Let’s Encrypt Vs Premium SSL : An Insightful Comparison

Back in 2014, Google announced that websites served over HTTPS would receive a ranking boost, alongside its call for ‘HTTPS everywhere’. The announcement caused plenty of controversy among web developers and website owners. Some welcomed it, agreeing that universal HTTPS makes the internet a safer place; others considered the initiative unnecessary, complicated and expensive. A further objection was that sites would have to be reworked to serve everything over HTTPS, and that owners would have to pay for SSL certificates they had not needed before.

At the time, few expected HTTPS to take over the web so quickly, and many dismissed Google’s decision. Yet here we are in 2017, with Chrome marking non-HTTPS pages that ask for passwords or credit card details as ‘Not secure’. That makes the initiative hard to ignore: an HTTPS website is now effectively mandatory, especially if you accept payments online.

To comply with Google’s standards and avoid having your website flagged as ‘Not secure’, make sure every page of the site is served over HTTPS. Other browsers have followed suit and now warn users about whether the site they are viewing is safe or not.

The most important fact to be aware of is that it is not enough to simply enable HTTPS on your domain. Every element of each page must also be loaded over HTTPS, including images, CSS files and JavaScript. Otherwise the browser reports mixed content: active content such as scripts is blocked outright, and passive content such as images downgrades the page’s security indicator.

Audit your site’s code for third-party services such as analytics and social plugins, and make sure each one is embedded with an https:// (or protocol-relative //) URL rather than a plain http:// one.
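The following is an added example, not code from the original article. It performs the mixed-content audit the last two paragraphs describe, offline: it parses an HTML page served from an https:// URL and lists every sub-resource reference (script, stylesheet, image, frame, media, form action) that would be loaded over plain http://. SAMPLE_PAGE and the www.example.com page URL are constructed for the demo; to audit a real site, fetch its HTML yourself and pass it to find_mixed_content().

```python
"""Offline mixed-content check for an HTML page served over HTTPS.

Added example, not from the original article. SAMPLE_PAGE and the
https://www.example.com/ page URL are constructed for the demo.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Element attributes that make the browser fetch (or submit to) another URL.
URL_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "img": ("src", "srcset"),
    "iframe": ("src",),
    "audio": ("src",),
    "video": ("src", "poster"),
    "source": ("src", "srcset"),
    "object": ("data",),
    "embed": ("src",),
    # Not mixed content in the strict sense, but browsers flag an https page
    # whose form submits to an http:// target, so it is worth reporting too.
    "form": ("action",),
}


def _srcset_urls(value):
    """srcset is 'url [descriptor], url [descriptor], ...'; keep only the URLs."""
    urls = []
    for candidate in value.split(","):
        parts = candidate.split()
        if parts:
            urls.append(parts[0])
    return urls


class _RefCollector(HTMLParser):
    """Collects (tag, attribute, absolute URL) for every resource reference."""

    def __init__(self, page_url):
        super().__init__()
        self.base_url = page_url
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # <base href> changes how relative URLs on the page resolve.
        if tag == "base" and attrs.get("href"):
            self.base_url = urljoin(self.base_url, attrs["href"])
            return
        for name in URL_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            urls = _srcset_urls(value) if name == "srcset" else [value]
            for url in urls:
                # urljoin resolves "/x.css" and "//cdn/x.js" against the
                # https:// page URL, so only an explicit http:// survives.
                self.refs.append((tag, name, urljoin(self.base_url, url)))


def find_mixed_content(html, page_url):
    """Return [(tag, attr, url)] for references that would load over http://."""
    collector = _RefCollector(page_url)
    collector.feed(html)
    return [ref for ref in collector.refs if urlsplit(ref[2]).scheme == "http"]


# Constructed sample page: three clean references and four insecure ones.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="http://cdn.example.net/analytics.js"></script>
<script src="//cdn.example.net/jquery.js"></script>
</head><body>
<img src="http://img.example.net/logo.png">
<img srcset="/a.png 1x, http://img.example.net/a@2x.png 2x">
<form action="http://login.example.com/submit"><input name="u"></form>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_PAGE, "https://www.example.com/"):
        print(f"insecure <{tag} {attr}>: {url}")
```

The check is deliberately static: it catches references written into the HTML, including a <base href> that silently downgrades every relative URL, but it cannot see resources that scripts inject at runtime. For those, the browser’s developer console or a Content-Security-Policy report-only header with upgrade-insecure-requests is the complementary check.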

What Is ‘Let’s Encrypt’? And what makes it different from a traditional Certificate Authority?

Let’s Encrypt is a free, automated and open certificate authority (CA) run for the public’s benefit by the Internet Security Research Group (ISRG). The ‘free’ part is attractive, but you should understand the other implications of using ‘Let’s Encrypt’ before relying on it.

Let’s Encrypt works from a simple principle: it supports universal HTTPS and wants certificates to be available to every website owner. Because it runs as a non-profit with limited resources, it concentrates on its core goal, an easy and fully automated issuance process. It does not provide end-user support for generating or renewing certificates (help comes from its community forum instead); given the nature of the initiative, that is understandable.

Let’s Encrypt is still a comparatively young service. It left beta in April 2016, so it does not yet have the track record of a long-established certificate authority. One consequence is that it lacks an extremely important property the traditional CAs have: ubiquity. Every browser and operating system ships a root store, a list of approved or trusted certificate authorities together with their root certificates. A root certificate signs the intermediate certificates, which in turn sign the certificates issued to websites, so a certificate is only trusted if its chain leads back to a root present in that store. Being in every root store is therefore essential for a certificate authority.

Put another way, because Let’s Encrypt’s own root (ISRG Root X1) is new, it is not yet present in every trust store, particularly in browsers, operating systems and devices released before that root existed. This is why Let’s Encrypt had IdenTrust, a certificate authority already trusted by the major browsers, cross-sign its intermediate certificates. The cross-signature removes most browser warnings, but some compatibility issues remain; they are discussed further on in this article.

On the positive side, Let’s Encrypt issues from its own root and intermediate certificates, and according to its website the corresponding private keys are stored in hardware security modules (HSMs), which keep them non-exportable and out of reach of an attacker who compromises the issuing servers.

Benefits And Limitations Of Let’s Encrypt

Speed Of Issuance

Because Let’s Encrypt certificates are free and issuance is fully automated, certificates are generated very quickly, often almost instantly. Validation is performed automatically by ACME client software talking to the Let’s Encrypt ACME server. A user can have a valid certificate live on their domain within seconds to a few minutes.

With a traditional certificate authority, the user must first place an SSL order, either directly with the CA or through a reseller, and then complete the validation steps manually. Depending on the type of certificate purchased, validation can take anywhere from a few hours to several days.

Validation / Visitor Trust Level

Let’s Encrypt offers only Domain Validated certificates: basic single-name or SAN (multi-domain) DCV SSL certificates. It has stated that it has no plans to offer ‘Organization Validated’ or ‘Extended Validation’ certificates.

DCV stands for ‘Domain Control Validation’. The only thing checked before the certificate is issued is that the requester controls the domain, which is proven either by serving a CA-supplied token at http://<domain>/.well-known/acme-challenge/<token> or by adding a specific TXT record at _acme-challenge.<domain> in the domain’s DNS zone. Because that is all that is checked, anyone can obtain a trusted SSL certificate, including malicious organizations, and this raises questions about what HTTPS actually tells a visitor. Malicious operators will not miss the opportunity to use the HTTPS padlock, which users worldwide associate with web security, to pass as ‘genuine’ businesses.
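The following is an added example, not code from the original article or from Let’s Encrypt’s own software. It shows exactly what the automated validation described under ‘Speed Of Issuance’ checks: the ACME client computes the two values it must publish for the http-01 and dns-01 challenges (RFC 8555 sections 8.3 and 8.4, RFC 7638 for the key thumbprint), and the CA side recomputes them from the account key it already holds and compares. DEMO_JWK (with a made-up modulus), OTHER_JWK, DEMO_TOKEN and the domain example.test are all constructed for the demo. Nothing in the exchange involves the identity of the requester; only control of the domain is proven, which is the point the paragraph above makes.

```python
"""What an ACME domain-control check (Let's Encrypt's DCV) actually verifies.

Added example, not Let's Encrypt's code. DEMO_JWK, OTHER_JWK, DEMO_TOKEN
and the domain example.test are constructed for the demo.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required JWK members only, in lexicographic
    order, serialised as compact JSON with no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """http-01: the body the client serves at
    http://<domain>/.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """dns-01: the TXT value the client publishes at _acme-challenge.<domain>."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


# ---- CA side: this is the whole check ----------------------------------

def ca_verifies_http01(domain: str, token: str, account_jwk: dict, fetch) -> bool:
    """fetch(url) stands in for the CA's plain-HTTP request to the domain."""
    body = fetch(f"http://{domain}/.well-known/acme-challenge/{token}")
    return body is not None and body.strip() == key_authorization(token, account_jwk)


def ca_verifies_dns01(domain: str, token: str, account_jwk: dict, lookup_txt) -> bool:
    """lookup_txt(name) stands in for the CA's DNS TXT query."""
    return dns01_txt_value(token, account_jwk) in lookup_txt(f"_acme-challenge.{domain}")


# ---- Constructed demo data (not real keys or tokens) -------------------

DEMO_JWK = {"kty": "RSA", "e": "AQAB", "n": "demo-modulus-not-a-real-key"}
OTHER_JWK = {"kty": "RSA", "e": "AQAB", "n": "a-different-account-key"}
DEMO_TOKEN = "demo-token-5ZwPzvuH"   # made-up value in the token's character set
DOMAIN = "example.test"


def run_demo() -> dict:
    """Simulate the web root and DNS zone of example.test, then run both checks
    once with the right account key and once with a different one."""
    web_root = {f"http://{DOMAIN}/.well-known/acme-challenge/{DEMO_TOKEN}":
                key_authorization(DEMO_TOKEN, DEMO_JWK)}
    zone = {f"_acme-challenge.{DOMAIN}": [dns01_txt_value(DEMO_TOKEN, DEMO_JWK)]}
    lookup = lambda name: zone.get(name, [])
    return {
        "http01_ok": ca_verifies_http01(DOMAIN, DEMO_TOKEN, DEMO_JWK, web_root.get),
        "http01_wrong_key": ca_verifies_http01(DOMAIN, DEMO_TOKEN, OTHER_JWK, web_root.get),
        "dns01_ok": ca_verifies_dns01(DOMAIN, DEMO_TOKEN, DEMO_JWK, lookup),
        "dns01_wrong_key": ca_verifies_dns01(DOMAIN, DEMO_TOKEN, OTHER_JWK, lookup),
    }


if __name__ == "__main__":
    print(run_demo())
```

Binding the token to the account key’s thumbprint is what stops a third party who can see the published value from reusing it for their own ACME account. It does nothing to establish who that account belongs to; the certificate that results says only that its holder controlled example.test at the time of the check.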

Easy, free access to trusted SSL certificates dilutes what HTTPS signals and makes less informed users easier to trick: the padlock proves that the connection is encrypted to whoever controls the domain, not that the domain belongs to a reputable business. How are visitors to tell a genuine, respectable business from a phishing website? This is where ‘Organization Validated’ (OV) and ‘Extended Validation’ (EV) certificates come into the picture. Their validation goes further: in addition to the DCV step, the business must prove its legitimacy, for example with proof of incorporation or other documents showing that it exists as a bona fide trading entity. For Extended Validation certificates the process goes deeper still: the certificate authority carries out independent checks to confirm that the information provided by the requester matches what is held in public registers.

Organization Validated and Extended Validation certificates therefore always carry some details about the website owner, in proportion to the level of validation, and browsers display this information to visitors. For instance, you may have seen a green address bar showing the company name; that green bar noticeably increases user trust. OV/EV SSL certificates also come with branded website seals that further raise user confidence.

Browser Compatibility

As stated earlier, Let’s Encrypt certificates are not compatible with every client. Because the CA is still new, some older browsers, operating systems and devices do not carry its root, or the IdenTrust root that cross-signs it, in their trust stores. Let’s Encrypt publishes a list of known incompatibilities; at the time of writing it reads as follows (the Comodo version notes are the minimum versions supported by that CA, for comparison):

Possibly Incompatible:

  • Sony PS3 and PS4 game consoles

Known Incompatible:

  • Blackberry < v10.3.3 (Comodo support 4.3.0+)
  • Android < v2.3.6 (Comodo 1.5+)
  • Nintendo 3DS
  • Windows XP prior to SP3 (cannot handle SHA-2 signed certificates)
  • Java 7 < 7u111
  • Java 8 < 8u101

In practical terms, most website owners will find that Let’s Encrypt works on the devices the great majority of their visitors use. A separate caveat is SNI (Server Name Indication): if you host several HTTPS sites on one IP address, the server relies on SNI to choose the right certificate, and very old clients such as Android 2.x and Internet Explorer on Windows XP do not send it. That limitation applies whichever CA issued the certificate, so if your visitors still use such old operating systems, browsers or mobile devices, there is a chance of problems either way.

Purchasing a premium SSL certificate from an established certificate authority generally avoids the root-store compatibility issues. An established CA’s root has been recognized and trusted by the major software and hardware combinations for years, not just today but in the past as well, which means even older devices that are still in use work as expected.
