Website encryption has picked up speed recently, with over 50% of all websites now using SSL certificates. A big portion of these come from Let’s Encrypt, a free alternative to SSL certificates as we know them. Looking at the growth rates, it seems companies like Comodo or Symantec are facing fierce competition.
Well, the answer is yes and no.
Let’s look at the benefits of Let’s Encrypt.
Ease of use:
While a lot of the tools are still in beta, installing an SSL certificate from Let’s Encrypt is terribly easy. Bamboozle now offers Let’s Encrypt on all of its shared hosting platforms, where clients have nothing else to do than click a button and select the domains they want to protect. The complicated combination of handling various files, renaming them, adding lines to the web server configuration and setting rewrite rules simply does not apply. On any server, too, a simple download and a short assistant do the rest.
Most SSL certificates are valid for a year. You might know that because it is usually that one forgotten server or website whose certificate expired a day ago, and your clients get the warning messages in their browser. And with most SSL certificates, renewing means going through the same pain again as when you ordered it. Let’s Encrypt certificates are valid for only 3 months, but, like on realWeb, most tools support automatic renewals right before they expire. This brings us two benefits. First, we do not have to remind ourselves every time to renew a certificate, go through the validation process and install it; it simply gets renewed. Second, this allows using newer certificates every 3 months. SSL certificates often get revoked because keys get stolen or other errors happen. With shorter upgrade cycles you can be sure all is fine. The upgrade scripts also update the web server, so potentially outdated ciphers etc. get replaced.
So what’s the downside?
Well, Let’s Encrypt is Domain Validation only. That means nobody checks whether your company name or your address is correct; it simply checks whether the web server you are trying to install the SSL certificate on has the correct DNS records. And you don’t get the green bar with your company name on it. But frankly, this is more a marketing decision than actual security, since the idea of an SSL certificate is to encrypt traffic between a client and the server, which Let’s Encrypt does the same way any expensive SSL certificate does. And the green bar tends to get smaller and smaller. Also note that while Google does now favor encrypted sites over the ones without SSL, it does not give you better SEO scores the more expensive the SSL certificate is.
Now you can say that this might allow attacks where people emulate the DNS records of a domain and pretend they are someone else. Let’s Encrypt is quite clever in its validation process and also checks Reverse DNS records or PTRs, which are nearly impossible to fake since they are bound to the owner of the server IPs. And frankly, if your DNS were hacked or changed, the attacker could easily forward mails and use another certificate.
The fact is that Let’s Encrypt has made the web a safer place, and companies like us that support this standard will help secure the web even more. As for commercial certificates: while Domain Validated certificates are definitely outdated, since they bring far less value than Let’s Encrypt at a hefty price point, large eCommerce shops might still rely on commercial Extended Validation. But for the rest of us, Let’s Encrypt is the right choice.
Learn more about Let’s Encrypt here.