Is the Free SSL Certificate from Let's Encrypt Safe? Short answer? Yes!
Every day, visitors share sensitive information with many different websites. Details as important as credit card numbers and bank credentials are entered. If the connection between the website and the visitor is not encrypted, this information can be spoofed or spied on. That is where SSL comes in.
There are millions of websites that ask you to register and provide personal details to access them, or even just to enter your email for a newsletter subscription. Most of the web uses the HTTP protocol for the connection, which can be tapped into by hackers.
If you are a website owner, you may know the importance of an SSL certificate. Basically, you should migrate from the HTTP protocol to HTTPS. There are many advantages to doing this. To make the transition, you need an SSL certificate from a certificate authority.
For many years, these certificates cost money. In order to get one, you mostly needed to be on a Virtual Private Server (VPS) or Dedicated Hosting.
However, there is a new authority in the market which aims to provide SSL certificates to everyone for free. Yes! I am talking about Let's Encrypt.
Unfortunately, there are many misunderstandings and questions about this new service, which I intend to address today. In this post, you will learn what an SSL certificate is, why you need it, how Let's Encrypt works and why you should trust its free SSL certificates.
What Is an SSL Certificate?
SSL (Secure Sockets Layer) is the standard encryption technology that establishes a secure connection between a web browser and a server. It ensures that all the data passed during the connection remains private and encrypted. SSL is used by millions of websites to protect the sensitive information entered by visitors.
How to Implement SSL?
To implement SSL, you'll need an SSL certificate. These typically contain your name, domain name, company name, and address. SSL certificates also carry an issuance date, an expiration date, and details of the Certificate Authority that issued them. Every such certificate is unique and assigned to a particular IP address. That is why you mostly need a dedicated IP address, a VPS or dedicated hosting to be able to use one.
How Does SSL Work?
When a web browser tries to connect to a secure website, it checks whether the certificate has expired. Before the connection is made, the browser also verifies that the certificate is valid and that the Certificate Authority is trusted. The data is secured and encrypted from prying eyes for as long as the certificate is active. Sites that use SSL have URLs starting with https, and most current browsers place a green padlock beside the domain name to help visitors trust the site.
What Is Let's Encrypt?
Let's Encrypt has gained a lot of popularity recently. It provides free SSL certificates to website owners. Previously, the only way of encrypting your website was through a paid SSL certificate, apart from a few services that provided free shared SSL; Let's Encrypt is different. With the advent of Let's Encrypt, you can now get a dedicated certificate for your website for free.
Let's Encrypt is a certificate authority being run for the benefit of the public. It is supported by the Internet Security Research Group (ISRG), which is a California public benefit organization. It is a certified authority and can issue SSL certificates.
It is an open source project which aims to encrypt more of the websites on the internet. It protects the personal and sensitive information that a user enters. eCommerce sites, social networks, forums and any other website that receives sensitive information from visitors can benefit from this new idea.
How Does Let's Encrypt Work?
Let's Encrypt is all about automation. For a long time, encrypting a website and managing its HTTPS status was a huge pain. You had to generate a CSR, verify domain ownership to the certificate authority, buy a certificate, install it and configure the server to use it. It is a tremendously complicated process, especially for old websites. Then came Let's Encrypt, which provides certificates for free.
The goal of Let's Encrypt is simple: Automate the issuance and renewal of SSL certificates.
How does it do that?
Let's Encrypt provides an API through which you can apply for a certificate and get one. It employs a command line client called Certbot to obtain certificates. Just install Certbot on your server, enter a few commands, and you get a free SSL certificate. This is the manual process, and it requires familiarity with the command line.
Several hosts provide built-in integration of Let's Encrypt, and you can generate a certificate directly through cPanel as well.
Siteground is one of the hosts from which you can get a free SSL certificate from Let's Encrypt (even if you are on a shared hosting environment). Everything is wrapped in a nice looking user interface, making it easier for users to protect their data.
How Credible Is It?
In any industry, there is a standard way of doing things. The traditional way of getting an SSL certificate was to buy one and renew it every 12 months. Suffice it to say, companies made tons of money through this paid SSL business.
The free SSL certificates from Let's Encrypt have had a great impact on these established businesses. Free SSL is available to anyone who wants it. Renewals are free too. And Let's Encrypt is run by a public benefit organization.
Since Let's Encrypt poses a threat to the paid SSL businesses, some folks are kinda running an anti-marketing campaign against it. People looking to incorporate SSL in their websites are being misled into believing that the free certificates are somehow buggy and insecure. That is complete misinformation.
The strength of the encryption you get from an SSL certificate depends entirely on your certificate and your SSL/TLS configuration; it does not depend on the Certificate Authority (i.e. Let's Encrypt). As the official LE client creates 2048-bit certificates, I can say these are secure. Everything else depends on your configuration. Moreover, Let's Encrypt certificates are more transparent and auditable.
The question here is that of the credibility of Let's Encrypt. Is it a trustworthy way of getting SSL certificates?
Did you know that Let's Encrypt makes no money from offering free SSL certificates? It is an organization that relies on donations for its operations. The fact that this initiative is backed by companies like Automattic, Sucuri, Mozilla, Google and Facebook says plenty about its authenticity too.
A Few Confusions About Let's Encrypt / FAQ About LE
Any company taking a non-traditional route springs many questions. Several queries need to be addressed for misunderstandings to be cleared up and myths to be busted. Here are some frequently asked questions about Let's Encrypt:
- Is Let's Encrypt completely free? Yes, everything Let's Encrypt offers is completely free. There are no hidden charges. If you are on Siteground, you can get your certificate within 5 minutes.
- What about renewals? Traditional SSL certificates have a validity period of 12 months. SSL certificates from Let's Encrypt, however, expire on a 90-day cycle. Don't worry, though. The supported hosts let you renew with a one-click process, and mostly these renewals are automatic.
- Is this initiative authentic? Yes, absolutely. The organization behind the initiative is recognized by the IRS itself. Let's Encrypt is a certificate authority certified to issue certificates.
- Can I generate multiple free certificates? Absolutely, yes!
Let's Encrypt is designed to help against a range of attacks and to push for widespread TLS usage, for a globally safer and more private internet. More precisely, it aims to remove the technical and financial constraints that may prevent some webmasters from using TLS certificates more broadly.
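Because Let's Encrypt certificates live for only 90 days, the practical risk is not the CA but a renewal that silently fails. The following is an added example (not code from the original post or from Let's Encrypt) that uses only the Python standard library to read a certificate the way `ssl.SSLSocket.getpeercert()` presents it, report the issuer, and flag it for renewal once fewer than 30 days remain; the sample certificate dict is constructed, and the 30-day threshold is an assumed monitoring policy.

```python
"""Renewal health check for short-lived (90-day) TLS certificates."""
import socket
import ssl
import time

RENEW_WITHIN_DAYS = 30  # assumed policy: flag certs with under 30 days left


def _to_seconds(t):
    """Accept either epoch seconds or a cert-style time like 'Feb  1 00:00:00 2024 GMT'."""
    return ssl.cert_time_to_seconds(t) if isinstance(t, str) else t


def issuer_org(cert):
    """Return the issuer's organizationName from a getpeercert() dict (or None)."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def days_until_expiry(cert, now=None):
    """Whole days until notAfter; negative once the certificate has expired."""
    now = time.time() if now is None else _to_seconds(now)
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)


def assess(cert, now=None):
    """Summarize issuer and renewal status: OK, RENEW_NOW or EXPIRED."""
    days = days_until_expiry(cert, now)
    status = "EXPIRED" if days < 0 else "RENEW_NOW" if days < RENEW_WITHIN_DAYS else "OK"
    return {"issuer": issuer_org(cert), "days_left": days, "status": status}


def fetch_cert(host, port=443, timeout=5):
    """Live check: connect with full chain and hostname verification, return the cert dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample: a 90-day certificate (Jan 1 to Mar 31, 2024) in getpeercert() shape.
SAMPLE_CERT = {
    "issuer": ((("organizationName", "Let's Encrypt"),), (("commonName", "R3"),)),
    "subject": ((("commonName", "example.com"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 31 00:00:00 2024 GMT",
}

if __name__ == "__main__":
    for when in ("Feb  1 00:00:00 2024 GMT", "Mar  5 00:00:00 2024 GMT", "Apr  1 00:00:00 2024 GMT"):
        print(when, assess(SAMPLE_CERT, now=when))
```

Replace `SAMPLE_CERT` with `fetch_cert("your-domain.example")` to run it against a live site, e.g. from a daily cron job that alerts on anything other than OK.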
Should You Buy an SSL Certificate or Use Let's Encrypt?
Should you buy an SSL certificate and renew it yearly? Or should you take advantage of the free certificates?
Technically speaking, there is no difference between a basic domain-level paid certificate and a free one. Apart from the issuing authority, there is no other difference. In a nutshell, both certificates are the same and come from an authorized entity. There is no reason not to trust Let's Encrypt and its initiative.
Paid domain-level certificates cost $50-60 per year, which you have to pay again at every renewal, whereas Let's Encrypt certificates are free and renewals are free too. There are many other benefits of the free initiative as well. For example:
- It is easy to manage.
- The certificates are compatible with major browsers.
- You can generate multiple free certificates.
- It comes built-in with many web hosts.
But if you are going for an organization or extended validation SSL certificate, which are pretty expensive, then it's a good idea to look at paid SSL CAs.
So is it really safe? Yes! The official LE client creates 2048-bit certificates, and you can also generate 4096-bit ones (to do this, run letsencrypt-auto with this flag:
Let's Encrypt has come roaring out of beta with new sponsors. A lot of these companies are banking on the success of Let's Encrypt. It has grown to be the third largest Certificate Authority in the world, and a lot of people have come to trust it. It currently has 1.93 million unexpired certificates in the wild, making it one of the largest Certificate Authorities in the world.
As a website owner, you have a big responsibility to keep the privacy of your visitors intact. Installing an SSL certificate on your website is a good start and prevents the interception of submitted information by hackers. In the past, many people dreaded encrypting their website because it was expensive and difficult. Let's Encrypt is easy and free.
What do you think of free SSL certificates? Is there any confusion or question you have? If so, post a comment below.
Finally, you can catch all of my articles on my profile page, and you can follow me or reach out on Twitter @mrahmadawais to discuss this article. As usual, don't hesitate to leave any questions or comments below, and I'll aim to respond to each of them.