Back in 2014, Google announced that websites served over ‘HTTPS’ would earn better SEO rankings, alongside its call for ‘HTTPS everywhere’. The announcement stirred up plenty of controversy among web developers and website owners. Some welcomed the idea, agreeing that generalised HTTPS makes the internet a safer place, while others thought the initiative unnecessary, complicated and expensive. A further cause of unhappiness was that site owners would have to re-code their websites for HTTPS and spend money on SSL certificates they had not needed before.
At the time, few people expected HTTPS to take over the web so quickly. Many sceptics may have dismissed Google’s decision, but here we are in 2017, and Google now marks non-HTTPS pages that request passwords or credit card details as unsafe. This makes Google’s initiative all the more convincing and important: an HTTPS website is now unavoidable, especially if you accept online payments.
To comply with Google’s standards and avoid having your website flagged as ‘not secure’, every website owner should make sure that all pages are served over HTTPS. Many browsers have also switched to warning users about whether the website they are browsing is secure.
It is also important to analyse your website for third-party services integrated into its code, such as analytics and social plugins, and to ensure that they are configured correctly for HTTPS as well.
What Is ‘Let’s Encrypt’? And what makes it different from a traditional Certificate Authority?
Let’s Encrypt is an automated, free and open certificate authority (CA) run for the public’s benefit by the Internet Security Research Group (ISRG). While the ‘free’ aspect is attractive, it is important to understand the other implications of using Let’s Encrypt.
Let’s Encrypt works on a simple principle: it supports the general adoption of HTTPS and wants to make it available to every website owner. However, as it runs as a non-profit with limited resources, it has to concentrate on sustaining its core mission, which is an easy and automated SSL issuance process. It is not set up to provide end-user support for certificate generation or renewals; given the nature of the initiative, this is understandable.
Let’s Encrypt is still a comparatively young service; it left beta in 2016, which means it does not have the credibility and track record of a long-established certificate authority. For this reason it lacks an extremely important feature that traditional certificate authorities offer: ubiquity, or omnipresence. Every browser and operating system ships a root store containing the list of approved or trusted certificate authorities along with their root certificates. The root certificate determines which intermediate certificates are trusted and which are not, so being part of this group is extremely important for every certificate authority.
Looked at another way, because Let’s Encrypt is still a new organisation, the certificates it issues are not accepted by 100% of browsers, especially by software released before the organisation came into existence. This is why Let’s Encrypt reached out to IdenTrust, another certificate authority trusted by the main browsers, to cross-sign its CA certificates. Although this removes most browser warnings, it does not resolve some compatibility issues, which are discussed further in this article.
On the positive side, Let’s Encrypt uses its own self-issued root and intermediate certificates and, according to its website, the private keys are stored in hardware security modules (HSMs), out of the reach of attackers.
Benefits And Limitations Of Let’s Encrypt
Speed Of Issuance
Because Let’s Encrypt certificates are free and the issuance process is fully automated, certificates are generated very quickly, if not instantly. Validation is performed by software that implements the ACME protocol, and users can have a valid certificate live on their domain within a few seconds.
With a traditional certificate authority, by contrast, the user must first place an SSL order, either directly on the CA’s website or through a reseller, and then complete the validation steps manually. Validation can take anywhere from a few hours to several days depending on the type of certificate purchased.
Validation / Visitor Trust Level
The certificate types available through Let’s Encrypt are basic or SAN (multi-domain) DCV SSL certificates. The recently established Let’s Encrypt has no plans to offer ‘Organization Validated’ or ‘Extended Validation’ certificates in the foreseeable future.
DCV stands for ‘Domain Control Validation’: the only thing checked before a certificate is issued is that the requester controls the domain, which is proven either by uploading a simple .txt file to the domain’s web root or by adding a particular DNS record to the domain’s zone. This raises a lot of questions about HTTPS credibility, since anyone, including malicious organisations, can obtain a free SSL certificate. Malicious organisations will not miss the opportunity to use the HTTPS padlock, recognised worldwide as a symbol of web security, to pass themselves off as ‘genuine’ businesses.
Easy, free access to trusted SSL certificates dilutes the meaning of HTTPS and makes it easier to trick less informed users. How will visitors tell a genuine, respectable business from a phishing website? This is where ‘Organization Validated’ and ‘Extended Validation’ certificates come in, because their validation process goes further. In addition to the DCV step, businesses have to prove their legitimacy, either by showing proof of incorporation or by providing other documents confirming that the business exists as a bona fide trading entity. For Extended Validation certificates, the validation goes deeper still: the certificate authority carries out independent checks to confirm that the information provided by the requester matches the information held in public registers.
Organization Validated and Extended Validation certificates always contain some details about the website owner, depending on the level of validation, and browsers display this information to visitors. For instance, you may have seen a green address bar that includes the company name; this green bar substantially increases users’ trust. OV/EV SSL certificates also come with branded website seals that further increase user confidence.
As stated earlier, Let’s Encrypt certificates are not compatible with every browser, in light of the fact that it is still a new certificate authority that some browsers and operating systems do not recognise. Let’s Encrypt publishes the following list of incompatibilities:
- Sony PS3 and PS4 game consoles
- Blackberry OS v10, v7, & v6 (Comodo support 4.3.0 + )
- Android < v2.3.6 (comodo – 1.5 +)
- Nintendo 3DS
- Windows XP prior to SP3
- Java 7 < 7u111
- Java 8 < 8u101
In practical terms, most website owners will find that Let’s Encrypt works with the devices used by the majority of their clients. However, as with SNI, if your clients are still using older operating systems, browsers or mobile devices, you may run into problems.
Purchasing a premium SSL certificate issued by an established certificate authority generally avoids these compatibility issues, because the established CA is already recognised and trusted by all major software and hardware combinations, and has been for years, which means that even older devices work as expected.
Certificate Lifetime And Reliability
Let’s Encrypt certificates have a maximum lifetime of 90 days. Given that renewal is 100% automated, this might not seem a problem at first. However, the renewal process is not entirely error-free; issues have already been reported on the Let’s Encrypt community page, where users complain of renewals failing for various reasons, including problems with the .config files and failed domain control authentication.
Without a reliable renewal system and with no support staff to troubleshoot technical issues, renewing SSL certificates becomes a daunting task. Even if you are technically skilled, renewals have to be done so frequently that handling them yourself can consume a lot of your time.
The fact that Certbot asks users to run the auto-renewal cron job multiple times every day should raise some doubt about the reliability of the process.
As quoted by Certbot – ‘if you’re setting up a cron or systemd job, we recommend running it twice per day (it won’t do anything until your certificates are due for renewal or revoked, but running it regularly would give your site a chance of staying online in case a Let’s Encrypt-initiated revocation happened for some reason).’
In reality, most website owners need more than a ‘chance’ of keeping their website online, but then it is a matter of getting the service level you have paid for. As Let’s Encrypt certificates are free of charge, their limitations have to be accepted too.
Premium SSL certificates from traditional certificate authorities have a lifetime of 1-3 years. Naturally, with a longer period between renewals there is less risk in the renewal process: in the worst case, it might affect your business once every 3 years rather than once every 3 months!
In addition, premium SSL certificates are generally renewed manually. Provided you have proper processes in place to ensure that no certificate expiry goes unnoticed, the human element can identify and resolve issues before they have any negative impact on your business.
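As an added example (not code from this article or from Certbot), here is a small Python check that reads the expiry date exactly as printed by `openssl x509 -noout -enddate` and estimates how many twice-daily renewal runs have already had the chance to renew the certificate and did not, so a silently failing renewal is noticed well before expiry. The 30-day renewal window is Certbot’s default and is an assumption here, not something the article states.

```python
from datetime import datetime, timedelta, timezone

# Assumptions (not stated in the article): Certbot's default is to renew once
# 30 days or fewer remain, and the cron job runs twice a day as quoted above.
RENEW_BEFORE_DAYS = 30
ATTEMPTS_PER_DAY = 2


def parse_openssl_enddate(line):
    """Parse the 'notAfter=...' line printed by `openssl x509 -noout -enddate`."""
    value = line.split("=", 1)[1].strip()          # e.g. 'Apr  1 00:00:00 2017 GMT'
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def renewal_status(not_after, now):
    """Classify renewal health as ok / renewal-due / renewal-failing / expired.

    missed_attempts counts how many scheduled Certbot runs since the renewal
    window opened have left the certificate un-renewed.
    """
    window_open = not_after - timedelta(days=RENEW_BEFORE_DAYS)
    days_left = max((not_after - now) / timedelta(days=1), 0.0)
    if now >= not_after:
        return {"state": "expired", "days_left": 0.0, "missed_attempts": None}
    if now < window_open:
        return {"state": "ok", "days_left": days_left, "missed_attempts": 0}
    missed = int((now - window_open) / timedelta(days=1) * ATTEMPTS_PER_DAY)
    state = "renewal-due" if missed == 0 else "renewal-failing"
    return {"state": state, "days_left": days_left, "missed_attempts": missed}


def check(enddate_line, now_iso):
    """Convenience wrapper: openssl enddate line plus an ISO 8601 UTC timestamp."""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    return renewal_status(parse_openssl_enddate(enddate_line), now)


if __name__ == "__main__":
    # Constructed sample: a 90-day certificate whose renewal window opened on 2 March
    sample = "notAfter=Apr  1 00:00:00 2017 GMT"
    print(check(sample, "2017-03-10"))  # renewal-failing, 16 missed attempts
```

In a monitoring job, anything other than "ok" or "renewal-due" is the signal that the automated renewal needs a human to look at it.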
At MilesWeb, we take complete responsibility for every premium SSL certificate we provide. Customers are notified 60 days before a certificate expires, and the entire issuance, validation and installation process is fully managed by MilesWeb. The reliability of MilesWeb’s renewal process compared with Let’s Encrypt’s is unmatched. Failures in SSL renewal can create problems for your business, so you should consider signing up for a premium SSL certificate.
Let’s Encrypt does not provide wildcard certificates, which means you need a separate certificate for every sub-domain you want to secure. You need to know the exact sub-domains at the time you request the certificate or replace it.
You can request a maximum of 20 certificates per domain in any 7-day period, so if you have more than 20 sub-domains this can get difficult to manage. There is no override mechanism: if you hit the limit, whether by mistake or simply because of the number of domains you own, the only option is to wait 7 days for the limit to reset.
Although you can request multiple domains in one certificate, there is a limit of 100 names per certificate. If you need more, the only option is a premium SSL certificate.
There are other technical limits on issuance and renewal as well, though you will normally not hit them. Note that if you do run into any of these limits, your only option is to wait for the limit to reset; there is no support person at Let’s Encrypt who can make an exception for you.
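To make the limits in the four paragraphs above concrete, here is an added Python planner (not code from this article or from Let’s Encrypt) that takes a hostname inventory and compares issuing one certificate per sub-domain, as the no-wildcard rule suggests, against packing up to 100 names into SAN certificates, reporting how many 7-day windows each approach needs under the 20-per-domain limit. That the limit applies per registered domain, and the last-two-labels heuristic used to find it, are assumptions.

```python
from collections import defaultdict

# Limits as stated in the text. Treating "per domain" as per registered
# domain, found by taking the last two labels, is an assumption.
MAX_NAMES_PER_CERT = 100
MAX_CERTS_PER_DOMAIN_PER_WEEK = 20


def registered_domain(hostname):
    """'api.shop.example.com' -> 'example.com' (assumed heuristic, no PSL lookup)."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])


def chunk(names, size):
    """Split a sorted name list into SAN groups of at most `size` names."""
    return [names[i:i + size] for i in range(0, len(names), size)]


def weeks_needed(cert_count):
    """7-day windows required to issue cert_count certificates for one domain."""
    return -(-cert_count // MAX_CERTS_PER_DOMAIN_PER_WEEK)  # ceiling division


def plan_issuance(hostnames):
    """Compare one-certificate-per-hostname against SAN-packed issuance
    for every registered domain; wildcards are rejected as not issuable."""
    by_domain = defaultdict(list)
    for name in sorted(set(h.lower() for h in hostnames)):
        if name.startswith("*."):
            raise ValueError("wildcard names cannot be requested: " + name)
        by_domain[registered_domain(name)].append(name)
    plan = {}
    for domain, names in by_domain.items():
        san_certs = chunk(names, MAX_NAMES_PER_CERT)
        plan[domain] = {
            "hostnames": len(names),
            "one_per_name": {"certificates": len(names),
                             "weeks": weeks_needed(len(names))},
            "san_packed": {"certificates": len(san_certs),
                           "weeks": weeks_needed(len(san_certs)),
                           "groups": san_certs},
        }
    return plan


if __name__ == "__main__":
    # Constructed inventory: 25 sub-domains of example.com plus two example.net hosts
    inventory = ["site%02d.example.com" % i for i in range(25)]
    inventory += ["www.example.net", "mail.example.net"]
    for domain, info in plan_issuance(inventory).items():
        print(domain, info["one_per_name"], "vs SAN:", info["san_packed"]["certificates"])
```

The output shows why the 20-per-week limit mostly bites when every sub-domain gets its own certificate: 25 hosts need two weeks one-by-one but a single SAN certificate when packed.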
Should you still pay for the SSL certificate?
The answer to this question depends on three things:
- The type of business you run
- Technical skills possessed by you and your technical department
- How much you value your time
Yes, Let’s Encrypt certificates are free, and that is great if you are on a tight budget; but the truth is that the average price of a premium SSL certificate is less than £1 per week, which will be one of the smallest overheads in your business. You need to decide for yourself whether the time and business risk involved in dealing with a renewal malfunction justify that cost saving.
As a MilesWeb customer, you already know that we offer fully managed services, and our premium round-the-clock support extends to services such as SSL and domain names. In other words, everything from ordering, installation, renewal and reissue of certificates to troubleshooting is MilesWeb’s responsibility.
The best thing about a premium SSL certificate is that there is no admin burden; beyond that, premium SSL certificates also earn customers’ trust. This is extremely important for any business, and especially for e-commerce businesses, where users have to feel confident and comfortable entering their card details or personal information. A green bar or site seal offers the reassurance that they are dealing with a reliable business entity.