No doubt you’ve heard of Google’s updates regarding HTTPS, and their ongoing quest to create a more secure internet for us to inhabit.
Back in 2014, an announcement was made by Google that the websites served through ‘HTTPS’ will secure better SEO rankings.
This announcement gave rise to a lot of controversies between web developers and website owners. Some people were quite happy with this idea because they agreed with the concept of generalized HTTPS use in order to make the internet a safer place; while there were other people that thought that this initiative was unnecessary, complicated and expensive.
Another reason for people to feel unhappy with this announcement was that they would have to re-code their websites to use HTTPS. It would also be required to spend money on purchasing SSL certificates.
At that time, people might not have thought that HTTPS would conquer the internet world that easily.
Flash forward to january 2019. In order to comply with Google’s standards and to avoid getting your website flagged as ‘not secure‘, every website owner should make sure that all the website pages are served through HTTPS. Many browsers have also made the switch to warn their users whether the website that they are browsing is safe or not.
But simply installing an SSL certificate is no walk in the park…
That’s where Let’s Encrypt comes in. This fledgling Certificate Authority (CA), that was launched in 2016, has disrupted the industry during the past two and a half years by offering free Domain Validation (DV) and as of april 2018 Wildcard SSL certificates to any qualifying site. You get to protect your visitors’ security, they get more peace of mind, and you don’t have to spend a dollar while you’re at it. It’s a winning proposition.
What is Let’s Encrypt?
Let’s Encrypt is an automated, free and an open certificate authority (CA) offering a solution to TLS (Transport Layer Security) encryption for website owners. The Let’s Encrypt initiative was founded on the objective to provide all website owners with SSL certificates that are not only free, but both easy to install and easy to update too.
Encrypting the traffic to your website used to be a fairly expensive ordeal. Particularly for small business owners who want to do right by their website visitors, but don’t have a great deal of money to invest in HTTPS. Let’s Encrypt tackles this head-on, additionally eliminating the complexity of installing and maintaining the security certificates with automated processes.
Let’s Encrypt works with a simple principle – They provide support for the generalization of HTTPS and want to make it available for every website owner. However, as their business runs on a ‘non-profit’ concept and as they have a limited amount of resources, they have to focus more on sustaining the core principle that is creating easy and automated SSL issuance process. They are not driven with the goal of providing any end user support for certificate generation or renewals; given the nature of this initiative, this fact is understandable.
Let’s Encrypt is still comparatively a young service. They left Beta in 2016 – this means that they don’t have the credibility and experience of a proper established certificate authority. This is the reason why they lack an extremely important feature that is provided by the traditional certificate authorities; ubiquity or omnipresence. All browsers and operating systems comprise of a root repository that contain a list of approved or trusted certificate authorities along with their root certificates. The root certificate states which Intermediately Certificate should be trusted and the ones that shouldn’t be trusted; therefore being a part of this group is extremely important for every certificate authority.
To look at it in another way, as Let’s Encrypt is still a new company, the certificates issued by this authority are not 100% accepted by all the browsers, especially the certificates that were released before this organization came into existence. This is the reason why they reached out to IdenTrust, another certificate authority trusted by the main browsers in order to cross-sign their CAs. Even though this solves most of the browser warnings, it still does not cater to some compatibility issues that are discussed further in this article.
On the positive side, Let’s Encrypt makes use of their self-issued root and intermediate certificates and the private keys are stored in accordance with their website on the hardware security modules (HSMs) and they are out of the reach of hackers.
Advantages of Let’s Encrypt
It’s difficult to compete with a €0 price tag, especially when other CAs charge arguably high rates for similar certificates. Anywhere from €20,- up to nearly €1000,- a year for premium EV certificates.
With those kinds of prices, it’s no wonder that Let’s Encrypt is gaining traction quickly among web hosts and users alike. It’s worth noting however that since Let’s Encrypt certificates are free, you don’t get access to any type of insurance to cover you in the event of a security breach, which is something other CAs offer.
Speed Of Issuance
As Let’s Encrypt certificates are free of charge and their issuance process is completely automated, the certificates are generated really fast if not instantly. The validation process is quickly performed with the help of an ACME protocol based software.
Certbot automatically fetches and deploys your Let’s Encrypt certificate, to immediately start serving over HTTPS. You can even enable features such as automatic HTTP to HTTPS redirects on Apache. As an initiative from EFF (Electronic Frontier Foundation), Certbot is part of a web-wide effort to encrypt the entire internet for the safety and security of its users.
Users can have a valid certificate effective on their domain within a few seconds.
In contrast to the traditional certificate authority, it is important for the user to put an SSL order first. Users can put the order directly on their website or through a reseller and then the users have to perform the validation steps manually. The validation process can take up to a few hours to several days depending on the type of certificate purchased.
Let’s Encrypt does require you to renew your certificate every 90 days, however there is an automated renewal process in place, that works well in most situations. There are still some issues left to be ironed out regarding auto updates.
Commercial SSL certificates expire each year and cannot be renewed. A new certificate will have to be purchased and installed each year.
Disadvantages of Let’s Encrypt certificates
Validation / Visitor Trust Level
The certificate types available through Let’s Encrypt include Domain Validated (DV) or Wildcard SSL certificates. Let’s Encrypt, does not have any plans to offer ‘Organization Validated’ or ‘Extended Validation’ certificates in the near future.
DCV stands for ‘Domain Control Validation’, this validation process states that the only thing that is checked before issuing the certificate is that the requester of the certificate has access to the domain either by uploading a simple .txt file in the domain’s root folder or by adding a particular DNS record in the domain zone. As a result of this process, a lot of questions are raised over HTTPS credibility since anyone can get access to a free SSL certificate including malicious organizations. These organizations will not miss the opportunity to use the HTTPS padlock that is recognized for web security throughout the world to pass as a ‘genuine’ business organization.
