Let's Encrypt background info
Introduced in 2016, Let's Encrypt is a free, open certificate authority (CA) that provides website owners with digital certificates for enabling HTTPS (SSL/TLS).
It was launched by the Internet Security Research Group (ISRG), a public-benefit organization sponsored by the Mozilla Foundation, the Electronic Frontier Foundation (EFF) and Cisco Systems, with the aim of making HTTPS encryption both affordable and user-friendly.
Their main goal is to create a more secure, privacy-driven web.
Let's Encrypt certificates are:
- free-of-cost: each domain name owner can obtain a trusted certificate at absolutely no cost;
- automatic: the certificate setup and renewal procedures are fully automated; no human intervention is needed;
- simple-to-use: there are neither payments to make, nor validation emails to respond to;
- secure: Let's Encrypt serves as a platform for implementing the latest security practices;
- fully transparent: all issued certificates are publicly available for anyone to view;
- open: the issuance and renewal protocol is published as an open standard that can be adopted;
- 'self-regulated': this is a joint community effort, beyond the control of any organization.
What is the difference between regular commercial and Let's Encrypt SSLs?
Let's Encrypt offers you a free and automated way of obtaining SSL certificates for websites.
Just like regular SSL certificates, Let's Encrypt certificates offer basic SSL encryption, i.e. they give site visitors an assurance that they are exchanging information with the domain that is visible in the address bar and that their personal data (login details, credit card information, etc.) cannot be eavesdropped on.
If a site is using a Let's Encrypt SSL, you will see https:// at the beginning of the URL in your browser's address bar, along with a green padlock. These certificates are also already trusted by all major browsers. They offer secure communication most site visitors will feel comfortable with. So now you may ask yourself, "Why would I ever go with a regular commercial SSL certificate?"
As a business entity, you may want to have a certain security guarantee against online abuses, and this is where commercial SSLs are needed.
Here are more differences between a Let's Encrypt certificate and a regular commercial SSL certificate:
- Warranty: Let's Encrypt certificates do not include a warranty against misuse or mis-issuance, whereas regular SSLs do. While this may not be a problem for smaller websites, for larger organizations it most probably will be.
- Wildcard Certificates: Let's Encrypt does not currently offer wildcard or multi-domain certificates, whereas traditional CAs usually do. This, however, may change soon. Let's Encrypt has announced they will start issuing Wildcard SSL certificates from January 2018.
- Validity Period: Let's Encrypt certificates are only valid for 90 days and must be renewed before they expire. Most regular SSL certificates are valid for at least one year, and website owners can also choose longer validity periods (2 or 3 years).
- Support: Let's Encrypt does not offer assistance with requesting SSL certificates. Only community help is available. This can be an issue for organizations that need to quickly equip their business sites with an SSL.
The final verdict...
Both Let's Encrypt and commercial SSLs will do the encryption job that is expected of them in order to protect your sites against interception and eavesdropping.
Your choice will solely be determined by the type of site you manage, which in turn defines your security requirements:
- If you own a simple personal site, a blog or a photo gallery, or just need a quickly configurable, simple and free SSL certificate that you can obtain with minimum effort, then Let's Encrypt is the way to go.
- If you operate an online store or a business website, then you will need to invest in a paid, warranty-backed SSL certificate issued by an established CA.
Due to Google's recently voiced intent to give HTTPS sites higher search rankings and the subsequent rise of authorized SSL resellers, the prices for commercial SSLs have been going down steadily. Today, every business/e-commerce website owner can obtain an affordable warranty-backed commercial SSL certificate from a reputable CA. So if you run a business off your website, regular commercial SSL certificates are the way to go.