The launch of Let's Encrypt in May 2016 attracted a lot of attention in the trade press. This is because the Americans offer something free of charge for which all website operators previously had to pay good money: SSL certificates. The benefit and value of free SSL certificates cannot be overestimated.
Let's Encrypt not only enables all site owners worldwide to encrypt their services, but also makes the web a safer, faster and fairer place. In this dossier we explain clearly what Let's Encrypt is, how it works and how you can get your next SSL certificate for free.
After half a year on the market, Let's Encrypt has already issued more than 14 million free certificates. At first glance, this seems like a lot, but compared to the industry giants, it is still quite little. Let's Encrypt has a market share of just 0.02 percent.
And yet the mere existence of free SSL certificates is already having a noticeable effect on the German hosting market. Many host and SSL authorities already offer site operators an SSL certificate for free today. This was not the case until recently. Admittedly: Let's Encrypt can't do everything, but it offers everything a site operator needs for the vast majority of blogs, shops and company sites.
But besides the encryption of your own site and a speed advantage, Let's Encrypt provides another important service: The free SSL makes your site future-proof. Because hard times are ahead for unencrypted sites as of 2017. Since 2014, Google has been planning something that could cost many site operators massive trust and visitors. sites without HTTPS will be marked as insecure in the in-house browser from 2017. Mozilla, the foundation behind the popular Firefox browser, also has plans to systematically disadvantage insecure - i.e. HTTP - websites.
But with just a few clicks, you can put those concerns to rest with free SSL. You can make your site more secure with a certificate, reduce legal uncertainty and even give it a performance boost. We clarify the most important answers and background information in this dossier.
Part 1 - The basics: The fairy tale of the premium certificate
Free does not mean that the certificates from Let's Encrypt are less secure. In fact, the free certificates are different from the paid ones. Nevertheless, there is no difference in terms of security. It is therefore all the more important to understand why Let's Encrypt actually provides everyone with a free SSL certificate and how the system behind it works.
Let's Encrypt is a certification authority for SSL certificates - also called Certification Authority (CA) - which started its official operation in May 2015. The initiative has created an automated process through which SSL certificates are issued. Because of this almost complete automation, the project gets by with very few employees and can also offer the certificates free of charge. The costs incurred for employees and infrastructure are covered by donations and sponsorships.
Regardless of whether the certificate is free or paid for, it always performs the same task. It shows the user that he is on the "right" website and that the data traffic between browser and web server is encrypted.
Let's Encrypt is free, among other things, because "HTTPS everywhere" is an idea of the industry giants
But the most pressing question first: Is Let's Encrypt really free? Or rather: What's the catch? To make a long story short: Yes, neither the certificates nor the required programs cost money. And: there is no catch. Often, however, there are not purely economic motives behind this question, but rather the further question of why Let's Encrypt is free of charge. So why should a product that other organizations have previously paid for suddenly be offered free of charge?
"We provide certificates free of charge, because cost excludes people. Our certificates are available in every country in the world, because the secure Web is for everyone." - Let's Encrypt
Let's Encrypt has relatively low personnel costs, as almost all processes are automated. In addition, some manual work is done by employees of other non-profit organizations - for example, maintaining the small program that issues the certificates, the so-called Certbot.
Thus, a large financial burden is eliminated. The required hardware is also largely covered by the cooperation with the Linux Foundation. All other costs are covered by sponsorships and donations. The official sponsorships are stated to be up to $350,000 per year.
In addition to industry giants such as Mozilla, Cisco, Chrome and Facebook, companies from the WordPress sector are also supporters of the Let's Encrypt project, such as Automattic. The company of WordPress co-founder Matt Mullenweg has distinguished itself primarily through its standard integration of Let's Encrypt certificates on WordPress .com stood out.
- — WordPress .com (@wordpressdotcom) 8. April 2016
The motivation, which all sponsors of the project like to mention prominently, is the desire to create equality on the web. Because one can assume that HTTPS will become an even more important ranking criterion in the future. And if certain websites either can't afford the certificates or don't have access to them, this will exclude certain sites - and thus certain people and their WordPress -projects - from participating on the Internet.
Some sponsors will also soon introduce technologies that mark unencrypted sites , increasing the pressure on operators to get certificates. For example, Google implemented in July 2018 that all HTTP-sites will be marked as "not secure" in the Chrome browser.
