Why, for Web Hosts, the Encryption Everywhere program from Symantec is preferable to Let’s Encrypt’s free SSL Certificates.
The age of encryption is here. Whereas at the start of 2015 just 3% of all websites had basic encryption, that number will soon skyrocket. The goal is to eventually encrypt the entire internet. That’s something that the browser community has wanted for years, and now it’s been pushed forward even more by free low-end SSL offerings from organizations like Amazon and Let’s Encrypt.
Let’s Encrypt, in particular, has been at the forefront of this movement within the developer community, offering free basic encryption-only DV certificates to any website that applies for one, even high-risk domains, such as phishing or trademarked domains.
Let’s Encrypt has caused the entire SSL industry to shift. Now, a number of Certificate Authorities are exploring the idea of offering complimentary encryption solutions, with Symantec – the world’s number one CA – leading the charge. This past spring, Symantec unveiled its Encryption Everywhere program specifically for web hosting partners, a direct response to this Let’s Encrypt and browser community movement.
Now web hosts have a choice to make—Let’s Encrypt or Symantec’s program? In this article, we’ll take a look at both and explain why the full-blown program by Symantec is the better option for any real web hosting company.
A Closer Look at Let’s Encrypt
Let’s Encrypt is a new non-profit Certificate Authority, sponsored by some major internet players – companies like Mozilla, Facebook, Akamai and Cisco – that offers free, 90-day bare-bones Domain Validation SSL Certificates.
It’s a truly noble cause that we are fans of, and for many website owners it’s a good enough security solution. Every website should be encrypted, and the ability to do so for free is a fantastic option for blogs, personal websites and sites that don’t collect any personal information or benefit from further business authentication.
Let’s Encrypt is fully automated if you know what you’re doing, meaning issuance, installation, configuration and renewal can all be handled automatically. It’s also open and transparent, and the fact that it’s a non-profit means it serves the greater web community and isn’t beholden to corporate interests.
This is all great news for a certain type of customer. Make no mistake about it, Let’s Encrypt is the right option for some.
But not everyone. Especially not a web host with thousands of websites under control.
A Closer Look at Symantec Encryption Everywhere
Symantec’s Encryption Everywhere program was designed specifically for web hosts (and some domain registrars). It offers basic complimentary DV SSL Certificates from the world’s most popular online security company, with validity periods that start at a minimum of six months and go all the way up to one year. This means renewals don’t need to be handled as often. The program is geared towards web hosts, so they can bundle SSL with every hosting package to meet the web’s new minimum standard. Symantec will not just be doling out these DV certificates on a site-by-site basis to individual customers, but rather working through partners like The SSL Store™ and large web hosts to do so in a very structured and tactical manner.
There are some clear-cut advantages to going with this Symantec offering over Let’s Encrypt. For starters, there’s support! Let’s Encrypt simply doesn’t have the infrastructure to offer support like Symantec can. If you have any issues with one of Symantec’s complimentary certificates or its platform, you can contact someone and get direct help, whereas getting help for a Let’s Encrypt certificate requires you to sift through a web forum looking for a user-generated answer to help you fix your issue.
In addition, Let’s Encrypt has a major limitation when it comes to running a hosting business: the inability to mass-revoke its certificates in the same way that Symantec does. Why is this significant? In the case of a large, widespread vulnerability, like the Heartbleed bug a couple of years ago, Symantec can quickly act to revoke and reissue certificates so that websites using Symantec encryption continue to be protected. Let’s Encrypt simply doesn’t have this capability and most likely never will.
Symantec has invested millions of dollars over the course of the past year in building a scalable infrastructure to fully support mass quantities of certificates and all of the necessary tools typically associated with managing SSL.
Let’s Encrypt is also not an ideal security solution for any company that requires business-level authentication. Authentication is extremely important on the internet because it is the web’s way to bolster trust. If your customers are running a company or a website where it’s important that their consumers trust them, they’re probably going to want to look for something other than a DV certificate.
Sure, the price tag (free) is great. But in order to receive a DV cert, all one has to do is prove ownership over a domain. This means that a growing number of people are slowly losing trust in DV certificates, because anyone, even a cybercriminal, can own a domain, grab a DV certificate at no cost and slap it on their site, quickly activating browser indicators like HTTPS in the URL, which most web users have traditionally associated with “safe.” Unfortunately, that is no longer the case. In fact, it has been well-publicized that many criminals have already put Let’s Encrypt’s free offerings to good use.
For companies that want to build trust with their customers, a DV certificate just isn’t sufficient. Let’s Encrypt only offers Domain Validation, whereas Symantec’s program has the ability to place the right customers with the right security solution that is more appropriate and valuable to the business owner and their needs. These higher-value certificates offer businesses the kind of verification/authentication that they need to put their customers at ease and protect their reputation.
Let’s Encrypt is a great organization with an outstanding mission that offers a service that is invaluable to many websites across the internet that would NEVER have entertained the idea of encrypting their site before. However, it was never the intent for a web host to fully embrace it as the be-all and end-all SSL/TLS solution for their customers. For a web host that has many businesses or organizations that need to establish trust in order to succeed, Symantec is clearly the better choice. Symantec has the resources and the infrastructure to better support its complimentary offerings, as well as low-friction upgrade paths to higher-value certificates that can help to boost trust and comprehensive security for organizations and companies that need them.
While both programs have their place on the internet, Symantec’s is the better option for a web host that would like to offer basic web security with every hosting package, but would also like to have a monetization strategy in place for high-value clients and certificates.