Let's Encrypt has been available as a full release since May 2016 and gives every website operator the opportunity to set up SSL free of charge. But what is the difference between a free SSL certificate and a paid one? Technically speaking, there is none; organizationally, there is quite a lot.
The most important answer right at the start: no, a free SSL certificate is no less secure than a paid one. So what is the main difference? Free SSL certificates have to be financed somehow, and here too there is a quick answer: through sponsoring. Let's Encrypt shows how this works.
The mission of the Let's Encrypt initiative can be summarized as follows: Encrypted communication should be a basic right on the internet. Until 2016, users usually had to pay to encrypt communication between the web server and browser. Free access to the certificates was therefore not guaranteed.
Since last year, however, there has been a new certification authority, Let's Encrypt, that issues a free SSL certificate to every user and thus makes encryption available to every website owner worldwide. This changes a lot: with free certificates, the demand for HTTPS as the new standard on the web is within reach.
For store operators and companies, the lock in the address bar has always been an important indicator of trust, if only for legal reasons. But every website operator, whether blogger, freelancer or store operator, should rely on encryption, because it brings many advantages regardless of the cost of the certificate: the certificate types do not differ in the technical basis of the encryption.
In this article, I will therefore discuss the advantages and technical basics of SSL authentication and encryption.
An SSL certificate makes your site more secure and is good for Google
First of all, the security aspect is of course crucial in connection with SSL. On the one hand, a certificate confirms the authenticity of the server being accessed. On the other, the communication between the web server and the client, i.e. the browser, is encrypted. This protects the communication from eavesdropping and tampering and keeps personal data, such as address or bank details, out of reach of third parties.
An SSL certificate also plays a role in search engine optimization. Although it is not known how heavily Google weights SSL as a ranking criterion, it is established that HTTPS is a ranking signal. A good two years ago, Google announced that it would give encrypted pages preference in its search results and would gradually expand this practice.
It has also recently become clear that the Google Chrome browser will soon label unencrypted pages with a "Not secure" warning in the address bar, at least for pages that request passwords or credit card information without encryption. At the Google developer conference I/O in January 2016, developers from the security company CloudFlare presented a screenshot that gives a foretaste of what Google is planning.
Last but not least, Google also prefers HTTPS for crawling.
- Even thoroughly trustworthy sites such as t3n.de are marked as not secure in Google Chrome. In this case, however, the flag is not caused by an insecure site but by the configuration of my browser when I accessed the site.
An SSL certificate makes your website faster and more trustworthy
HTTPS means that the communication between the web server and the client is encrypted. That does not make SSL a performance killer, however. Quite the opposite: since the arrival of the HTTP/2 standard, which browsers only support over encrypted connections, encrypted pages load significantly faster than unencrypted ones, and the same applies to their mobile versions. So if you have so far avoided encryption for performance reasons: your worries are unfounded!
Finally, an SSL certificate always has a psychological effect on the visitors to your site. The lock symbol in the address bar and the reassurance of encryption have an effect on conversions. You might think that encryption is therefore mainly relevant for store systems, payment providers and the like. But since Let's Encrypt began offering free SSL certificates, bloggers and other internet professionals have also been able to enjoy the benefits of HTTPS, at no extra cost.
A free SSL certificate fulfills the same technical purpose as a paid certificate
When discussing the security-relevant properties of SSL, it is first important to distinguish between the certification authorities and the SSL certificates themselves.
A certification authority (CA) issues certificates and signs them, i.e. it vouches for their authenticity. The issued certificate is installed on the web server. When a visitor requests a website on that server, the site presents the certificate to identify itself as its owner.
The browser then checks the certificate presented by the site against the "certificate tree" it ships with (see illustration below). At the top of the tree sits the so-called root certificate; all other certificates, including the free ones from Let's Encrypt, derive from it. If the root certificate and all other certificates further up the chain are valid, an encrypted connection is established. The certification authorities are therefore the linchpin of domain validation, and trust is the be-all and end-all for these authorities.
- This is how the SSL authentication process basically works, regardless of whether it is a free SSL certificate or a paid counterpart.
The certificates in turn serve to authenticate the communication partners, i.e. the web server and the browser, and to initiate the actual encryption mechanism. They ensure that the web server and the browser hold the correct public and private keys for initiating protected communication.
First, the server authenticates itself to the client as the holder of the certificate. Asymmetric encryption is then set up and the corresponding keys are exchanged; these in turn enable symmetric encryption. From this point on, all communication between client and server is encrypted.
The keys are renewed regularly over the course of the communication. This means the data stream remains protected against interception and modification even if an attacker succeeds in compromising it once.
But how strong is the encryption actually? That depends entirely on the web server configuration of the respective hosting provider.
- This illustration shows the so-called chain of trust of the Let's Encrypt certificates. You can see that the Let's Encrypt certificates are based on root certificates from the IdenTrust certification authority.
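The chain of trust described above and shown in the Let's Encrypt illustration, as an added example that is not Raidboxes' or Let's Encrypt's own code: it builds a constructed root, intermediate and leaf certificate with the openssl command-line tool (assumed to be installed) and verifies the leaf the way a browser does, trusting only the root. The CA names and the host www.example.test are made up.

```shell
#!/bin/sh
# Added example, not Raidboxes' or Let's Encrypt's code. It builds a constructed
# three-level chain (root -> intermediate -> leaf) with openssl and verifies the
# leaf the way a browser does: only the root is trusted, the intermediate comes
# from the server's chain. All names and the host www.example.test are made up.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Extension profiles: a CA certificate and an ordinary server certificate.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\nextendedKeyUsage=serverAuth\n' > leaf.ext

# 1. Self-signed root CA: the trust anchor a browser ships with.
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj "/CN=Constructed Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -out root.crt -days 3650 -extfile ca.ext 2>/dev/null

# 2. Intermediate CA, signed by the root (the role Let's Encrypt's intermediate plays under IdenTrust).
openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr -subj "/CN=Constructed Intermediate CA" 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -out int.crt -days 1825 -extfile ca.ext 2>/dev/null

# 3. Leaf (server) certificate for the made-up host, signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr -subj "/CN=www.example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial -out leaf.crt -days 90 -extfile leaf.ext 2>/dev/null

# 4. An unrelated self-signed root, playing a trust store that does not contain our root.
openssl req -new -newkey rsa:2048 -nodes -keyout other.key -out other.csr -subj "/CN=Unrelated Root CA" 2>/dev/null
openssl x509 -req -in other.csr -signkey other.key -out other.crt -days 3650 -extfile ca.ext 2>/dev/null

# verify_leaf TRUSTED_ROOT [INTERMEDIATE]: prints "valid" or "invalid" for leaf.crt,
# trusting only TRUSTED_ROOT and using INTERMEDIATE (if given) as untrusted chain material.
verify_leaf() {
  if [ $# -gt 1 ]; then
    openssl verify -CAfile "$1" -untrusted "$2" leaf.crt >/dev/null 2>&1 && echo valid || echo invalid
  else
    openssl verify -CAfile "$1" leaf.crt >/dev/null 2>&1 && echo valid || echo invalid
  fi
}

echo "trusted root + intermediate supplied: $(verify_leaf root.crt int.crt)"   # valid
echo "unrelated root in trust store:        $(verify_leaf other.crt int.crt)"  # invalid
echo "intermediate missing from chain:      $(verify_leaf root.crt)"           # invalid
```

The second and third cases are the two failures a visitor sees in practice: a root the browser does not trust, and a server that forgets to send its intermediate certificate.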
Regardless of whether you have a free SSL certificate or not: trust is what counts
From a technical point of view, there is therefore no fundamental difference between paid and free SSL certificates. What differs massively, however, is the certification authority, and opinions differ on how much trust can be placed in the CA.
Behind a traditional certification authority is a company that is more or less economically successful. The most important asset of such a company is the trust of customers and the public in its certification services.
Let's Encrypt and its parent organization, the Internet Security Research Group, in contrast, are not profit-oriented but pursue a non-profit mission. At the same time, Let's Encrypt is backed by industry giants such as Chrome, Facebook, Mozilla and Linux.
The question of trust in the certification authority is therefore to some extent a matter of judgment: do I trust the company whose marketing aims to maximize the trust placed in it, or the non-profit certification body that relies on the reputation of the industry leaders backing it?
Conclusion: There are hardly any technical differences - but there are organizational ones
Regardless of whether it comes from Comodo, Thawte and Co. or from Let's Encrypt: SSL encryption brings your site many advantages and makes it more competitive overall. On a technical level the certificate types hardly differ: HTTPS is HTTPS. The strength of the encryption, on the other hand, depends primarily on the web server configuration.
If you have a free SSL certificate, you don't have to worry about disadvantages compared to paid certificates. This is because the most important security-relevant factor for domain-validated certificates is the certification authority, not the certificate itself. Which certification authority you trust is again a matter of judgment. Both the open source initiative promoted by industry giants and the profit-oriented company whose most important corporate asset is the trust of its customers have an interest in being seen as trustworthy as possible.
We, the Raidboxes team, have decided to trust the Let's Encrypt project, because it enables us to pass on the many advantages of SSL directly, and above all free of charge, to our customers.