HTTPS encryption makes a huge difference to online security; by encrypting all data transferred to and from your site, you can be certain that potential attackers aren’t listening in. And can you put a price on the reassurance users feel when they see that little padlock icon?
The answer is in fact yes, and that price could be nothing: a Let’s Encrypt certificate provides website encryption for free. In theory, this allows anyone to set up SSL encryption on their website (and get that all-important padlock) without worrying about the cost.
Since its launch in April 2016, Let’s Encrypt has quickly become a popular choice for anyone looking to enhance the security of their online presence. But what is it that allows Let’s Encrypt SSL certification to be provided free of charge, and what are the benefits of a paid-for certificate instead? To answer these questions, firstly, we need to look at the history of the project, and how a Let’s Encrypt certificate works.
What is Let’s Encrypt?
Let’s Encrypt is a certificate authority (CA) run by the Internet Security Research Group (ISRG), a non-profit organisation based in California. In its own words, Let’s Encrypt SSL is ‘a free, automated, and open certificate authority, run for the public’s benefit’.
The idea behind Let’s Encrypt is to ‘create a more secure and privacy-respecting web’. With Google nudging everyone towards HTTPS, and the major browsers moving to highlight HTTP sites as non-secure, this clearly reflects an industry-wide effort to enhance security standards across the web.
But as an organisation relying on sponsors and donors, Let’s Encrypt has to be smart in how it delivers its services. Compared to commercial CAs, Let’s Encrypt makes extensive use of automation, with fully automated systems handling the issuing and renewal of all certificates.
How to use Let's Encrypt
As a CA, Let’s Encrypt issues certificates that enable HTTPS. However, how you go about obtaining one depends on whether you have shell access (SSH access) to your web server. Usually, if your website is managed through cPanel, Plesk, or WordPress, you will have SSH access, but it’s worth checking with your hosting provider.
If you have SSH access, it’s recommended that you use an ACME client that automates certificate issuance and installation. If you don’t have SSH access, you’ll likely need to rely on the built-in support offered by your hosting provider. If they offer Let’s Encrypt SSL, you can simply ask them to request a free certificate on your behalf.
A Let’s Encrypt certificate is only valid for 90 days, while commercial certificates generally expire after two years. Though this sounds like a hassle, automatic renewal ensures that a website isn’t temporarily left without HTTPS – there’s no need to manually renew the certificate every three months.
This focus on automation is a big part of how Let's Encrypt keeps its costs down, and ultimately delivers HTTPS for free.
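Because a 90-day certificate depends entirely on auto-renewal working, the check a site owner actually wants is one that notices when renewal has silently stopped. The following is an added example (not code from Fasthosts or Let’s Encrypt) that classifies certificates by days remaining; the 30-day renewal threshold and the hostnames are assumptions, and the sample records are constructed.

```python
import socket
import ssl
import time

# Let's Encrypt certificates are valid for 90 days. This example flags a
# certificate once fewer than 30 days remain, the window in which an ACME
# client's auto-renewal would normally act (assumed threshold).
LIFETIME_DAYS = 90
RENEW_WHEN_DAYS_LEFT = 30

def days_remaining(not_after, now=None):
    """Days until notAfter, given in the string format ssl.getpeercert()
    returns, e.g. 'Jun 30 12:00:00 2024 GMT'. Negative once expired."""
    expiry = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return (expiry - now) / 86400

def renewal_status(not_after, now=None):
    """Classify a certificate as 'expired', 'renew' or 'ok'."""
    left = days_remaining(not_after, now)
    if left <= 0:
        return "expired"
    if left < RENEW_WHEN_DAYS_LEFT:
        return "renew"
    return "ok"

def fetch_not_after(host, port=443, timeout=5):
    """Fetch the notAfter string from a live server (needs network; not
    called by the offline sample below)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def check_sites(records, now=None):
    """records: iterable of (hostname, notAfter string). Returns a dict
    hostname -> status, so a failed auto-renewal shows up here as 'renew'
    or 'expired' instead of as a browser warning for visitors."""
    return {host: renewal_status(not_after, now) for host, not_after in records}

# Constructed sample data with a fixed "now" of 10 Jun 2024 00:00 UTC.
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun 10 00:00:00 2024 GMT")
SAMPLE_RECORDS = [
    ("fresh.example",   "Aug 29 00:00:00 2024 GMT"),  # 80 days left: ok
    ("stale.example",   "Jun 24 00:00:00 2024 GMT"),  # 14 days left: renew
    ("expired.example", "Jun 01 00:00:00 2024 GMT"),  # already expired
]

if __name__ == "__main__":
    for host, status in check_sites(SAMPLE_RECORDS, SAMPLE_NOW).items():
        print(f"{host}: {status}")
```

Run it from cron against the output of fetch_not_after for your own hostnames and alert on anything other than "ok".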
Free vs paid SSL: validation levels
So, with SSL certificates available for nothing, why would anyone pay for one? In terms of the actual encryption method, there’s no difference between a Let’s Encrypt certificate and one from a commercial provider.
However, there are various areas where Let’s Encrypt can’t compete with the premium CAs. There are three basic types of SSL certificate available from commercial CAs:
- Domain validation (DV)
- Organisation validation (OV)
- Extended validation (EV)
With DV, the CA verifies that the party requesting the certificate is in control of the applicable domain, while with OV, the CA also verifies the name, location and existence of the organisation associated with the domain. Meanwhile, EV involves the heaviest vetting, with the CA going to great lengths to verify the status of the certificate purchaser as a legal entity, including manual checks by a human.
Due to the way its automated systems are set up, Let’s Encrypt SSL can only provide DV certificates. While this may be enough for many sites, anyone looking for a higher level of verification – and the increased trust that comes with it – will need to look elsewhere.
Let’s Encrypt SSL vs paid SSL: support and warranty
With only a small team of humans at the heart of all its automation, Let’s Encrypt can’t provide direct technical support to its users. Extensive documentation is available, and there’s always the community support forum, but this will only get you so far when it comes to more complex technical issues.
With a certificate from a commercial CA, however, you usually get access to some form of direct technical support and troubleshooting advice should anything go wrong.
Premium certificates will also usually come with a warranty – essentially a form of insurance against the unlikely event of certificate failure, fraudulent transactions and end-users losing money. In contrast, a Let’s Encrypt certificate does not offer any form of warranty.
Should you pay for an SSL certificate?
Ultimately, an automatic Let’s Encrypt certificate is ideal for taking the first step into the world of HTTPS. And it makes perfect sense – especially with Google and others pushing the entire web towards HTTPS adoption. For smaller sites and blogs, where HTTPS is nice to have but not mission-critical, Let’s Encrypt SSL is a great option.
But for enterprise-level sites, especially ones that handle sensitive data, the benefits of a premium SSL certificate can’t be overstated. If you’re running an ecommerce platform, or any business that takes payment details online, customer data is one of your most valuable assets. While a Let’s Encrypt certificate can provide SSL protection, it can’t provide the comprehensive coverage and reliability offered by a paid-for certificate.
And Let’s Encrypt isn’t the only place you can get an SSL certificate for free. At Fasthosts, we provide SSL certificates from established provider DigiCert, free for one year on our Web Hosting platform and our Dedicated Servers. For a secure online presence, we have a complete range of services, with your websites hosted in UK data centres and comprehensive support available 24/7.