What is Let’s Encrypt? What should we make of it?

A new Certificate Authority, Let’s Encrypt, is here and will soon begin offering free DV SSL Certificates.

Let’s Encrypt is a new non-profit Certificate Authority (CA) sponsored and founded by industry advocates such as the Electronic Frontier Foundation (EFF), Mozilla, and the Internet Security Research Group (ISRG). Let’s Encrypt will be launching very soon and will be offering free SSL certificates.

Of course, we are strong supporters of universal encryption and hope that Let’s Encrypt will lower barriers for websites that can’t afford existing SSL options. However, we do not think Let’s Encrypt should be a viable option for commercial use of any kind; you should continue to buy from established Certificate Authorities (CAs) such as Symantec, Comodo, GeoTrust, RapidSSL and Thawte, especially since basic encryption/Domain Validated (DV) certificates are available at extremely low and affordable rates and still carry a strong brand name recognized by most web users. Also, Let’s Encrypt will not be able to provide a few major types of SSL certificate solutions, like Extended Validation (EV) or multi-domain certificates, and we definitely don’t think that a free certificate solves a user’s most pressing problem when browsing the web: authentication.

Let’s Encrypt Will Have Major Limitations

Unfortunately, Let’s Encrypt will have some very notable limitations due to their limited funding and infrastructure. Because they will be offering only free certificates, they will be able to provide only automated, basic encryption/Domain Validated (DV) SSL certificates, with no other frills that typically come with SSL certificates.

These limited certificates only confirm the ownership of your domain, and don’t involve any vetting of your business information (which typically takes a validation expert’s time and effort to manually verify) or any additional features found in basic certificates, like a site seal or a warranty. In general, businesses that want to offer their potential customers an additional layer of safety & security, such as activating all SSL indicators in the browser or promoting authentication, should opt for OV or EV certificates from trusted third-party security companies/commercial CAs such as Symantec and Comodo.

EV certificates (like the one we use on our website) are the only kind that activate the Green Address Bar, the most prominent SSL indicator in the world, which proudly displays your business name and location next to your URL in web browsers in green. Green means go in all languages and for all ages!

Many of the largest companies in the world use EV SSL certificates because they are better equipped to communicate trust and security to general website visitors. Twitter, Apple, and PayPal, for example, all use EV SSL to ensure users have absolutely no doubt they are on the official and intended website. Banks almost exclusively use EV SSL because EV certificates are less vulnerable to unauthorized issuance and phishing attacks. The green bar cannot be duplicated by a hacker at all.

Also, Let’s Encrypt won’t have support for Wildcard SSL certificates at launch. Wildcard certificates allow you to protect subdomains of your choice, indicated by the use of an “*” (giving you the option to extend SSL security to the location of the asterisk, such as “*.domain.com” or “*.employeeportal.domain.com”). These certificates are incredibly versatile and an efficient option for management reasons. For some websites, they can actually be the only option if they need to have immediate SSL security on new subdomains.
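
The wildcard coverage described above can be checked against a list of hostnames. The following is an added example, not code from the original article: a sketch of the single-label matching rule browsers apply to wildcard names (RFC 6125), where the "*" stands for exactly one label in the leftmost position. The function names and the hostname inventory are constructed for illustration.

```python
def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname.

    '*' is honoured only as the entire leftmost label and stands for
    exactly one label, so '*.domain.com' covers 'shop.domain.com' but
    neither 'domain.com' nor 'a.b.domain.com'.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # Label counts must agree; empty hostname labels are never valid.
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        fixed = p_labels[1:]
        # Simplification (assumption): require two fixed labels so '*.com'
        # is refused; real clients consult the public suffix list instead.
        return len(fixed) >= 2 and "*" not in ".".join(fixed) and fixed == h_labels[1:]
    if "*" in pattern:
        return False  # partial or non-leftmost wildcards are not honoured here
    return p_labels == h_labels


def uncovered(cert_names, hostnames):
    """Return the hostnames that no name in the certificate covers."""
    return [h for h in hostnames
            if not any(name_matches(n, h) for n in cert_names)]


# Constructed inventory, using the article's example domains.
INVENTORY = [
    "domain.com",
    "www.domain.com",
    "shop.domain.com",
    "employeeportal.domain.com",
    "hr.employeeportal.domain.com",
]

if __name__ == "__main__":
    print(uncovered(["*.domain.com"], INVENTORY))
    print(uncovered(["*.domain.com", "*.employeeportal.domain.com"], INVENTORY))
```

A single "*.domain.com" certificate leaves the bare domain and any second-level subdomain uncovered, which is why the article lists "*.employeeportal.domain.com" as a separate wildcard name.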

We believe these are major limitations which will exclude a notable number of users and use-cases from even trying out the certificate.

Years of Experience Taught us That Users Need More than a Free Certificate

We have worked with hundreds of thousands of customers and if our experience has taught us anything, it’s that SSL can be confusing, and many people need help. Knowing what type of certificate you need and how you will get it successfully working on your network are the most common and most serious questions our customers and partners have. Anyone who works with SSL knows it’s about much more than just making a purchase. These complex security solutions need hand-holding and are therefore not the type of product that can just be sold and never spoken of again. People need help with validation, installation, site seals, Always on SSL implementation, random industry updates & compliance, etc., even if it is just with a basic DV certificate.

Every customer of ours gets 24 x 7 access to our customer support to help with any part of the SSL process. For example, when the Heartbleed bug was discovered, our team of SSL experts was answering questions non-stop from website owners and administrators worried about what to do next. When the industry announced the SHA-2 migration, we had thousands of calls from confused users who did not know if they would be affected.

Due to the nature of Let’s Encrypt, they won’t have staff on hand to help you get your first SSL certificate installed, or have a 24 x 7 hotline the next time a critical bug is discovered. Community support will be available, but we don’t think this will be the best option for professionals and business owners who need to quickly get their site configured and working, and move on to the job they really care about, which involves making money. If an issue of the magnitude of Heartbleed occurred, your business was relying on a free certificate issued by Let’s Encrypt, and you needed help navigating the process to resolve the issue, you might be in some serious trouble, all in an attempt to save $20-$50 at the onset. It’s just not worth the risk.

We have found that what our customers need most isn’t a free certificate, but help and guidance on how to ensure their SSL configuration is working properly and is adequately secure. Most businesses view time as the most precious commodity, so they are more than willing to pay for a security product that is backed with 24/7 support and quick solutions, rather than simply getting a free product that requires countless hours of manual intervention. Web security is nothing to cut corners on in this day and age; it needs to be left to industry experts and security companies with specialized & optimized security protocols, processes & procedures.

We also strongly believe in the reputation of the existing CAs. Numerous studies have shown that globally recognized CAs like Symantec, Comodo, GeoTrust, and Thawte reassure millions of people using the web every day. Case studies have shown that using a “Site Seal” (an interactive badge showing your website’s use of SSL and choice of CA) from a trusted CA can improve customer trust and conversion rates, especially the Norton® Secure Seal, which comes with all Symantec branded certificates and is the most-recognized trust mark on the web.

Let’s Encrypt’s one-size-fits-all approach isn’t perfect. A personal blog has different needs than a corporate homepage. At The SSL Store™, we believe there is a perfect solution for everyone: personal attention and attentive support behind globally recognized brands.

As SSL encryption becomes more prevalent, websites and online businesses looking to stand out will need to do more. We hope that the green padlock, an indicator that SSL is being used on a website, will become ubiquitous across the web.

Those looking to differentiate themselves should look to do more and get an EV certificate, which activates the more prominent Green Address Bar, proudly displaying your company’s legally registered name and country. The rigors of the EV process don’t just get you a fancy display in your browser; they also make replicating your certificate much harder (might a hacker be more likely to target a site with, let’s say, a free basic certificate?), which can keep your website and reputation safer.

Whether you have never used SSL before, or are an existing customer with us, please give us a call to learn more about how you can use SSL to not just encrypt and secure your website’s communications, but also improve your brand’s reputation and increase customer loyalty.