A certificate authority that issues an SSL certificate free of charge to every site operator thus fits perfectly into the plans of Let's Encrypt's biggest sponsors. Such providers who propagate "HTTPS everywhere" are therefore also significantly involved in the establishment of a free SSL infrastructure.
Let's Encrypt is no longer a small NGO
Let's Encrypt itself is merely the certification authority, i.e. the authority that issues the certificates. The overall organizational construct, however, is much larger. The parent organization of Let's Encrypt is the Internet Security Research Group (ISRG), based in San Francisco. The board of this non-profit organization includes scientists, company representatives and representatives of foundations and other non-profit organizations.
At least two other organizations are also becoming important in connection with Let's Encrypt. One is the Electronic Frontier Foundation (EFF), which has been managing Certbot, the certification software for creating Let's Encrypt certificates, since May 2016. The other is the Linux Foundation, which provides the technical infrastructure for Let's Encrypt through its Collaborative Projects program. In total, several teams from non-profit organizations support Let's Encrypt and the corresponding infrastructure.
In September 2016, the organization published a detailed cost breakdown for 2017, which shows that employer costs of around $200,000 are calculated per employee. The Let's Encrypt staff is thus quite well compensated. In the US, however, such salary levels are apparently necessary due to the competition with industry giants.
SSL is SSL is SSL - When it comes to security, there are no premium certificates
The free certificates of the US-Americans are not more insecure than those of paid German providers. So the result is always the same: The site operator can encrypt the data traffic between server and client (i.e. the browser) and thus prevent the tapping of personal data, such as the address, the telephone number, but especially bank data.
As a German website operator, you are obliged to secure your site against the tapping of personal data as soon as you collect it. This means: Theoretically, even a contact form is one of the relevant cases.
Of course, this is even more true if you request the bank data or other confidential data of the customers. If you want to use payment systems such as PayPal, an SSL certificate is also a basic requirement. Without HTTPS, not only is the path to e-commerce closed to you, but you also put yourself in danger of legal action.
The principle of SSL encryption is the same for all certificates: with the SSL certificate, the certification authority issues a kind of insurance for the website visitor. In the case of domain validation, this means that the certificate confirms that the website just visited is also located on the server that holds the certificate for the accessed domain.
For example, if you visit https://raidboxes.de, the green lock in the address bar indicates that the server on which site is located is also the server of the domain owner. So you know that you are surfing on the right site .
In addition, there are also so-called Organization Validated and Extended Validation certificates. These indicate that the site really belongs to the organization whose website you want to visit. This is particularly relevant for banks or payment providers such as PayPal or Stripe.
If you go to site which is encrypted by one of the free Let's Encrypt certificates, this is what happens:
If the root certificate is now corrupted, however, the chain breaks and the certificates theoretically become worthless. However, this applies to all SSL certificates, regardless of whether they are free or paid.
The limited validation is the central disadvantage of the Let's Encrypt certificates.
SSL certificates work by guaranteeing that the visited website belongs to a certain counterpart. As a rule, this is the domain, i.e. the address of the website. In such a case, the certificate assures that the accessed site really belongs to the accessed domain. This is the lowest validation level.
In addition, there is also an organization validation and extended validations. The latter assure that the site really belongs to the company that is assumed to be behind the site . This is essential for banks and payment providers.
Let's Encrypt certificates only offer domain validation. Extended validations are currently not yet possible and will probably not be introduced in the future. This is because the authentication process for organizations and companies is complex and requires human labour. However, Let's Encrypt can only offer its certificates free of charge because all processes are automated as far as possible. This means that you do not need human labor.
Multiple domains can be validated with Let's Encrypt certificates
site a few weeks, the free SSL certificates allow multiple domains to be combined under one certificate. This makes the free certificates also applicable for more complex site structures with multiple top-level domains and subdomains.
Conclusion: No one needs to pay for SSL Certificates these days
The free SSL certificates from Let's Encrypt are just as secure and perform similarly to paid certificates. With this, the US-Americans have put especially the German hosting providers under pressure. This has led to the fact that already today nobody has to pay for SSL. The decisive insight of Let's Encrypt is: Free HTTPS is possible and important for the Internet as a whole. And by the way, especially small and medium-sized website operators benefit from it. Because on the one hand they save costs and on the other hand they create legal security for their offers.
