Is the Free SSL Certificate from Let’s Encrypt Safe?

Is the Free SSL Certificate from Let’s Encrypt Safe? Short answer? Yes!

Every day visitors share sensitive information with many different websites. Details as important as your credit card number and bank credentials are entered. If the connection between the website and the visitor is not encrypted, then this information can be spoofed or spied on. That is where SSL comes in.

There are millions of websites, which ask you to register, and provide personal details to access them or even enter your email for a newsletter subscription. Most of the web uses HTTP protocol for the connection, which can be tapped into by hackers.

If you are a website owner, you may know the importance of an SSL Certificate. Inevitably, to migrate from HTTP to HTTPS protocol, you must get SSL certificate for website. There are many advantages to doing this. To make this transition, you need an SSL certificate from a certified authority.

For many years, these certificates cost money. In order to get one, you mostly needed to be on a Virtual Private Server (VPS) or Dedicated Hosting.

However, there is a new authority in the market, which aims to provide SSL certificates for free to everyone. Yes! I am talking about the Let’s Encrypt SSL.

Unfortunately, there are many misunderstandings and questions about this new service which I intend to address today. In this post, you will learn about what is an SSL, why you need it, how Let’s Encrypt works and why you should trust their free SSL certificate.

What Is an SSL Certificate?

SSL (Secure Sockets Layer) is the standard encryption technology, which establishes a secure connection between a web browser and the server. This ensures that all the data which passed during the connection remains private and encrypted. SSL is used by millions of websites to protect the sensitive information entered by visitors.

How to Implement SSL?

To implement SSL, you’ll need an SSL Certificate. These typically contain your name, domain name, company name, and address. SSL certificates have an expiration, issuance date, and details of the Certificate Authority which issues them. Every such certificate is unique, and assigned to a particular IP address. That is why you mostly need a dedicated IP address, VPS, or dedicated hosting to be able to use it.

How does SSL Work?

When a web browser tries to connect to a secure website, it checks to see if the certificate is expired or not. Before the connection is made, the browser verifies that the Certificate Authority is trusted and is valid. The data is secured and encrypted from prying eyes for as long as the certificate is active. Sites that use SSL have their URLs start with https, and a green padlock is placed beside the domain name by most of the latest browsers to help visitors trust the site.

What’s the Difference Between SSL and TLS Protocols 

It takes time to make sense of the Internet security jargon. Besides SSL, you’ll also hear the term TLS a lot while searching for the best security certificate for your websites. 

Transport Layer Security (TLS) is a safer and more recent version of SSL. These terms are often used interchangeably, but there are a few crucial differences between them. 

• SSL utilizes the Fortezza cipher suite, while TLS relies on IDEA or RC4 cipher suites 
• TLS protocol uses a hash-based message authentication code (HMAC), and SSL authenticates messages with the message authentication code (MAC)
• SSL and TLS protocols send different alert messages 

These differences are highly technical but can still play an important role when choosing the site’s security certificate. Most importantly, Let’s Encrypt offers both protocol types for free!

What Is Let’s Encrypt?

Let’s Encrypt has gained a lot of popularity recently. It provides free SSL certificates to website owners. Previously, the only way of encrypting your website was through a paid SSL certificate, except there were a few services that provided free shared SSL, but Let’s Encrypt is quite different. With the advent of Let’s Encrypt, you can now get a dedicated, free certificate for your website.

Let’s Encrypt is a certificate authority being run for the benefit of the public. It is supported by the Internet Security Research Group (ISRG), which is a California public benefit organization. It is a certified authority and can issue SSL certificates.

It is an open-source project, which aims to encrypt more websites on the internet. It protects the personal and sensitive information that a user enters. eCommerce, social networks, forums, and any website that receives sensitive information from visitors can benefit from this new idea.

How Let’s Encrypt Works?

Let’s Encrypt is all about automation. For a long time, encrypting a website and managing HTTPS status was a huge pain. You have to get a CSR, verify domain ownership to the certificate authority, buy a certificate, install and configure the server to use it. It is a tremendously complicated process, especially for old websites. Then comes Let’s Encrypt which provides certificates for free.

This CA only offers Domain Validation SSL/TLS certificates suitable for blogs or similar sites with low security requirements. 

Obtaining a Let’s Encrypt DV certificate will ensure that the data of your site’s visitors can’t be hacked. 

