Lightspeed is excited to announce the release of free Automatic SSL™. Beginning today, we will configure and maintain SSL/TLS connections for free on websites and email hosted by Lightspeed. Moreover, we will configure every certificate as per the best practices advised by the Cyber Security Agency of Singapore (CSA) Internet Hygiene Portal. We commit to continue doing this in the future even as the best practices continue to evolve.
We believe that this takes all our customers one (big) step closer to that elusive IHP 100% Hall of Fame rating, as figuring out which ciphers to omit or include is more complex than anyone would like.
How does it work?
We will issue all customers with a free domain validation (DV) SSL certificate for email servers and websites they are hosting with Lightspeed. Unfortunately, Organisation Validation (OV) and Extended Validation (EV) certificates cannot be automated (yet!). Perhaps more importantly, these are unlikely to ever be free as the validation overhead is substantial.
In the email space, we support SSL not just for our servers (e.g. smtp.lspd.net) but also for your on-premises servers – those with both dedicated IPs and dedicated MX records (e.g. smtp.your-domain.com.sg).
In the website space, this notably includes origin sites – even if your CDN has an SSL cert, that only protects website traffic between the CDN and the website visitor. Having a certificate for the origin is equally important so that you can encrypt traffic between your origin and the CDN. This is often called “Full or Strict SSL mode” by CDN providers and provides a higher level of security than just the CDN’s certificate can.
Challenges
Whilst we try to think and behave like a startup, we’ve actually been securing websites, email and everything else for 25 years. To turn on SSL at our scale, we needed to ensure it wouldn’t overwhelm our servers. Why is this, you ask?
Well, providing content over HTTPS connections requires more CPU load than over HTTP. Likewise with SMTPS vs SMTP. The additional load varies depending on the particular cipher suite used – generally, the stronger the cipher, the more computationally expensive.
Solution
These challenges required us to limit SSL support to modern browsers on our Basic and Free Hosting tier. Modern browsers include support for ECDSA, whereas many legacy browsers do not. Modern browsers also support an extension to the SSL protocol called Server Name Indication (SNI). SNI sends the site name before encryption kicks in. The server then uses that site name to select the correct certificate (even though multiple sites share that IP).
Generally, if your browser is under 5 years old, it is modern enough and Automatic SSL will work for you. The two notable exclusions are a) Internet Explorer on Windows XP (or older) and b) Android pre-Ice Cream Sandwich.
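To make the SNI step above concrete, here is an added example (not Lightspeed's code) that reads the site name out of the first handshake message, the ClientHello, and returns nothing when a legacy client sends no SNI. The ClientHello bytes are constructed for the demonstration, and the function names `build_client_hello` and `extract_sni` are hypothetical.

```python
import struct

def build_client_hello(hostname=None):
    """Constructed sample: minimal TLS ClientHello record, with SNI if hostname is given."""
    exts = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        data = struct.pack("!H", len(entry)) + entry            # server_name_list
        ext = struct.pack("!HH", 0, len(data)) + data           # extension 0 = server_name
        exts = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + bytes(32)      # client version, 32-byte random (zeros here)
            + b"\x00"                    # empty session id
            + b"\x00\x02\xc0\x2b"        # one suite: ECDHE-ECDSA-AES128-GCM-SHA256
            + b"\x01\x00"                # one compression method: null
            + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body          # handshake type 1
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs    # record type 22

def extract_sni(record):
    """Return the hostname in a complete ClientHello record, or None if no SNI was sent."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + int.from_bytes(record[3:5], "big")]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    try:
        pos = 4 + 2 + 32                                        # header, version, random
        pos += 1 + hs[pos]                                      # session id
        pos += 2 + int.from_bytes(hs[pos:pos + 2], "big")       # cipher suites
        pos += 1 + hs[pos]                                      # compression methods
    except IndexError:
        raise ValueError("truncated ClientHello") from None
    if pos + 2 > len(hs):
        return None                                             # no extensions block
    end = min(len(hs), pos + 2 + int.from_bytes(hs[pos:pos + 2], "big"))
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if ext_type == 0:                                       # server_name
            name_len = int.from_bytes(hs[pos + 3:pos + 5], "big")
            return hs[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None

if __name__ == "__main__":
    modern = build_client_hello("smtp.your-domain.com.sg")
    print(extract_sni(modern), b"smtp.your-domain.com.sg" in modern)
    print(extract_sni(build_client_hello()))
```

Because the hostname travels unencrypted in this message, a server on a shared IP can pick the certificate before any keys exist; a client that omits the extension gives the server nothing to choose by.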
Stronger and Faster
For our Basic and Free tiers, we use ciphers based on ECDSA, which are both stronger and faster than RSA. However, not everyone is ready to abandon RSA, as there are older devices that may never support ECDSA. Lightspeed commits to continue supporting legacy browsers (at minimal cost) on our Priority and Enterprise plans.
Conclusion
We hope you find these changes beneficial. We certainly have thought long and hard about how to make this possible at a low cost (mostly FREE!). This is so we can simplify encryption to afford smaller businesses, non-profits and even individuals access to security best practices.