Without a doubt, HTTPS encryption makes a huge difference to online security. By encrypting all data transferred to and from your site, you can be certain that potential attackers aren’t listening in. And can you put a price on the reassurance users feel when they see that little padlock icon?
Well, now that anyone can implement HTTPS for free, that price could be zero. Let’s Encrypt provides free SSL certificates, in theory allowing anyone to set up SSL encryption on their website (and get that all-important padlock) without worrying about the cost.
Since its launch in April 2016, Let’s Encrypt has quickly become a popular choice for anyone looking to enhance the security of their online presence. But what allows Let’s Encrypt to provide so many SSL certificates free of charge? And what are the benefits of a paid-for certificate instead? To answer these questions, first we need to look at the history of the project, and how Let’s Encrypt works.
What is Let’s Encrypt?
Let’s Encrypt is a certificate authority (CA) run by the Internet Security Research Group (ISRG), a non-profit organisation based in California. In its own words, Let’s Encrypt is ‘a free, automated, and open certificate authority, run for the public’s benefit’.
The idea behind Let’s Encrypt is to ‘create a more secure and privacy-respecting web’. With Google nudging everyone towards HTTPS, and the major browsers moving to highlight HTTP sites as non-secure, this clearly reflects an industry-wide effort to enhance security standards across the web.
But as an organisation relying on sponsors and donors, Let’s Encrypt has to be smart in how it delivers its services. Compared to commercial CAs, Let’s Encrypt makes extensive use of automation, with fully automated systems handling the issuing and renewal of all certificates.
Let’s Encrypt certificates are only valid for 90 days, while commercial certificates generally expire after two years. Though this sounds like a hassle, auto-renewal is available to ensure that a website isn’t temporarily left without HTTPS – there’s no need to manually renew the certificate every three months
This focus on automation is a big part of how Let's Encrypt keeps its costs down, and ultimately delivers HTTPS for free.
So with SSL certificates available for nothing, why would anyone pay for one? In terms of the actual encryption method, there’s no difference between a certificate from Let’s Encrypt and one from a commercial provider. However, there are various areas where Let’s Encrypt can’t compete with the premium CAs.
Free vs paid SSL: validation levels
There are three basic types of SSL certificate available from commercial CAs: domain validation (DV), organisation validation (OV) and extended validation (EV).
With DV, the CA verifies that the party requesting the certificate is in control of the applicable domain, while with OV, the CA also verifies the name, location and existence of the organisation associated with the domain. EV involves the heaviest vetting, with the CA going to great lengths to verify the status of the certificate purchaser as a legal entity, including manual checks by a human.
Due to the way its automated systems are set up, Let’s Encrypt can only provide DV certificates. While this may be enough for many sites, anyone looking for a higher level of verification – and the increased trust that comes with it – will need to look elsewhere.
Let’s Encrypt vs paid SSL: support and warranty
With only a small team of humans at the heart of all that automation, Let’s Encrypt can’t provide direct technical support to its users. Extensive documentation is available, and there’s always the community support forum, but this will only get you so far when it comes to more complex technical issues.
With a certificate from a commercial CA, you usually get access to some form of direct technical support and troubleshooting advice should anything go wrong.
Premium certificates will also usually come with a warranty – essentially a form of insurance against the unlikely event of certificate failure, fraudulent transactions and end-users losing money. Let’s Encrypt certificates do not offer any form of warranty.
So should you pay for an SSL certificate?
Ultimately, Let’s Encrypt’s automatic SSL certificates are ideal for taking a first step into the world of HTTPS – and it makes perfect sense, with Google and others pushing the entire web towards HTTPS adoption. For smaller sites and blogs, where HTTPS is nice to have but not mission-critical, Let’s Encrypt is a great option.
But for enterprise-level sites, especially ones that handle sensitive data, the benefits of a premium SSL certificate can’t be overstated. If you’re running an ecommerce platform, or any business that takes payment details online, customer data is one of your most valuable assets. While Let’s Encrypt can provide SSL protection, it can’t provide the comprehensive coverage and reliability offered by a paid-for certificate.
And Let’s Encrypt isn’t the only place you can get an SSL certificate for free. At Fasthosts, we provide SSL certificates from established provider DigiCert, free for one year on our Web Hosting platform and our Dedicated Servers. For a secure online presence, we have a complete range of services, with your websites hosted in UK data centres and comprehensive support available 24/7.