However, you’ll need an Organization Validation (OV) certificate if you’re selling products on your website. This type of SSL certificate is only issued to companies, and you cannot obtain them as an individual. 

Consequently, Let’s Encrypt is only a good option if you’re running a site that doesn’t feature email sign-up forms or store visitors’ credit card details. 

The CA issues DV certificates because it cannot automate insurance for OV and EV SSL/TLS certificates.

The goal of Let’s Encrypt is simple: Automate the issuance and renewal of SSL certificates.

How does it do that?

Let’s Encrypt provides an API where you can apply for a certificate, and get a free SSL certificate WordPress website.. Before submitting your application, you must first prove that you own or control the domain. 

Hence, you must install the ACME Protocol software on your web host and use it to verify you control the domain. You should also check if you have Shell Access to the server. 

SSH or (Secure SHell) is command line access that gives you access to a server, and enables you to acquire an SSL certificate without a cPanel.

So, here’s how obtaining an SSL certificate from Let’s Encrypt will look like if you have Shell Access. 

The CA recommends using Certbot ACME client to obtain its free SSL/TLS certificate. The tool automatically issues and installs SSL certificates, but it also features Expert Mode, which allows you to configure settings manually. 

Just install Certbot on your server, enter a few commands, and you get a free SSL certificate. This is the manual process, and it requires familiarity with SSH commands.

Over twenty hosts, including WordPress and Squarespace, support Let’s Encrypt and redirect from HTTP to HTTPS, automatically enabling you to generate a certificate directly through cPanel.

Siteground is among the hosts that allow you to get a free SSL certificate from Let’s Encrypt without Shell Access to the server (even if you are on a shared hosting environment). Everything is wrapped in a nice looking user interface hence making it easier for users to protect their data.

How Credible Is It?

In any industry, there is a standard way of doing things. The traditional way of getting an SSL certificate was to buy one, and renew it after every 12-months. Suffice to say. Companies made tons of money through this paid SSL business.

The free SSL certificates by Let’s Encrypt have put a great impact on the successfully running businesses. Free SSL is available to anyone who wants to get SSL certificate for website. Renewals are free too. Let’s Encrypt is run by a public benefit organization.

Since Let’s Encrypt poses a threat to the paid SSL businesses, some folks are kind of running an anti-marketing campaign against Let’s Encrypt. People looking to incorporate SSL in their websites are being misled into believing that the free certificates are somehow buggy and insecure. That is complete misinformation.

Still, you shouldn’t forget that DV certificates issued by Let’s Encrypt are considered entry-level as they’re obtained through the one-step domain verification process. 

However, this doesn’t mean Let’s Encrypt’s SSL/TLS certificates are unsafe, but rather that they’re only suitable for blogs or similar websites that don’t collect sensitive information from their visitors.

The resulting encryption by an SSL certificate depends entirely on your certificate & SSL/TLS configuration and does not depend on the Certificate Authority (i.e. Let’s Encrypt). As the official LE client creates 2048-bit certificates, I can say these are pretty much secure! Everything else depends on your config. On the other hand, Let’s Encrypt certificates are more transparent and auditable.

The question here is that of the credibility of Let’s Encrypt. Is it a trustworthy way of getting SSL certificates?

Do you know that Let’s Encrypt makes no money out of offering free SSL certificates? It is also an organization that relies on donations for its operations. The fact that this initiative is backed by companies like Automattic, Sucuri, Mozilla, Google, and Facebook, says plenty about the authenticity too!

What’s more, dozens of industry-leading web hosting services support Let’s Encrypt’s SSL/TLS certificates which speaks volumes about their credibility. 

CA’s certificates are valid for 90 days, which contributes to their safety as a short lifespan minimizes the risk of mis-issuance or compromising the key. 

Also, all certificates are updated automatically after 60 days, so there’s no need to handle certificate renewals manually.

