000 websites do not have adequate SSL security. Outdated protocols, low key-exchange strength, and poor configuration have all contributed to a landscape where various popular websites are more vulnerable than they need to be.

We're also acutely aware that such studies on SSL adoption stats primarily focus on indexed websites with meaningful content. According to some (mostly old) estimates, the unindexed web is up to 550 times greater than the indexed web. Out of all indexed pages, Ahrefs estimates that just 0.07% get more than 1000 visits per month.

The state of SSL on VPS servers

Our personal feeling as a VPS provider is that SSL/TLS often isn't the first priority for users who self-host applications. Those looking to create a TeamSpeak server, personal search engine, or personal cloud storage don't usually feel like paying for a domain or self-signing certificates to get HTTPS working. The same applies in the early stages of web development.

Certificates, however, are a core part of the security of any system accessed over the web. In an ideal world, they would be built into every public-facing application from the start rather than seen as an afterthought. With that in mind, it's worth going over what SSL/TLS is, why it's important, and how we've made it easier for you to launch a LEMP server with SSL.

Why is SSL/TLS important in LEMP/LAMP setups?

An SSL or TLS certificate allows a client to establish an encrypted channel to a web server and confirm that its identity is genuine. This encryption and authentication is integral to modern internet security. Without it, attackers snooping along the traffic's route may be able to perform man-in-the-middle attacks, as well as intercept passwords, messages, website content, and credit card details. In fact, standards such as PCI-DSS require websites processing card data to implement SSL to be compliant.

But this encryption doesn't just keep data safe from hackers — it helps to keep it private from internet service providers (ISPs) and intelligence services. While ISPs can see the domains you visit through your DNS requests, SSL/TLS is what prevents them from deciphering the specific pages you visit and the content on them. While this may seem like a minor distinction, it's potentially the difference between an ISP knowing that you visited the webpage of a messaging service and being able to read every message you sent and received.

Less crucially, enabling SSL on a site increases user trust and even search engine rankings to an extent. When users visit a site without SSL, their browser warns them that the site is not secure. This makes it more likely for users to leave the website again immediately (bounce). This, along with Google's own SSL ranking factors, causes websites without SSL to be pushed lower down in the results.

Join BitLaunch to create an Amsterdam VPS with LEMP + SSL in seconds.

LEMP + SSL with BitLaunch

At BitLaunch, we saw an opportunity to make SSL/TLS security even more user-friendly by building it into our existing one-click LEMP app. We already had a way to deploy Linux, Nginx, MySQL, and PHP, and were directing users to Let's Encrypt's certbot to issue SSL certificates. The LEMP + SSL app was about marrying these disparate scripts into an intuitive single-command tool that handles everything from deployment to configuration and renewal.

BitLaunch's LEMP with SSL app makes it trivial for anyone to set up and manage a web server protected by SSL. Building on certbot, our install-ssl script:

  • Generates a free, auto-renewing Let's Encrypt certificate using certbot
  • Automatically adds SSL to Nginx configuration files at /etc/sites-available/yourdomainname.site and enables HTTPS
  • Inserts a cron job to renew your certificates automatically
  • Restarts Nginx so your site immediately uses HTTPS

Crucially, our LEMP + SSL script avoids major vulnerabilities and configuration issues, scoring an A- on the Qualys SSL Labs test.

Not yet a BitLaunch customer? Get started with LEMP + SSL for free by talking to our support after sign up.

How to quickly set up LEMP with SSL on BitLaunch

Before you set up SSL/TLS with our tool, you'll need a domain. If you don't have a domain, buying one may be cheaper than you expect. An .xyz domain can be yours for just $2/year and is perfectly fine for self hosting.

Here's the step-by-step process to set up your web server using the LEMP + SSL app using your domain:

  1. Point your domain's name servers to BitLaunch in your registrar control panel (or add an A record to your server later).
  2. In your BitLaunch control panel, press "Create a Server". Choose BitLaunch as the host and select "LEMP" under the "Apps" tab. Enter a memorable name.
  3. In the "DNS" tab of your control panel, select your domain. With the A record selected, enter "@" for the hostname and select your server name in the "Points to" field. Press "Add record".
  4. While you wait for the DNS records to propagate, connect to your VPS server and update your packages with sudo apt update && sudo apt upgrade.
  5. Connect to your server via SSH and run install-ssl.

Self-signed certificates: what you need to know

An alternative to Let's Encrypt is using OpenSSL to create a self-signed certificate. These can even be created without a domain name. However, we do not recommend using self-signed certificates on your BitLaunch server or in production in general.

Self-signed certificates can save time and enable basic encryption between a client and web server. However, they aren't signed by a trusted certificate authority, and users therefore cannot use them to automatically validate the identity of your server. This lack of third-party validation increases the risk that malicious actors will be able to execute a man-in-the-middle attack by using their own self-signed certificate to impersonate your server. Adding to this, there's no practical way to revoke a compromised self-signed certificate should something go awry.

In general, then, we only recommend using self-signed certificates:

  1. For internal-only authentication
  2. For validation/experimentation in a test environment

Our advice? Just buy a cheap domain you can use with your VPS servers. It takes five minutes and only costs a few bucks.

The cost of bad SSL: The Equifax breach

We don't want to harp on forever about the dangers of poor or non-existent SSL, but it's worth highlighting a high-profile case to underline how it can play out in practice. Many of you will remember Equifax's huge breach that leaked the sensitive information of 143 million people. What you may not realize is the significant role SSL played in it.

While reporting focused on the main Apache vulnerability that led to the breach, the 300+ SSL certificates Equifax had failed to renew greatly exacerbated it. The expiry of the certificate for a monitoring tool that allowed Equifax to decrypt outbound traffic was particularly damaging. It enabled attackers to operate undetected for 76 days while they secretly exfiltrated records.

The eventual renewal of this certificate allowed Equifax's IT admins to notice the breach and act. Without the expiry, it's likely the attack would have been spotted within hours, potentially saving hundreds of millions of people from the threat of identity theft.

Moving forward with TLS/SSL

While our cron job will take care of renewal and Nginx configuration for you, SSL still isn't a set-and-forget feature. Going forward, there are a few things to keep in mind:

  • Consider enforcing HSTS. This forces all browsers to connect exclusively via HTTPS, even if a user manually enters http://. You can do so with the add_header Strict-Transport-Security directive in your Nginx config file.
  • Monitor your renewals. Our cron job will renew your certificate automatically, but it could still fail if your server is offline at the time of renewal or if there is another external issue.
  • Build your applications for HTTPS. You'll want to make sure that your web app doesn't have mixed HTTP and HTTPS content, or users will get a "partially insecure" warning. Load images, scripts, stylesheets etc. over HTTPS to avoid this.
  • Keep your server (and SSL version) updated. Doing so will ensure that known vulnerabilities are patched and the latest security features are used.
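As an added illustration (not the configuration BitLaunch's install-ssl script actually writes, which this post does not show), here is an Nginx site file that applies the HSTS directive from the first bullet together with an HTTP-to-HTTPS redirect and modern-protocols-only settings. The domain example.org is a placeholder, and the certificate paths under /etc/letsencrypt/live/ are assumed to be certbot's defaults.

```nginx
# Illustrative /etc/sites-available/example.org (added example, not BitLaunch's script output).
# Assumes the placeholder domain example.org and certbot's default certificate paths.

# Plain HTTP: keep the ACME challenge path reachable so certbot renewals keep
# working, and redirect everything else to HTTPS so no page is served in clear text.
server {
    listen 80;
    listen [::]:80;
    server_name example.org www.example.org;

    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.org www.example.org;

    ssl_certificate     /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;

    # Offer only TLS 1.2 and 1.3; TLS 1.0/1.1 are the "outdated protocols"
    # that cost sites points in the SSL Labs grading mentioned above.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # HSTS: a browser that has seen this header refuses plain HTTP to this host
    # for one year, even if the user types http://. "always" also sends it on
    # error responses. Use a short max-age until you have confirmed every
    # subdomain serves HTTPS, because browsers cache the policy.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root /var/www/html;
    index index.php index.html;
}
```

After editing, run nginx -t to validate the syntax before reloading, since a typo in this file takes the site offline rather than just weakening its TLS.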

BitLaunch customers who need help setting up, configuring, or updating their SSL can reach out to around-the-clock expert support via live chat. Not a BitLaunch customer? Sign up today and have your LEMP + SSL server up and running in minutes.