Should you use free SSL/TLS Let's Encrypt certificates or not?
We get this question on an ongoing basis, and unfortunately the answer is neither simple nor straightforward. Below we have gathered the experiences our customers have made. In addition, we provide a more general technical review of the advantages and disadvantages of the individual certificate types, free or paid, with the aim of making your choice a little simpler.
These experiences have been gathered over the years through ongoing dialogue with our customers, who include half of all Danish municipalities, 4 of the 5 regions and a number of government agencies, as well as a number of large, prominent private companies across industries, typically with activities both in and outside Denmark.
First of all “the elephant in the room”
No, a certificate from Let's Encrypt is NOT more secure than a comparable paid certificate from the well-known certificate authorities or resellers. Without naming any (so that none is forgotten): our customers use certificates from all the known issuers, which also tells us that SSL/TLS certificates are a generic product, and that as a buyer or orderer you do not necessarily need a technical preference for the issuer. Whether the certificate is free or paid, it always performs the same function, namely securing and encrypting the traffic between the user's browser and the web server.
Let's Encrypt is financed solely through donations, and the vision from day one has been that encrypted communication on the Internet must be possible for everyone. Let's Encrypt acts as the certificate authority for its certificates, and issuance and renewal take place in an almost fully automated process, which keeps costs extremely low despite the very large certificate portfolio it handles globally. Conversely, support and assistance are not guaranteed if the technology acts up.
Let's Encrypt differs from other providers of SSL/TLS certificates in 2 key areas:
The validity period of Let's Encrypt certificates is only 3 months
Let's Encrypt only offers domain-validated certificates, which therefore do not contain the identity of the organization to which the certificate is issued (see the description of DV, OV and EV certificates below)
All in all, we see a clear trend towards paid certificates where one wants a high conversion rate and the maximum degree of trust from visitors. For internal applications, operated applications and the like, we see a trend in Let's Encrypt's favour; another upside there is the positive effect on the annual cost of certificates.
Whichever way one leans, Let's Encrypt is here to stay, and it has definitely set a new standard for the degree of automation of both issuance and renewal.
For the sake of completeness, we list below the different types of SSL/TLS certificates offered by the various certificate authorities and resellers:
Domain validation (DV)
Domain-validated certificates are the lowest validated version of a certificate in terms of security. The only requirement is proven control of the domain or domains contained in the certificate. Control can be demonstrated by a company or even just a person, for example by creating a DNS record or by replying to an email sent to one of a short list of approved addresses, such as hostmaster@, postmaster@ and administrator@. A domain-validated certificate does not show which organization it was issued to. Because of this relatively low level of assurance, it is not advisable to use this type of certificate for websites that handle payments, transactions or collection of personal data.
Organization validation (OV)
Organization-validated certificates are the next level in terms of security. OV certificates undergo a series of checks that together validate that it really is the given organization that orders the certificate, and that the organization controls the domains to which the certificate is issued. For example, a phone call is typically made to the company to confirm that it is the company that placed the order. An organization-validated certificate states which organization it was issued to.
Extended validation (EV)
Extended-validation certificates are the highest level of validation for SSL/TLS certificates. EV certificates go through the same steps as both DV and OV certificates. In addition, further validation steps are included, such as verifying the company's physical address, verification by telephone contact and other measures that ensure a high level of trust in the information stated in the certificate. The name and address of the organization appear in the issued certificate.
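Both differences this page discusses, the missing organization identity in a DV certificate and the short lifetime of a Let's Encrypt certificate (3 months, i.e. 90 days), can be read directly out of the certificate: the organization sits in the Subject O field and the lifetime is NotAfter minus NotBefore. The Go program below is an added example and not TrustSkills code; it builds a constructed self-signed test certificate (the names www.example.com and Example A/S are placeholders) and inspects it with Go's standard crypto/x509 package.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// OrganizationOf returns the Subject O; it is empty on a DV certificate, which carries no organization identity.
func OrganizationOf(c *x509.Certificate) string {
	return strings.Join(c.Subject.Organization, ", ")
}

// LifetimeDays returns the validity period in whole days; Let's Encrypt issues for 90.
func LifetimeDays(c *x509.Certificate) int {
	return int(c.NotAfter.Sub(c.NotBefore).Hours() / 24)
}

func must[T any](v T, err error) T { // panics on error; fixture helper only
	if err != nil {
		panic(err)
	}
	return v
}

// SelfSigned builds a constructed, self-signed test certificate with the given
// subject and lifetime (a real DV or OV certificate is issued by a CA instead).
func SelfSigned(subject pkix.Name, days int) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      subject,
		NotBefore:    now,
		NotAfter:     now.Add(time.Duration(days) * 24 * time.Hour),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

func main() {
	dv := SelfSigned(pkix.Name{CommonName: "www.example.com"}, 90) // DV-style: no O
	fmt.Printf("O=%q lifetime=%d days\n", OrganizationOf(dv), LifetimeDays(dv))
}
```

The two inspection functions take any *x509.Certificate, for example the PeerCertificates from a tls.Conn's ConnectionState, so the same check can be run over a certificate inventory to find DV-only or short-lived certificates.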
What have we learned and what do TrustSkills expect from the future?
As mentioned, Let's Encrypt is here to stay, and the automated process of ordering, renewing and deploying certificates is definitely the new standard for certificate management.
We at TrustSkills rely on the same methodology that Let's Encrypt uses for automation. The ACME protocol is the focal point; the only difference is that our solution is capable of automating the entire process, from procurement to deployment, for all types of SSL/TLS certificates. In addition, our solution also handles your internal certificates (Microsoft PKI) and MitID (Voces / Foces).
Below is an illustration of our solution.