Is SSL Mandatory for Contact Forms? A US Initiative Creates More Legal Certainty

Johannes Benz Last updated 21.01.2020

The non-profit Let's Encrypt initiative from San Francisco has been offering free SSL certificates since May of this year. According to its own information, the goal is to democratize the Internet and make it more secure. In doing so, the Americans also provide more legal certainty in Germany, for example on the question of whether SSL is mandatory for a contact form.

HTTPS is set to become the new standard on the web, at least if the US-American Internet Security Research Group has its way. With the Let's Encrypt project, the group wants to provide every website operator worldwide with a free SSL certificate, regardless of their origin or ability to pay.

European website operators in particular can profit from this noble idea. Thanks to sponsors such as Facebook, Mozilla or Linux, the Let's Encrypt certificates enjoy a high level of trustworthiness. And the free SSL is technically no different from the paid version.

This means that operators of smaller blogs or company websites can also enjoy the advantages of HTTPS: more speed thanks to HTTP/2, more data security and, above all, more legal certainty. Or rather, less legal uncertainty, because until now, bloggers and operators of smaller sites in particular had to deal with the question of whether SSL is mandatory for a contact form, for example, and whether they might be threatened with a warning.

Is SSL encryption mandatory?

It has been mandatory to secure sensitive data in Germany for years, at least in theory. According to §13 of the Telemedia Act:

"Service providers [...], insofar as this is technically possible and economically reasonable, shall, within the scope of their respective responsibility for telemedia offered on a business-like basis, ensure by means of technical and organisational precautions that [...] the technical facilities used [...] are secured against a breach of the protection of personal data [...]"
- Telemedia Act §13

The unclear wording in particular has caused a lot of uncertainty among German site operators: Is one's own blog business-like? At what point can it be classified as such? What is technically possible? What is economically reasonable? These and other questions have been discussed in great detail, without a clear result.

However, the tenor seems to be: SSL encryption is not mandatory, only that the data be secured. This does not have to be done via an SSL certificate. Encryption of the communication between the browser and the web server is, however, a very good way of protecting the sensitive data of site visitors.
In addition to the unclear legal formulations, there is also a lack of precedents.

The danger of a warning notice should be quite low

This also has to do with problems on the part of the authorities: the supervisory authorities usually simply do not have the resources to systematically scan all websites in their area of responsibility for violations. The risk of actually being warned should therefore be quite low. But you cannot be sure about this.

As a website operator, you can now protect yourself against all these imponderables and legal grey areas effectively and, above all, simply. The free SSL certificates from Let's Encrypt have put the European hosting landscape under pressure, and so hosting companies have created several ways to get free SSL certificates.

Theoretically, anyone can get a free SSL certificate today

At least the customers of the large and specialised German providers no longer have to pay for simple SSL certificates, because the providers have reacted to the free SSL from America with at least three different approaches:

  • Full integration of Let's Encrypt: A few hosts have completely integrated the certificates from San Francisco into their offer. At RAIDBOXES, for example, you can set up SSL with just one click.
  • Partial integration of Let's Encrypt: Other hosting companies have taken Let's Encrypt into account and allow installation. In some cases, the Let's Encrypt option depends on the tariff. However, the free SSL was not integrated into the hosting user interface here. Users must take action themselves and set up their free SSL certificate with the help of the software called Certbot.
  • Bypassing Let's Encrypt: The big hosts in particular, like 1und1 or Mittwald, have decided completely against integrating Let's Encrypt certificates. Instead, they offer free SSL certificates from their cooperation partners.

Conclusion: Less concern about legal uncertainty for European site operators

Whether you run a blog, a business website or a shop: thanks to the current movements in the hosting market, free certificates are already available to many users today. With these, you can very easily eliminate legal uncertainties around the Telemedia Act and the obligations for website operators. Because regardless of whether the certificate is free or chargeable: sensitive data is reliably encrypted and thus protected against third-party access.
