The launch of Let's Encrypt in May 2016 attracted a lot of attention in the trade press. This is because the Americans are offering something for free that all website operators previously had to pay good money for: SSL certificates. The benefits and value of free SSL certificates cannot be overstated.
Let's Encrypt not only enables all website operators worldwide to encrypt their services, but also makes the web a safer, faster and fairer place. In this dossier, we explain clearly what Let's Encrypt is, how it works and how you can get your next SSL certificate for free.
After six months on the market, Let's Encrypt has already issued more than 14 million free certificates. This may seem like a lot at first glance, but compared to the industry giants it is still quite low. Let's Encrypt has a market share of just 0.02 percent.
And yet the mere existence of free SSL certificates has already had a noticeable effect on the German hosting market. Many hosters and SSL authorities already offer site operators an SSL certificate free of charge. This was not the case until recently. Admittedly: Let's Encrypt can't do everything, but it offers everything that site operators need for the vast majority of blogs, stores and company websites.
But in addition to encrypting your own site and providing a speed advantage, Let's Encrypt also performs another important service: the free SSL makes your site future-proof. Because unencrypted websites will face hard times from 2017. Google has been planning something since 2014 that could cost many website operators a lot of trust and visitors. From 2017, sites without HTTPS will be marked as insecure in Google's own browser. Mozilla, the foundation behind the popular Firefox browser, also has plans to systematically penalize insecure - i.e. HTTP - websites.
But with just a few clicks, you can dispel these concerns thanks to free SSL. You can make your site more secure with a certificate, reduce legal uncertainty and even give it a performance boost. We explain the most important answers and background information in this dossier.
Part 1 - The basics: The fairy tale of the premium certificate
Free does not mean that the certificates from Let's Encrypt are less secure. The free certificates do differ from paid certificates in some respects, but not in terms of security. It is therefore all the more important to understand why Let's Encrypt actually provides everyone with an SSL certificate free of charge and how the system behind it works.
Let's Encrypt is a certification authority for SSL certificates - a Certificate Authority (CA) - which officially began operations in May 2015. The initiative has created an automated process through which SSL certificates are issued. Because of this almost complete automation, the project requires very few employees and can offer the certificates free of charge. The costs incurred for employees and infrastructure are covered by donations and sponsorship.
Regardless of whether the certificate is free or fee-based: it always fulfills the same task. It shows the user that they are on the "right" website and that the data traffic between the browser and web server is encrypted.
Let's Encrypt is free, among other things, because "HTTPS everywhere" is an idea of the industry giants
But the most pressing question first: Is Let's Encrypt really free? Or rather: What's the catch? To make a long story short: Yes, neither the certificates nor the required programs cost money. And: there is no catch. However, this question is often not based on purely economic motives, but above all on the further question of why Let's Encrypt is free of charge. So why should a product that other organizations have previously paid for suddenly be offered free of charge?
"We provide certificates free of charge, because cost excludes people. Our certificates are available in every country in the world, because the secure Web is for everyone." - Let's Encrypt
Let's Encrypt has relatively low personnel costs, as almost all processes are automated. In addition, some of the manual work is carried out by employees of other non-profit organizations - for example, maintaining the small program used to obtain and install the certificates, the so-called Certbot.
This eliminates a major financial burden. The required hardware is also largely covered by the cooperation with the Linux Foundation. All other costs are covered by sponsorship and donations. Official sponsorship is estimated at up to 350,000 dollars per year.
In addition to industry giants such as Mozilla, Cisco, Chrome and Facebook, companies from the WordPress sector, such as Automattic, are also among the supporters of the Let's Encrypt project. The company of WordPress co-founder Matt Mullenweg has made a name for itself primarily through its standard integration of Let's Encrypt certificates on WordPress.com.
"HTTPS Everywhere: Encryption for All Sites" https://t.co/eRvNKWrZcZ https://t.co/QLVPvZgmqh pic.twitter.com/drJ7ZddPW8
- WordPress.com (@wordpressdotcom) April 8, 2016
The motivation, which all sponsors of the project like to mention prominently, is the desire to create equality on the web. After all, it can be assumed that HTTPS will become an even more important ranking criterion in the future. And if certain websites either cannot afford the certificates or do not have access to them, this will exclude certain sites - and therefore certain people and their WordPress projects - from participating on the internet.
Some sponsors will also soon introduce technologies that mark unencrypted pages and thus increase the pressure on operators to obtain certificates. In July 2018, for example, Google implemented the marking of all HTTP pages in the Chrome browser as "not secure".
A certification authority that issues an SSL certificate free of charge to every website operator therefore fits in perfectly with the plans of Let's Encrypt's biggest sponsors. Such providers, who propagate "HTTPS everywhere", are therefore also significantly involved in the establishment of a free SSL infrastructure.
Let's Encrypt is no longer a small NGO
Let's Encrypt itself is merely the certification authority, i.e. the authority that issues the certificates. However, the overall organizational construct is much larger. The parent organization of Let's Encrypt is the Internet Security Research Group (ISRG) based in San Francisco. The board of this non-profit organization includes scientists, company representatives and representatives of foundations and other non-profit organizations.
At least two other organizations are also important in connection with Let's Encrypt. One is the Electronic Frontier Foundation (EFF), which has been supporting Certbot, the certification software for creating Let's Encrypt certificates, since May 2016. Secondly, the Linux Foundation, which provides the technical infrastructure for Let's Encrypt via its Collaborative Projects program. In total, several teams from non-profit organizations support Let's Encrypt and the corresponding infrastructure.
In September 2016, the organization published a detailed cost breakdown for 2017, which shows that around $200,000 in employer costs are factored in per employee. Let's Encrypt staff are therefore quite well remunerated. In the USA, however, such salary levels are apparently necessary due to competition from industry giants.
SSL is SSL is SSL - There are no premium certificates when it comes to security
The free certificates from US providers are no less secure than those from German providers that charge a fee. The result is therefore always the same: the website operator can encrypt the data traffic between the server and client (i.e. the browser) and thus prevent personal data such as address, telephone number and, above all, bank details from being intercepted.
As a German website operator, you are obliged to secure your website against the tapping of personal data as soon as you collect it. This means that, in theory, even a contact form is one of the relevant cases.
Of course, this applies all the more if you are requesting bank details or other confidential customer data. If you want to use payment systems such as PayPal, an SSL certificate is also a basic requirement. Without HTTPS, you are not only blocked from entering the world of e-commerce, you are also at risk of receiving a formal legal warning (Abmahnung).
The principle of SSL encryption is the same for all certificates: with the SSL certificate, the certification authority issues a kind of guarantee to the website visitor. In the case of domain validation, this means that the certificate confirms that the server you are talking to is the one that holds the certificate (and the matching private key) for the domain you requested.
For example, if you visit https://raidboxes.de, the green lock in the address bar indicates that the server on which the page is located is also the server of the domain owner. So you know that you are surfing on the right page.
In addition, there are also so-called Organization Validated and Extended Validation certificates. These indicate that the page really belongs to the organization whose website you want to visit. This is particularly relevant for banks or payment providers such as PayPal or Stripe.
If you call up a page that is encrypted with one of the free Let's Encrypt certificates, the following happens:
A certification authority (CA) issues certificates and signs them, i.e. confirms their authenticity. In this process, certificates are stored on the web server. If a customer now visits a website on this web server, this website can identify itself as the owner of the certificate.
The browser then checks the certificate stored on the page against the "certificate tree" stored with it (see illustration below). The so-called root certificate is at the top of the tree. All other certificates and ultimately also the free certificates from Let's Encrypt are based on this. If the root certificate and all other upstream certificates are valid, an encrypted connection is established. The certification authorities are therefore the linchpin of domain validation. And trust is the be-all and end-all for these authorities.
The certificates in turn serve to authenticate the communication partners - i.e. the web server and the browser - and to initiate the actual encryption mechanism. They ensure that the web server and browser receive the correct public and private keys in order to initiate protected communication.
First, the server authenticates itself to the client as the certificate holder. Asymmetric encryption is then set up and the corresponding keys are exchanged. These then enable symmetric encryption. From this point onwards, all communication between client and server is encrypted.
The keys are renewed regularly throughout the entire communication. This means that the data stream remains protected against interception and modification even if an attacker succeeds in hacking it once. The strength of this encryption then depends on the web server configurations of the hoster and not on the certificate.
The central element of SSL certificates is the Chain of Trust
The Chain of Trust is the basic principle behind all classic SSL certificates. An organization guarantees that a specific certificate of origin (root certificate) is trustworthy. This means that the statements contained in the certificate - such as "Page X belongs to domain Y" or "Domain Y belongs to provider Z" - are correct. As long as this original certification authority is trusted, the system works.
The certificates of all SSL providers are generally based on such root certificates. In this way, the providers achieve trustworthiness and can in turn fulfill their task of signing certificates. Smaller providers therefore rely on the trustworthiness of larger providers. Or vice versa: larger providers pass on their trustworthiness to the smaller ones. This is how they create the chain of trust:
However, if the root certificate is compromised, the chain breaks and the certificates below it theoretically become worthless. This applies to all SSL certificates, regardless of whether they are free or fee-based.
The limited validation is the main disadvantage of Let's Encrypt certificates
SSL certificates work by guaranteeing that the website you are visiting belongs to a specific counterpart. As a rule, this is the domain, i.e. the address of the website. In such a case, the certificate ensures that the accessed page really belongs to the accessed domain. This is the lowest validation level.
There is also an organizational validation and extended validations. The latter ensure that the page you are visiting really belongs to the company you suspect is behind the page. This is essential for banks and payment providers.
Let's Encrypt certificates only offer domain validation. Extended validations are not yet possible and will probably not be introduced in the future. This is because the authentication process for organizations and companies is complex and requires human labor. However, Let's Encrypt can only offer its certificates free of charge because all processes are automated as far as possible. In other words, they do not require human labor.
Multiple domains can be validated with Let's Encrypt certificates
For a few weeks now, the free SSL certificates have made it possible to combine several domains under one certificate. This means that the free certificates can also be used for more complex site structures with several top-level domains and subdomains.
Conclusion: Nobody has to pay for SSL certificates these days
The free SSL certificates from Let's Encrypt are just as secure and perform just as well as paid certificates. The US company has put pressure on German hosting providers in particular. As a result, nobody has to pay for SSL anymore. The key finding of Let's Encrypt is that free HTTPS is possible and important for the Internet as a whole. And, incidentally, small and medium-sized website operators in particular benefit from this. This is because they save costs on the one hand and create legal certainty for their offerings on the other.
In the second part of this dossier, we show how Let's Encrypt stands today and how future-proof the certificates are. We have often heard the question of what would actually happen to your own site if Let's Encrypt were to fail. In part 3 of this dossier, we show you the specific advantages Let's Encrypt offers in terms of performance and security, what you need to look out for and how to set up such a certificate.
Part 2 - Let's Encrypt has huge potential, especially for small and medium-sized websites
We hear the question again and again: "What happens if Let's Encrypt fails?" With more than 100 million certificates now issued, Let's Encrypt has already reached an important milestone. In a market comparison of certification authorities worldwide, Let's Encrypt has already risen to 10th place.
Since Let's Encrypt was officially launched in May 2016, the milestones have been coming thick and fast: Two million, five million, 14 million, then recently 100 million free SSL certificates. However, this figure does not mean that these 100 million issued certificates are actually active. Rather, you have to approach the actual figure from several angles and question it: What is actually behind it?
Not all of the 100 million certificates issued are valid
The figure 100,000,000 initially says very little. This is because it contains garbage data: certificate renewals, multiple certifications and expired certificates are also counted. If you also know that the renewal cycle for Let's Encrypt certificates is 90 days, the figure is quickly put into perspective.
The number of currently valid certificates is more informative: Let's Encrypt currently has around 53 million valid certificates. This does not mean that there are actually that many sites that are encrypted with Let's Encrypt. But the figure does provide a first approximation.
Let's Encrypt currently in 10th place worldwide
Another good source for correctly assessing Let's Encrypt is the data from w3techs.com. Based on the top 10 million websites published by Alexa, the service determines the shares of certain Internet technologies. The relevant websites are searched specifically for certain technologies. If a hit is obtained, this is included in the count. You can find out more about the sample used here.
According to w3techs, Let's Encrypt is currently still a dwarf in the ranks of certification authorities with just over 0.2% market share and 0.1% usage among the top websites. Nevertheless, Let's Encrypt has now made it to 10th place, which is not to be sneezed at given the competition from heavyweights in the market such as IdenTrust (45.1% market share), Comodo (31.5%), DigiCert (11.1%) and GoDaddy (6.9%) in the top ranks.
In this context, it should be mentioned that the certification authority IdenTrust supplies the root certificates for Let's Encrypt. The fact that it occupies 1st place is therefore a good sign. If the source of the root certificates enjoys a high level of trustworthiness, then the services based on these root certificates also tend to be well positioned.
Let's Encrypt certificates are currently used more by small and medium-sized sites
As extended validations are currently not available with Let's Encrypt, it is mainly smaller sites that use the free certificates, which can easily do without extended validation. The w3techs data clearly shows that Let's Encrypt is currently mainly used by sites with low to medium traffic. The biggest players on the market, on the other hand, tend to serve sites with average traffic. It can be assumed that these sites are primarily commercial offerings that are dependent on extended validation or cannot easily switch to the free SSL certificates due to their complex structure.
Conclusion: Let's Encrypt has great potential, as almost 17% of sites are still unencrypted
Looking to the future, the sites with SSL certificates are less interesting than those without. According to w3techs, this is 16.9 percent. Although the reasons for the lack of an SSL certificate are not broken down for these sites, the costs in combination with the technical hurdles are likely to be the main obstacles for a good percentage of them.
Both the cost hurdle and the problems with setup are now largely eliminated by Let's Encrypt. And if the hosting providers integrate the certificates into their services accordingly, it will be even easier. This is because 1-click solutions are usually the result. The more the Californian initiative becomes known, the smaller the number of sites that do not have an SSL certificate is likely to become.
So far, it seems that Let's Encrypt has not yet made the transition to exponential growth. This could change in 2018 when Chrome starts to mark websites without HTTPS. The behavior of other browser manufacturers in this matter will also have an influence on further developments. However, the development that Let's Encrypt has initiated is to be welcomed in any case, both for website operators and hosting providers.
The providers also determine how easy or complicated it is to set up free SSL. In the last part of this dossier, we show you the advantages of free SSL certificates from Let's Encrypt and how you can get one.
Part 3 - Added value of SSL certificates and setting up Let's Encrypt
Of course, the security aspect is the most important advantage of HTTPS. But on the right infrastructure, encryption even offers a performance advantage. You can usually order your free SSL certificate via your hoster. Alternatively, you can set it up yourself.
An SSL certificate switches your website from unencrypted HTTP to secure HTTPS. The data exchanged between the browser and the web server is encrypted. An SSL certificate therefore has three main advantages: (1) Encryption of personal data. (2) Legal security for the website operator. (3) Shorter loading time thanks to HTTP/2.
Encryption of communication between browser and web server
The main benefit of an SSL certificate is that communication between the web server and browser is encrypted. The authentication process precedes the encryption and ensures that the certificates also fulfill a second benefit, namely the identification of the certificate holder.
Both create trust with the user. This is because they not only know that they are on the right website, but also that no one can simply read the data they enter on the site. For example, address information or bank details.
This added trust can be beneficial for your own online business. In most cases, however, an SSL certificate is mandatory anyway.
If personal data is requested, it must be protected
Irrespective of the General Data Protection Regulation (GDPR), which came into force on May 25, 2018, securing sensitive data has been mandatory in Germany for years. At least in theory. Because according to §13 of the Telemedia Act:
Service providers "[...] insofar as this is technically possible and economically reasonable, to ensure, within the scope of their respective responsibility for telemedia offered for business purposes, by technical and organizational precautions that [...] the technical facilities used [...] are secured against breaches of the protection of personal data [...]"
The unclear wording in particular has caused a great deal of uncertainty among German website operators: Is one's blog business-like? When can it be classified as such? What is technically possible? What is economically reasonable? These and other questions have been discussed at great length in some cases. Without a clear result.
However, the tenor seems to be: SSL encryption is not mandatory. But securing the data is. This does not have to be done via an SSL certificate. However, encrypting communication between the browser and the web server is a very good and relatively simple way of protecting the sensitive data of website visitors.
For website operators, this means that an SSL certificate very quickly removes a great deal of legal uncertainty and massively reduces the risk of warnings. It makes no difference whether the certificate is free or fee-based. What matters is the encryption itself.
HTTPS a performance killer? A misconception - if the hoster has taken appropriate precautions
Time and again, website operators express concerns as to whether page load times will suffer as a result of encryption. These concerns are unfounded. Not only is the authentication process not particularly performance-hungry, SSL can even make your own site faster. At least if the so-called HTTP/2 standard is set up on the web server.
Thanks to the parallel loading of data packets and optimized communication between the browser and server - known as server push - this ensures that the page loads faster.
Your hosting provider's support can provide information on whether HTTP/2 is active.
Depending on the hoster, setting up a free SSL certificate is either simple or more complex
In principle, any user who has the appropriate access rights to the server can set up Let's Encrypt relatively easily themselves. In the vast majority of cases, however, this is not even necessary. This is because many hosting providers have now integrated convenient solutions into their offerings.
A basic distinction can be made between three groups: (1) Providers that allow Let's Encrypt, but where you have to set it up yourself. (2) Providers that do not allow Let's Encrypt themselves but still offer free certificates. (3) Providers that have integrated Let's Encrypt into their user interface.
The second group includes some large German hosters. Although they have not integrated Let's Encrypt, they have followed suit since the initiative was launched and now offer free SSL from their cooperation partners. The certificates are usually included in the tariffs. However, how exactly you activate them can vary from provider to provider.
Ideally, the providers have integrated free SSL into their user interfaces and the installation is conveniently carried out automatically. A few providers have done this with the Let's Encrypt certificates. The function can then look like ours, for example:
SSL can then be activated and, if necessary, deactivated again with a simple click. With some providers, SSL is also simply activated automatically.
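If you belong to the first group and set up Let's Encrypt yourself, the one thing the hoster's 1-click solution would otherwise do for you is keep the 90-day certificates renewed. The script below is an added example, not code from the article or from the Let's Encrypt project: it shows the check a self-managed setup needs, using the openssl command-line tool (assumed to be on PATH) to ask whether a certificate file expires within a chosen window. The certificate paths and the 30-day default threshold are made-up values; the two demo certificates are generated locally instead of using real Let's Encrypt ones.

```shell
#!/bin/sh
# Added example (not from the article): decide whether a Let's Encrypt-style
# 90-day certificate is due for renewal. Assumes openssl on PATH; the file names
# and the 30-day threshold below are constructed defaults for the demo.
set -eu

# Return 0 if the certificate in $1 expires within $2 days, 1 if it stays valid longer.
# "openssl x509 -checkend N" exits 0 when the certificate is still valid N seconds
# from now and non-zero when it will have expired, so the result is inverted here.
expires_within() {  # $1 = PEM file, $2 = days
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Map one certificate to an action: "renew" or "ok". Default window is 30 days,
# which is the margin Certbot also uses for the 90-day certificates.
renewal_action() {  # $1 = PEM file, $2 = threshold in days (optional, default 30)
    if expires_within "$1" "${2:-30}"; then
        echo renew
    else
        echo ok
    fi
}

# Constructed demo certificates instead of real ones: one with the full 90 days
# ahead of it, one with only 10 days left.
WORK="$(mktemp -d)"
openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=fresh.example" \
    -keyout "$WORK/fresh.key" -out "$WORK/fresh.pem" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 10 -subj "/CN=old.example" \
    -keyout "$WORK/old.key" -out "$WORK/old.pem" 2>/dev/null

for cert in "$WORK/fresh.pem" "$WORK/old.pem"; do
    echo "$cert: $(renewal_action "$cert")"
done

# On a real server the "renew" case would be followed by the client's renewal
# command (for Certbot: "certbot renew"), usually run from a daily cron job or
# systemd timer so that a certificate never reaches its expiry date unnoticed.
```

The inversion inside expires_within is the detail that bites in practice: openssl reports success when the certificate is still fine, so a monitoring script that forgets to flip the exit status will happily report "ok" right up to the moment the site starts showing certificate errors.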
Conclusion: SSL has many advantages and is actually available everywhere for free
In principle, an SSL certificate is available to every website operator free of charge in one way or another. In the vast majority of cases, the setup is also limited to one or a few clicks. We can therefore only advise you to look at your own hosting offer promptly and make your own site future-proof as quickly as possible. In addition to Google, Mozilla has also announced that it will penalize unencrypted sites accordingly. However, with a little preparation, no site operator needs to worry.