In the second part of this dossier, we show how Let's Encrypt stands today and how future-proof the certificates are. Because we have often heard the question of what would happen to our own site if Let's Encrypt were to fail. In part 3 of this dossier, we show which concrete advantages Let's Encrypt brings in terms of performance and security, what to look out for and how to set up such a certificate.
Part 2 - Let's Encrypt has huge potential, especially for small and medium websites.
We hear the question over and over again, "What happens if Let's Encrypt fails?". With its now more than 100 million certificates issued, Let's Encrypt has already reached an important milestone. In the market comparison of certification authorities worldwide, Let's Encrypt has already risen to 10th place.
Since Let's Encrypt officially launched in May 2016, the milestones have been coming thick and fast: Two million, five million, 14 million, then recently 100 million free SSL certificates. However, this number does not mean that these 100 million issued certificates are active. Rather, one must approach the actual number from several sites and question it: What is actually behind it?
Not all of the 100 million certificates issued are valid
The number 100,000,000 initially says very little. Because it contains data garbage: Certificate renewals, multiple certifications and expired certificates are counted. If you also know that the renewal cycle for Let's Encrypt certificates is 90 days, the number quickly becomes relative.
More informative is the number of currently valid certificates: Let's Encrypt currently counts about 53 million valid certificates. This does not mean that there are actually so many sites that are encrypted with Let's Encrypt. But the number already gives a first approximate value.
Let's Encrypt currently in 10th place in worldwide comparison
Another good source to properly assess Let's Encrypt is the data from w3techs.com. The service collects the shares of certain Internet technologies on the basis of the top 10 million websites issued by Alexa. The corresponding websites are searched specifically for certain technologies. If a hit is achieved, this is included in the count. You can find more details about the sample used here.
According to w3techs, Let's Encrypt is currently still a dwarf in the ranks of Certification Authorities with just over 0.2% market share and 0.1 usage among the top websites. At least Let's Encrypt has now made it to 10th place, which is nothing to sneeze at given the competition from heavyweights in the market like IdenTrust (45.1% market share), Comodo (31.5%), DigiCert (11.1%) and GoDaddy (6.9%) in the top ranks.
In this context, it should be mentioned that the certification authority IndenTrust supplies the root certificates for Let's Encrypt. The fact that they occupy first place is therefore a good sign. Because if the source of the root certificates enjoys high trustworthiness, then the services based on these root certificates also tend to be in a good position.
Let's Encrypt certificates are currently used more by small and medium sites
Since extended validations are currently not usable with Let's Encrypt, mainly smaller sites use the free certificates, which can well do without extended validation. The w3techs data clearly show that Let's Encrypt is currently mainly used by sites with low to medium traffic. The biggest players on the market, on the other hand, tend to serve sites with average traffic. It can be assumed that these sites are mainly commercial offers that rely on extended validation or cannot easily switch to the free SSL certificates due to their complex structure.
Conclusion: Let's Encrypt has great potential, since almost 17% of sites are still unencrypted.
For a look into the future, less interesting are the sites with, but more the sites without SSL certificate. According to w3techs, this is 16.9 percent. Although the reasons for not having an SSL certificate are not broken down for these sites , for a good percentage of them the costs in combination with the technical hurdles are likely to be the main obstacles.
Both the cost hurdle and the setup problems are now largely eliminated by Let's Encrypt. And if the hosting providers integrate the certificates accordingly into their offers, it will be even easier. Because mostly 1-click solutions are then the result. The more awareness the Californian initiative gains, the smaller the number of sites without an SSL certificate should become.
So far, it seems that Let's Encrypt has yet to make the transition into exponential growth. This could change in 2018, when Chrome starts to mark websites without HTTPS. Also, the behavior of other browser vendors on this matter will have an impact going forward. However, the development that Let's Encrypt has initiated is to be welcomed in any case, both for the site operators and for the hosting providers.
The providers are also the ones who determine how easy or complicated it is to set up free SSL. In the last part of this dossier, we will show you the advantages of the free SSL certificates from Let's Encrypt and how you can get one.
