Regardless of whether it is a free SSL certificate in the open source version or a chargeable SSL encryption - the purpose is the same: All confidential information on a website is encrypted and summarized in the form of a certificate. If so, couldn't everyone get a free SSL certificate? It's not that easy. Some security aspects play a decisive role when choosing a certificate. The current blog post deals with the question in which cases an SSL certificate as a free variant makes sense and in which cases it can bring advantages to fall back on a paid solution.
For those of you who are wondering what an SSL certificate is exactly and why it is so important for your own website, you can find the answers to our latest blog post.
Generally there are different types of SSL certificates. These differ significantly in which test procedure is carried out by the certification body, e.g. GlobalSign. Depending on the scope of your website, there is a corresponding security level for the optimal encryption method:
The Domain Validated Certificate signals to users that the domain has been checked with regard to encrypted data transmission. There is thus a secure connection between the user's browser and the server on which the website is located. This certificate can be recognized by the lock symbol in the address line. This domain validation is the easiest and fastest way of validation by GlobalSign.
The Organization Validated Certificate confirms that not only the connection to the website but also the company or organization has been verified. Users are shown not only the symbol, but also the correctness of the company data in the address line. The validation method is, so to speak, more stringent than with the Domain Validated Certificate. Applicants must prove the existence of their organization. Additional external documents such as an extract from the commercial register are also used for checking.
The Extended Validation is characterized by the fact that it requires the strictest verification method. The identity of the company is put to the test according to defined criteria and the documents requested are checked. Website visitors can be convinced of the verified credibility of the website by the certificate stored in the address line. You can recognize the extended certificate by clicking on the lock symbol in the address line.
When you order an SSL certificate, only the main domain is protected. The wildcard certificate is used to encrypt further domains or subdomains. This could offer a solution for all those who manage multiple websites or pages that are on the same domain.
Of course, SSL encryption often incurs costs that, depending on the certificate validation, can amount to several hundred euros per year. The responsibility for the SSL encryption of the website rests with the respective website operator.
But shouldn't users generally be able to rely on a secure Internet without the decision about it being up to the website operator or depending on their wallet?
The Let's Encrypt initiative has probably also asked itself this question. The non-profit and sponsorship-funded project and its members have made it their mission to make SSL / TLS encryption and secure data transmission accessible to everyone and thus to spread them further.
In particular, Let's Encrypt is a free certification authority. The SSL certificates can be applied for and renewed free of charge - provided that the encryption is checked! Furthermore, the issued https certificates and the associated issue protocol can be publicly viewed and also adapted - as is usual for open source software.
So there is a very positive thought behind the project for all those who are looking for an alternative to the paid versions. The Internet Security Research Group (ISRG) provides the Let's Encrypt service. This is sponsored by companies such as Google Chrome, Cisco Systems and the Mozilla Foundation. The Linux Foundation is also participating in the project.
Now, of course, the question arises: "Why should one still buy SSL certificates at all when SSL certificates are also provided free of charge?"
There are a few points to consider when deciding on a free SSL certificate.
Not all types of SSL certificates described above can be issued with a free Let's Encrypt certificate. Such as the Organization Validated and the Extended Validated certificate. This means that the verification mainly relates to the encryption of the data transmission - but not to the verification of the company or organization.
The variant described above may not be sufficient for websites on which sensitive and personal data are recorded and processed. Basically, you should ask yourself how sensitive the information is that is entered or processed on your site. Is it just information that you would give to anyone who asks you for it, so to speak? Or is it information that you wouldn't even give your best friend?
Users of a page for cooking recipes who enter their desired recipes have completely different security needs than visitors to an online shop, where credit card and bank account details have to be entered. Accordingly, the visitors also want clearly recognizable and good encryption.
Even if, from a technical point of view, there is no difference between the free and paid version of simple SSL certificates, there could still be a psychological effect on credibility.
Recognizing the value of free software is only one side of the coin - of course, all website operators can benefit directly from the advantages. However, the question arises as to whether the users of the site would also trust open source products for security-relevant topics such as SSL. With a click on the lock symbol in the address line or with a mouse-over you can see the certification authority that issued the SSL certificate. This means that the user has the opportunity to find out more about the certification body at any time. The fact that more and more dubious sites, such as phishing sites, have a Let's Encrypt certificate (cf. (1) Golem.de, March 28, 2017, J. Thoma) could improve the credibility of the site's security possibly diminish.
In the event that you have been issued an SSL certificate by a certification authority - but the connection has proven to be insecure, so that your customers have suffered damage as a result, the guarantee coverage applies to a certain amount. However, the prerequisite for this is that one exists. Therefore, especially if you do not operate a purely informational site, you should use SSL certificates with guarantee protection. Unfortunately, free SSL certificates from Let's Encrypt do not come with a corresponding guarantee.
If you take into account all of the criteria mentioned, it can be concluded that a Let's Encrypt SSL certificate is quite suitable for encrypting smaller websites, information pages and pages on which no sensitive information is entered.
If a greater degree of trust on the part of the user is necessary when transmitting sensitive data, an SSL certificate of a "higher category" - that is, Organization Validation or Extended Validation - makes perfect sense. Because of the stricter verification methods, these types of SSL create increased credibility and perceived security for users. With regard to the guarantee, an SSL certificate with appropriate protection is recommended for sites on which sensitive data is processed.
Are you still not quite sure which security level is the right one for your website? Our SSL page gives you an overview of the various options for SSL certificates. If you still have any questions, please do not hesitate to contact us and we will take a closer look at your needs.