There are some compatibility issues with Let’s Encrypt certificates as they are not completely compatible with all the browsers. With light to the fact that they are still a new certificate authority and the main browsers or operating systems do not recognize them. Let’s Encrypt has published a list of incompatibilities.
- Blackberry < v10.3.3
- Android < v2.3.6
- Nintendo 3DS
- Windows XP prior to SP3
- cannot handle SHA-2 signed certificates
- Java 7 < 7u111
- Java 8 < 8u101
- Windows Live Mail (2012 mail client, not webmail)
- cannot handle certificates without a CRL
- PS3 game console
- PS4 game console with firmware < 5.00
For the majority of website owners, this is a non-issue. However, in the case of SNI, if your clients are still using the older operating systems, browsers or mobile devices, then there are chances of encountering some problems.
Purchasing a premium SSL certificate that is issued by an established certificate authority will generally avoid the compatibility issues. This is because the established certificate authority is already recognized and trusted by all the major software and hardware combinations – and this is not just a fact now, but this was the fact in the past as well (this means that even the older devices worked as expected).
For developers managing multiple client websites, the rate limit can also be an inconvenience. There is, however, a Renewal Exemption to ensure that users are always able to renew a certificate without it counting toward the weekly rate limit. Renewals are defined as containing “the exact same set of hostnames as a previously issued certificate”.
According to Let’s Encrypt, the rate limits are as following:
- 50 certificates per registered domain per week
- 100 names per certificate
- 5 duplicate certificates per week
- 10 accounts per IP address per 3 hours
- 500 accounts per IP range within an IPv6 /48 per 3 hours
- 300 pending authorisations on your account
There is no way to temporarily reset the rate limit if you’ve hit it. (Revoking certificates will not reset your rate limits either, if you’re thinking of getting cheeky.) Though you can request a higher rate limit in advance if you are a large organisation or hosting provider, but requests can take weeks to process.
HTTPS made too easy
Let’s Encrypt came under fire in 2016 for making HTTPS too easy, thereby providing a false sense of security to users. In other words, any malicious website can install the free SSL certificate without much scrutiny or financial investment, and exploit the appearance of “looking more trustworthy” to push malware to unsuspecting visitors.
This isn’t really a fault of Let’s Encrypt, but rather the fault of a lack of general education regarding internet safety. Just because a website says it’s “secure” doesn’t mean that the website is well-intentioned, and some cybercriminal opportunists are abusing this common misconception to trick those less web-savvy into giving away sensitive information and downloading gosh-knows-what.
Certificate Lifetime And Reliability
The certificates provided by Let’s Encrypt have a maximum lifetime of 90 days. Given the fact that the renewal process is 100% automated, this might not seem to be an issue at first. However, the renewal process is not completely error free some issues were already reported on the community page of Let’s Encrypt. Users have alsocomplained about failed renewals for various reasons.
In absence of a reliable renewal system and with no support staff available for troubleshooting the technical issues, renewal of the SSL certificates turns into a daunting task. Even if you have a lot of technical skills, as the renewals of the certificates have to be done quite frequently, undertaking the renewal process on your own can take up a lot of your time.
The fact that Certbot asks the users to run the auto-renewal cronjobs multiple times everyday should raise some doubt about the reliability of this process.
As quoted by Certbot – ‘if you’re setting up a cron or systemd job, we recommend running it twice per day (it won’t do anything until your certificates are due for renewal or revoked, but running it regularly would give your site a chance of staying online in case a Let’s Encrypt-initiated revocation happened for some reason).’
In reality most of the website owners surely need more than just a ‘chance’ for keeping their website online, but then it is a matter for getting the service level for which you have paid a price. As Let’s Encrypt certificates are available free of cost, the limitations should also be accepted.
Premium SSL certificates have a lifetime duration of 1-3 years. Naturally, as there is a longer period between renewals, there is a lower risk involved in the renewal process. Considering the worst case scenario, it might have an impact on your business once every 3 years in comparison to once every 3 months!
In addition to this, the premium SSL certificates are generally renewed manually by users. Even if you have the proper processes set in place for ensuring that any certificate expiry doesn’t go unnoticed, the human element can identify and resolve the issues before they have any negative impact on your business.
Let’s Encrypt have put limits in place with regards to the issuance and renewal of your certificates. You can request a maximum of 50 certificates for every domain for a period of 7 days; therefore, if you have more than 50 sub-domains, this can get a little difficult to manage. This process does not have any override mechanism, so in any way you reach that limit whether it is by mistake or by the number of domains you own, the only way is to wait for 7 days until the limit rests.
Even though you can request for multiple domains in 1 certificate, there is a limitation of 100 names. In case you need more, the only option you have is to opt for a premium SSL certificate.
There are some other technical limits as well for the issuance and renewal process of the certificates, but normally you won’t encounter them. It is important for you to note that if you encounter any technical issues, the only option you have is to wait for the limit to reset. There is no technical support person available at Let’s Encrypt for making any exception for you.
Should you still pay for SSL certificates?
The answer to this question depend on your needs as a business. Please consider:
- The type of business you run. Is a DV certificate suitable?
- Technical skills possessed to maintain SSL certificates by you and your technical department
- How much do you value your time?
Yes, Let’s Encrypt certificates are free and that is a great thing if you are working on a tight budget; but, the truth is that the average price of a premium SSL certificate is less than £1 per week and this will be one of the lowest in your business overheads. You need to determine for yourself if the time and business risk involved in dealing with a renewal malfunction justify a cost saving?