Part 3 - Added Value of SSL Certificates and Let's Encrypt Setup
Of course, the security aspect is the most important advantage of HTTPS. But on the right infrastructure, encryption even brings a performance advantage. You can usually order your free SSL certificate via your host . Or you have a clue and can set it up yourself.
An SSL certificate switches your own site from the unencrypted HTTP to the secure HTTPS. The data that is exchanged between the browser and the web server is encrypted. Thus, an SSL certificate brings a total of three key benefits: (1) Encryption of personal data. (2) Legal security for the site operator. (3) Shorter loading time thanks to HTTP/2.
Encryption of the communication between browser and web server
The main benefit of an SSL certificate is that the communication between the web server and the browser is encrypted. The authentication process is upstream of the encryption and ensures that the certificates fulfil a second benefit, namely the identification of the certificate holder.
Both create trust with the user. Not only does the user know that he or she is on the right website, but also that no one can simply read the data he or she enters on the site website. For example, address information or bank details.
This more trust can be beneficial for your own online business. In most cases, however, an SSL certificate is mandatory anyway.
If personal data are requested, then these must be protected
Regardless of the General Data Protection Regulation (GDPR ) that came into force on May 25, 2018, securing sensitive data in Germany has been mandatory for years. At least in theory. Because according to §13 of the Telemedia Act applies:
service providers "[...] shall, to the extent technically feasible and economically reasonable, ensure, within the scope of their respective responsibilities for telemedia offered on a commercial basis, that [...] the technical facilities used [...] are secured against personal data breaches [...] by means of technical and organizational measures".
Especially the unclear wording has caused a lot of uncertainty among German site operators: Is one's own blog business-like? At what point can it be classified as such? What is technically possible? What is economically reasonable? These and other questions have been discussed in great detail. Without a clear result.
However, the tenor seems to be: SSL encryption is not mandatory. But just a backup of the data. This does not have to be done via an SSL certificate. Encryption of the communication between browser and web server is, however, a very good and relatively simple way to protect the sensitive data of the site visitors.
For site operators, this means that an SSL certificate very quickly takes away a lot of legal uncertainty and massively reduces the risk of warnings. It doesn't matter whether the certificate is free or chargeable. It is the encryption itself that counts.
HTTPS a performance killer? A misconception - If the host has taken appropriate precautions
Again and again, site operators express concerns about whether the page loading time suffers due to encryption. These are more than unfounded. Not only is the authentication process not particularly performance-hungry, but SSL even makes your own site faster. At least if the so-called HTTP/2 standard is set up on the web server.
This ensures, among other things, thanks to parallel loading of data packets and an optimized communication between browser and server - the so-called server push - that the site is loaded faster.
Your hosting provider'ssupport can tell you if HTTP/2 is active.
Depending on host , setting up a free SSL Certificate can be simple or more complex.
In principle, every user who has the appropriate access rights to the server can set up Let's Encrypt relatively easily themselves. In the vast majority of cases, however, this is not even necessary. Because many hosting providers have now integrated correspondingly convenient solutions into their offerings.
Basically, a distinction can be made between:
Providers that allow Let's Encrypt, but where you have to set it up yourself. Providers that do not allow Let's Encrypt themselves, but still offer free certificates and providers that have integrated Let's Encrypt into their user interface.
The second group includes some large European hosters. Although they have not integrated Let's Encrypt, they have followed suit since the initiative was launched and now offer free SSL from their cooperation partners. In most cases the certificates are included in the tariffs. However, how exactly these are activated can vary from provider to provider.
Optimally, providers have integrated free SSL into their user interfaces and the installation is conveniently done automatically. A few providers have done this with the Let's Encrypt certificates. The function can then look like ours, for example:
With a simple click, SSL can then be activated and, if necessary, deactivated again. With some providers, SSL is also simply activated automatically.
Conclusion: SSL brings many advantages and is actually available everywhere for free.
In principle, an SSL certificate is available to every site operator free of charge in one way or another. The setup is also limited to one or a few clicks in the vast majority of cases. Therefore, we can only advise you to deal with your own hosting offer promptly and to make your own site future-proof as quickly as possible. Because besides Google, Mozilla has also announced that it will penalise unencrypted sites accordingly. With a little preparation, however, no site operator need worry.