A Few Confusions About Let’s Encrypt / FAQ About LE

Any company coming up with a non-traditional route of operations springs many questions. Several queries need to be addressed for misunderstandings and myths to be busted. Here are some frequently asked questions about Let’s Encrypt:

• Is Let’s Encrypt completely free? Yes, all Let’s Encrypt is completely free. There are no hidden charges. If you are on Siteground, you can get your free SSL certificate WordPress certificate within 5 minutes.
• What about renewals? Traditional SSL certificates have a validation period of 12 months. However, SSL certificates from Let’s Encrypt expire every 90-days cycle. Don’t worry, though. The supported hosts let you renew automatically or with a one-click process. Mostly, these free SSL certificate WordPress renewals are automatic.
• Is this initiative authentic? Yes, absolutely. The organization behind the initiative is recognized by the IRS itself. Let’s Encrypt is a certified authority to issue certificates.
• Can I generate multiple free certificates? Absolutely, yes! You can get multiple SSL certificates for websites!

Let’s Encrypt is designed to help against a range of attacks and to push the generalization of TLS usage to have a globally safer and more private internet. It is aimed more precisely at removing technical and financial constraints which may prevent some webmasters from using TLS certificates more broadly.

What is an SSL Certificate?

Simply put, an SSL/TLS certificate is a protocol that encrypts the link between the server and the web browser. Its purpose is to protect all data a site acquires from its visitors, and prevent hackers from accessing it.

Certificates utilize a variety of algorithms to encrypt data traveling between the server, the website, and the visitor. The level of protection an SSL certificate provides depends on its type, validation method, and configuration. 

Besides DV, OV, and EV certificates, you may also encounter wildcard, multi-domain, and unified communications SSL certificates.  Each type utilizes a different validation process. 

How to Get a Free SSL Certificate 

Obtaining a free domain validated SSL certificate is usually a straightforward process that takes minutes to complete. Website owners must prove they’re controlling a domain for which they’re acquiring the certificate. 

The easiest way to do this is through the cPanel. Here’s what you need to do:

• Ensure all WHOIS data is accurate
• Choose the Certificate Authority (CA), and check if it’s compatible with your web-hosting service
• Log in to the cPanel once the CA sends you the SSL certificate details
• Go to SSL/TSL Manager, and locate the Security menu
• Choose the domain, and insert Certificate Authority Bundle, Private Key, and CRT information into the corresponding fields. 
• Click ‘Install Certificate’

Are Free SSL Certificates Safe?

Most free SSL certificates are of the DV (domain validated) variety. These SSL certificates utilize 256-bit encryption, and are compatible with all common web browsers. 

CAs usually check the admin’s email and information provided by the domain registrar when issuing DV SSL certificates. They’re best suited for websites that don’t utilize online payments or collect visitors’ data. 

Even so, all CAs issue safe free SSL certificates that protect sensitive data, but the level of security such certificates can offer largely depends on their configuration.

Should You Buy an SSL Certificate or Use Let’s Encrypt?

Should you get SSL certificate for website, and buy or renew it yearly? Or, should you take advantage of the free certificates?

Technically speaking, there is no difference between a basic domain level paid and a free certificate. Except for the certificate issuing authority, there is no other difference. In a nutshell, both certificates are the same and come from an authorized entity. There is no reason not to trust Let’s Encrypt with its initiative.

Paid domain level certificates cost $50-60 /year, which you have to pay yearly for renewals. Whereas, Let’s Encrypt certificates are free, and renewals are free too! There are many other benefits of the free initiative too. E.g.

• It is easy to manage.
• The certificates are compatible with major browsers.
• You can generate multiple free certificates.
• It comes built-in with many web hosts.

But, if you are going for an organization or extended validation SSL certificates, which are pretty expensive, then it’s a good idea to find paid SSL CAs.

Conclusion

So, is it really safe? Yes! As the official LE client creates 2048-bit certificates, and you can also generate 4096-bit certificates (To do this, run letsencrypt-auto with this flag: --rsa-key-size 4096).

LetsEncrypt has come roaring, out of beta, with new sponsors. A lot of these companies are banking on the success of Let’s Encrypt. They have grown to be the third largest Certificate Authority in the world. A lot of people have begun to trust them, and are seeking free SSL certificate WordPress websites. They currently have 1.93 million unexpired certificates in the wild, making them one of the largest Certificate Authorities in the world.

As a website owner, you have a big responsibility of keeping the privacy of your visitors intact. Enabling SSL encryption on your website through free WordPress SSL Certificate is a good start and prevents the interception of submitted information by hackers. In the past, many people dreaded encrypting their websites because it was expensive and difficult. Let’s Encrypt made it easy and free for whoever wants it!

What do you think of free SSL certificates? Is there any confusion, or further questions you have? If so, post a comment below.