Free SSL for All - How Let's Encrypt is Revolutionizing the Internet!

Jan Hornung | Last updated 23.01.2020 | 16 Min.

The launch of Let's Encrypt in May 2016 attracted a lot of attention in the trade press. This is because the Americans offer something free of charge for which all website operators previously had to pay good money: SSL certificates. The benefit and value of free SSL certificates cannot be overestimated.

Let's Encrypt not only enables all site owners worldwide to encrypt their services, but also makes the web a safer, faster and fairer place. In this dossier we explain clearly what Let's Encrypt is, how it works and how you can get your next SSL certificate for free.

After half a year on the market, Let's Encrypt has already issued more than 14 million free certificates. At first glance, this seems like a lot, but compared to the industry giants, it is still quite little. Let's Encrypt has a market share of just 0.02 percent.

And yet the mere existence of free SSL certificates is already having a noticeable effect on the German hosting market. Many hosts and SSL authorities already offer site operators an SSL certificate for free today. This was not the case until recently. Admittedly, Let's Encrypt can't do everything, but it offers everything a site operator needs for the vast majority of blogs, shops and company sites.

But besides the encryption of your own site and a speed advantage, Let's Encrypt provides another important service: the free SSL makes your site future-proof. Because hard times are ahead for unencrypted sites as of 2017. Since 2014, Google has been planning something that could cost many site operators massive trust and visitors: sites without HTTPS will be marked as insecure in Google's own browser from 2017. Mozilla, the foundation behind the popular Firefox browser, also has plans to systematically disadvantage insecure - i.e. HTTP - websites.

But with just a few clicks, you can put those concerns to rest with free SSL. You can make your site more secure with a certificate, reduce legal uncertainty and even give it a performance boost. We clarify the most important answers and background information in this dossier.

Part 1 - The basics: The fairy tale of the premium certificate 

Free does not mean that the certificates from Let's Encrypt are less secure. In fact, the free certificates are different from the paid ones. Nevertheless, there is no difference in terms of security. It is therefore all the more important to understand why Let's Encrypt actually provides everyone with a free SSL certificate and how the system behind it works.

Let's Encrypt is a certificate authority (CA) for SSL certificates, i.e. a body that issues certificates, and started its official operation in May 2015. The initiative has created an automated process through which SSL certificates are issued. Because of this almost complete automation, the project gets by with very few employees and can also offer the certificates free of charge. The costs incurred for employees and infrastructure are covered by donations and sponsorships.

Regardless of whether the certificate is free or paid for, it always performs the same task. It shows the user that he is on the "right" website and that the data traffic between browser and web server is encrypted.

Let's Encrypt is free, among other things, because "HTTPS everywhere" is an idea of the industry giants

But the most pressing question first: Is Let's Encrypt really free? Or rather: What's the catch? To make a long story short: Yes, neither the certificates nor the required programs cost money. And: there is no catch. Often, however, there are not purely economic motives behind this question, but rather the further question of why Let's Encrypt is free of charge. So why should a product that other organisations have previously paid for suddenly be offered free of charge?

"We provide certificates free of charge, because cost excludes people. Our certificates are available in every country in the world, because the secure Web is for everyone." - Let's Encrypt

Let's Encrypt has relatively low personnel costs, as almost all processes are automated. In addition, some manual work is done by employees of other non-profit organizations - for example, maintaining the small program that issues the certificates, the so-called Certbot.

Thus, a large financial burden is eliminated. The required hardware is also largely covered by the cooperation with the Linux Foundation. All other costs are covered by sponsorships and donations. The official sponsorships are stated to be up to $350,000 per year.

In addition to industry giants such as Mozilla, Cisco, Chrome and Facebook, companies from the WordPress sector are also supporters of the Let's Encrypt project, such as Automattic. The company of WordPress co-founder Matt Mullenweg has stood out primarily through its integration of Let's Encrypt certificates as standard on WordPress.com.

The motivation, which all sponsors of the project like to mention prominently, is the desire to create equality on the web. Because one can assume that HTTPS will become an even more important ranking criterion in the future. And if certain websites either can't afford the certificates or don't have access to them, this will exclude certain sites - and thus certain people and their WordPress projects - from participating on the Internet.

Some sponsors will also soon introduce technologies that mark unencrypted sites, increasing the pressure on operators to get certificates. For example, Google implemented in July 2018 that all HTTP sites are marked as "not secure" in the Chrome browser.

[Image: HTTP warning in Google Chrome]
This is the warning Chrome has been issuing on all HTTP sites since July 2018.

A certificate authority that issues an SSL certificate free of charge to every site operator thus fits perfectly into the plans of Let's Encrypt's biggest sponsors. Such providers who propagate "HTTPS everywhere" are therefore also significantly involved in the establishment of a free SSL infrastructure.

Let's Encrypt is no longer a small NGO

Let's Encrypt itself is merely the certification authority, i.e. the authority that issues the certificates. The overall organizational construct, however, is much larger. The parent organization of Let's Encrypt is the Internet Security Research Group (ISRG), based in San Francisco. The board of this non-profit organization includes scientists, company representatives and representatives of foundations and other non-profit organizations.

At least two other organizations are also becoming important in connection with Let's Encrypt. One is the Electronic Frontier Foundation (EFF), which has been managing Certbot, the certification software for creating Let's Encrypt certificates, since May 2016. The other is the Linux Foundation, which provides the technical infrastructure for Let's Encrypt through its Collaborative Projects program. In total, several teams from non-profit organizations support Let's Encrypt and the corresponding infrastructure.

In September 2016, the organization published a detailed cost breakdown for 2017, which shows that employer costs of around $200,000 are calculated per employee. The Let's Encrypt staff is thus quite well compensated. In the US, however, such salary levels are apparently necessary due to the competition with industry giants.

[Image: Employee costs Let's Encrypt]
The budgeted cost for Let's Encrypt and its 10 employees for 2017 is nearly $3 million.

SSL is SSL is SSL - When it comes to security, there are no premium certificates

The free certificates of the US-Americans are no less secure than those of paid German providers. So the result is always the same: the site operator can encrypt the data traffic between server and client (i.e. the browser) and thus prevent the tapping of personal data, such as the address, the telephone number, but especially bank data.

As a German website operator, you are obliged to secure your site against the tapping of personal data as soon as you collect it. This means: Theoretically, even a contact form is one of the relevant cases.

Of course, this is even more true if you request the bank data or other confidential data of the customers. If you want to use payment systems such as PayPal, an SSL certificate is also a basic requirement. Without HTTPS, not only is the path to e-commerce closed to you, but you also put yourself in danger of legal action.

The principle of SSL encryption is the same for all certificates: with the SSL certificate, the certification authority issues a kind of insurance for the website visitor. In the case of domain validation, this means that the certificate confirms that the website just visited is also located on the server that holds the certificate for the accessed domain.

[Image: Free SSL domain validation]
The green lock and "Secure" in the address line are a typical example of domain validation. The certificate is used to ensure that the domain and the visited site really belong together.

For example, if you visit https://raidboxes.de, the green lock in the address bar indicates that the server on which the site is located is also the server of the domain owner. So you know that you are surfing on the right site.

In addition, there are also so-called Organization Validated and Extended Validation certificates. These indicate that the site really belongs to the organization whose website you want to visit. This is particularly relevant for banks or payment providers such as PayPal or Stripe.

[Image: PayPal SSL Certificate]
Especially payment providers and organizations that deal with particularly sensitive data such as address information rely on these extended certificates. With such validations, the respective company is displayed in the address bar.

If you go to a site which is encrypted by one of the free Let's Encrypt certificates, this is what happens:

[Image: SSL certification process]
This is how the SSL authentication process basically works, no matter whether it is a free SSL certificate or a paid one. Two components always play a role in this security process: the certificate authority and the SSL certificate itself.

A certification authority (CA) issues certificates and signs them, i.e. confirms their authenticity. In this process, certificates are stored on the web server. If a customer now visits a website on this web server, this website can identify itself as the owner of the certificate.

The browser then checks the certificate presented by the site against the "certificate tree" stored in the browser (see illustration below). The so-called root certificate is at the top of the tree. All other certificates, and ultimately also the free certificates from Let's Encrypt, are based on this. If the root certificate and all other upstream certificates are valid, then an encrypted connection is established. The certification authorities are therefore the linchpin of domain validation. And trust is the be-all and end-all for these instances.

The certificates in turn serve to authenticate the communication partners - i.e. the web server and the browser - and to initiate the actual encryption mechanism. They ensure that the web server and browser receive the correct public and private keys to initiate the protected communication.

First, the server authenticates itself to the client as the certificate holder. Then an asymmetric encryption is established and corresponding keys are exchanged. These then enable symmetric encryption. From this point on, all communication between client and server is encrypted.

The keys are regularly renewed during the entire communication. Thus, the data stream remains protected against eavesdropping and modification even if an attacker should succeed in a one-time hack. The strength of this encryption then depends on the web server configurations of the hoster and not on the certificate.

The central element of SSL Certificates is the Chain of Trust

The Chain of Trust is the fundamental principle behind all classic SSL certificates. An organisation guarantees that a certain certificate of origin (root certificate) is trustworthy. That the statements contained in the certificate - such as "site X belongs to Domain Y", or "Domain Y belongs to Provider Z" - are correct. As long as this original certification authority is trusted, the system works.

The certificates of all SSL providers are usually based on such root certificates. In this way, the providers gain trustworthiness and can in turn fulfil their task of signing certificates. Smaller providers therefore rely on the trustworthiness of larger providers. Or the other way round: Larger providers pass on their trustworthiness to the smaller ones. This is how they create the chain of trust:

[Image: Chain of Trust Diagram]
This illustration shows the connection between the root certificate from Let's Encrypt and the free SSL certificates issued later.

If the root certificate is now corrupted, however, the chain breaks and the certificates theoretically become worthless. However, this applies to all SSL certificates, regardless of whether they are free or paid.
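The following Go program is an added example and is not code from the original article or from Let's Encrypt. It builds a small chain of its own (a root CA, an intermediate signed by it, and a 90-day leaf certificate signed by the intermediate), then verifies the leaf the way a browser would: walking up to a trusted root, checking the signatures and validity periods, and checking that the certificate really names the domain being visited. The names DemoPKI, BuildDemoPKI, VerifyChain and NeedsRenewal are inventions for this illustration, and the leaf for raidboxes.de is generated locally for the demo, not the site's real certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DemoPKI is a constructed chain root -> intermediate -> leaf, generated
// locally for illustration; it is not Let's Encrypt's real chain.
type DemoPKI struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// newTemplate prepares a certificate template. CA certificates carry the
// CertSign key usage a verifier demands of every parent in the chain; the
// leaf carries the ServerAuth usage a browser expects of a web server.
func newTemplate(cn string, isCA bool, serial int64, validFor time.Duration) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(validFor),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue signs tmpl with the parent's private key (self-signed when parent == tmpl).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildDemoPKI creates a root CA, an intermediate signed by it, and a 90-day leaf for domain.
func BuildDemoPKI(domain string) (*DemoPKI, error) {
	rootKey, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	intKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, err3 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, fmt.Errorf("key generation failed")
	}
	rootTmpl := newTemplate("Demo Root CA", true, 1, 10*365*24*time.Hour)
	root, err := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	inter, err := issue(newTemplate("Demo Intermediate CA", true, 2, 5*365*24*time.Hour),
		root, &intKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leafTmpl := newTemplate(domain, false, 3, 90*24*time.Hour)
	leafTmpl.DNSNames = []string{domain} // the name the certificate vouches for
	leaf, err := issue(leafTmpl, inter, &leafKey.PublicKey, intKey)
	if err != nil {
		return nil, err
	}
	return &DemoPKI{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

// VerifyChain does what a browser does on connect: it walks from the leaf via
// the intermediate to a root it already trusts, checking every signature and
// validity period, and confirms that the leaf actually names hostname.
func VerifyChain(leaf, intermediate, trustedRoot *x509.Certificate, hostname string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(trustedRoot)
	inters.AddCert(intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		DNSName:       hostname,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// NeedsRenewal reports whether cert expires within window of now.
func NeedsRenewal(cert *x509.Certificate, now time.Time, window time.Duration) bool {
	return now.Add(window).After(cert.NotAfter)
}
```

Calling VerifyChain with the chain's own root and the right hostname returns nil; the same leaf checked against a different root (as happens when a root is not in the browser's store, or has been distrusted) fails with an unknown-authority error, and checking it for a hostname it does not name fails with a hostname error. NeedsRenewal mirrors the short validity of Let's Encrypt certificates: with the usual 30-day window a fresh 90-day leaf does not yet need renewing, but the same leaf two months later does.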

The limited validation is the central disadvantage of the Let's Encrypt certificates.

SSL certificates work by guaranteeing that the visited website belongs to a certain counterpart. As a rule, this is the domain, i.e. the address of the website. In such a case, the certificate assures that the accessed site really belongs to the accessed domain. This is the lowest validation level.

In addition, there is also an organization validation and extended validations. The latter assure that the site really belongs to the company that is assumed to be behind the site. This is essential for banks and payment providers.

Let's Encrypt certificates only offer domain validation. Extended validations are currently not yet possible and will probably not be introduced in the future. This is because the authentication process for organisations and companies is complex and requires human labour. However, Let's Encrypt can only offer its certificates free of charge because all processes are automated as far as possible. This means that you do not need human labor.

Multiple domains can be validated with Let's Encrypt certificates

For a few weeks now, the free SSL certificates have allowed multiple domains to be combined under one certificate. This makes the free certificates also applicable for more complex site structures with multiple top-level domains and subdomains.

Conclusion: No one needs to pay for SSL Certificates these days

The free SSL certificates from Let's Encrypt are just as secure and perform similarly to paid certificates. With this, the US-Americans have put German hosting providers in particular under pressure, with the result that already today nobody has to pay for SSL. The decisive insight of Let's Encrypt is: free HTTPS is possible and important for the Internet as a whole. And by the way, especially small and medium-sized website operators benefit from it. Because on the one hand they save costs and on the other hand they create legal security for their offers.

In the second part of this dossier, we show how Let's Encrypt stands today and how future-proof the certificates are. Because we have often heard the question of what would happen to our own site if Let's Encrypt were to fail. In part 3 of this dossier, we show which concrete advantages Let's Encrypt brings in terms of performance and security, what to look out for and how to set up such a certificate.

Part 2 - Let's Encrypt has huge potential, especially for small and medium websites.

We hear the question over and over again, "What happens if Let's Encrypt fails?". With its now more than 100 million certificates issued, Let's Encrypt has already reached an important milestone. In the market comparison of certification authorities worldwide, Let's Encrypt has already risen to 10th place.

Since Let's Encrypt officially launched in May 2016, the milestones have been coming thick and fast: two million, five million, 14 million, then recently 100 million free SSL certificates. However, this number does not mean that these 100 million issued certificates are active. Rather, one must approach the actual number from several sides and question it: what is actually behind it?

[Image: Let's Encrypt Growth Graphic]
This graph shows how the growth of Let's Encrypt certificates has developed since 2016. In February 2018, the milestone of 50 million active certificates was reached.

Not all of the 100 million certificates issued are valid

The number 100,000,000 initially says very little, because it contains noise: certificate renewals, multiple certifications and expired certificates are all counted. If you also know that the renewal cycle for Let's Encrypt certificates is 90 days, the number quickly has to be put into perspective.

More informative is the number of currently valid certificates: Let's Encrypt currently counts about 53 million valid certificates. This does not mean that there are actually so many sites that are encrypted with Let's Encrypt. But the number already gives a first approximate value.

Let's Encrypt currently in 10th place in worldwide comparison

Another good source to properly assess Let's Encrypt is the data from w3techs.com. The service collects the shares of certain Internet technologies on the basis of the top 10 million websites issued by Alexa. The corresponding websites are searched specifically for certain technologies. If a hit is achieved, this is included in the count. You can find more details about the sample used here.

According to w3techs, Let's Encrypt is currently still a dwarf in the ranks of Certification Authorities with just over 0.2% market share and 0.1% usage among the top websites. At least Let's Encrypt has now made it to 10th place, which is nothing to sneeze at given the competition from heavyweights in the market like IdenTrust (45.1% market share), Comodo (31.5%), DigiCert (11.1%) and GoDaddy (6.9%) in the top ranks.

[Image: Let's Encrypt market share]
This chart shows what percentage of the top websites use Let's Encrypt. Let's Encrypt was able to increase its market share from 0.02 percent in 2016 to 0.2 percent in 2018.

In this context, it should be mentioned that the certification authority IdenTrust supplies the root certificates for Let's Encrypt. The fact that they occupy first place is therefore a good sign. Because if the source of the root certificates enjoys high trustworthiness, then the services based on these root certificates also tend to be in a good position.

[Image: Market share Certification Authorities SSL]
Market share and absolute usage of the largest Certification Authorities according to w3techs.

Let's Encrypt certificates are currently used more by small and medium sites

Since extended validations are currently not usable with Let's Encrypt, mainly smaller sites use the free certificates, which can well do without extended validation. The w3techs data clearly show that Let's Encrypt is currently mainly used by sites with low to medium traffic. The biggest players on the market, on the other hand, tend to serve sites with average traffic. It can be assumed that these sites are mainly commercial offers that rely on extended validation or cannot easily switch to the free SSL certificates due to their complex structure.

[Image: Certification Authority Let's Encrypt provider field]

Conclusion: Let's Encrypt has great potential, since almost 17% of sites are still unencrypted.

For a look into the future, the sites with an SSL certificate are less interesting than the sites without one. According to w3techs, the latter make up 16.9 percent. Although the reasons for not having an SSL certificate are not broken down for these sites, for a good percentage of them the costs in combination with the technical hurdles are likely to be the main obstacles.

Both the cost hurdle and the setup problems are now largely eliminated by Let's Encrypt. And if the hosting providers integrate the certificates accordingly into their offers, it will be even easier. Because mostly 1-click solutions are then the result. The more awareness the Californian initiative gains, the smaller the number of sites without an SSL certificate should become.

So far, it seems that Let's Encrypt has yet to make the transition into exponential growth. This could change in 2018, when Chrome starts to mark websites without HTTPS. Also, the behavior of other browser vendors on this matter will have an impact going forward. However, the development that Let's Encrypt has initiated is to be welcomed in any case, both for the site operators and for the hosting providers.

The providers are also the ones who determine how easy or complicated it is to set up free SSL. In the last part of this dossier, we will show you the advantages of the free SSL certificates from Let's Encrypt and how you can get one.

Part 3 - Added Value of SSL Certificates and Let's Encrypt Setup

Of course, the security aspect is the most important advantage of HTTPS. But on the right infrastructure, encryption even brings a performance advantage. You can usually order your free SSL certificate via your host. Or, if you know your way around a server, you can set it up yourself.

An SSL certificate switches your own site from the unencrypted HTTP to the secure HTTPS. The data that is exchanged between the browser and the web server is encrypted. Thus, an SSL certificate brings a total of three key benefits: (1) Encryption of personal data. (2) Legal security for the site operator. (3) Shorter loading time thanks to HTTP/2.

Encryption of the communication between browser and web server

The main benefit of an SSL certificate is that the communication between the web server and the browser is encrypted. The authentication process is upstream of the encryption and ensures that the certificates fulfil a second benefit, namely the identification of the certificate holder.

Both create trust with the user. Not only does the user know that he or she is on the right website, but also that no one can simply read the data he or she enters on the website, for example address information or bank details.

This added trust can be beneficial for your own online business. In most cases, however, an SSL certificate is mandatory anyway.

If personal data are requested, then these must be protected

Regardless of the General Data Protection Regulation (GDPR) that came into force on May 25, 2018, securing sensitive data has been mandatory in Germany for years. At least in theory. Because according to §13 of the Telemedia Act,

service providers "[...] shall, to the extent technically feasible and economically reasonable, ensure, within the scope of their respective responsibilities for telemedia offered on a commercial basis, that [...] the technical facilities used [...] are secured against personal data breaches [...] by means of technical and organisational measures".

Especially the unclear wording has caused a lot of uncertainty among German site operators: Is one's own blog business-like? At what point can it be classified as such? What is technically possible? What is economically reasonable? These and other questions have been discussed in great detail. Without a clear result.

However, the tenor seems to be that SSL encryption as such is not mandatory, only that the data must be secured, and this does not necessarily have to be done via an SSL certificate. Encryption of the communication between browser and web server is, however, a very good and relatively simple way to protect the sensitive data of the site visitors.

For site operators, this means that an SSL certificate very quickly takes away a lot of legal uncertainty and massively reduces the risk of formal warning letters. It doesn't matter whether the certificate is free or chargeable. It is the encryption itself that counts.

HTTPS a performance killer? A misconception - If the host has taken appropriate precautions

Again and again, site operators express concerns about whether the page loading time suffers due to encryption. These concerns are unfounded. Not only is the authentication process not particularly performance-hungry, but SSL even makes your own site faster. At least if the so-called HTTP/2 standard is set up on the web server.

This ensures, among other things, thanks to parallel loading of data packets and an optimized communication between browser and server - the so-called server push - that the site is loaded faster.

Your hosting provider's support can tell you if HTTP/2 is active.
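Whether HTTP/2 is actually in use can also be checked from the client side, since browsers only negotiate HTTP/2 over TLS and the server has to advertise it. The following Go program is an added example, not code from the original article or from any hosting provider: it starts two local HTTPS test servers, one with HTTP/2 enabled and one without, and reports which protocol each connection ended up using. The helper names NegotiatedProto, startTLS and CompareProtocols are inventions for this illustration; the same NegotiatedProto call works against a real HTTPS URL with a normal http.Client.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// NegotiatedProto fetches url with client and returns the protocol version
// the client and server agreed on, e.g. "HTTP/2.0" or "HTTP/1.1".
func NegotiatedProto(client *http.Client, url string) (string, error) {
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	io.Copy(io.Discard, resp.Body) // drain so the connection can be reused
	return resp.Proto, nil
}

// startTLS runs a local HTTPS test server with a throwaway certificate.
// enableH2 decides whether it advertises HTTP/2 during the TLS handshake;
// the server's own Client() already trusts the test certificate.
func startTLS(enableH2 bool) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ok")
	}))
	srv.EnableHTTP2 = enableH2
	srv.StartTLS()
	return srv
}

// CompareProtocols returns the negotiated protocol for a server with HTTP/2
// configured and for one that only offers HTTP/1.1 over TLS.
func CompareProtocols() (withH2, withoutH2 string, err error) {
	h2 := startTLS(true)
	defer h2.Close()
	if withH2, err = NegotiatedProto(h2.Client(), h2.URL); err != nil {
		return "", "", err
	}
	h1 := startTLS(false)
	defer h1.Close()
	withoutH2, err = NegotiatedProto(h1.Client(), h1.URL)
	return withH2, withoutH2, err
}

func main() {
	withH2, withoutH2, err := CompareProtocols()
	if err != nil {
		panic(err)
	}
	fmt.Printf("HTTP/2 enabled on server:  %s\n", withH2)
	fmt.Printf("HTTP/2 disabled on server: %s\n", withoutH2)
}
```

If the result for a live site is "HTTP/1.1" even though the connection is encrypted, the certificate is in place but the web server has not been configured for HTTP/2, which is exactly the case where the speed advantage described above does not materialise.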

Depending on the host, setting up a free SSL Certificate can be simple or more complex.

In principle, every user who has the appropriate access rights to the server can set up Let's Encrypt relatively easily themselves. In the vast majority of cases, however, this is not even necessary. Because many hosting providers have now integrated correspondingly convenient solutions into their offerings.

Basically, a distinction can be made between:

1. Providers that allow Let's Encrypt, but where you have to set it up yourself.
2. Providers that do not allow Let's Encrypt themselves, but still offer free certificates.
3. Providers that have integrated Let's Encrypt into their user interface.

The second group includes some large European hosters. Although they have not integrated Let's Encrypt, they have followed suit since the initiative was launched and now offer free SSL from their cooperation partners. In most cases the certificates are included in the tariffs. However, how exactly these are activated can vary from provider to provider.

Optimally, providers have integrated free SSL into their user interfaces and the installation is conveniently done automatically. A few providers have done this with the Let's Encrypt certificates. The function can then look like ours, for example:

[Image: Enable SSL RAIDBOXES]
At RAIDBOXES you can enable and disable SSL for free with just one click.

With a simple click, SSL can then be activated and, if necessary, deactivated again. With some providers, SSL is also simply activated automatically.

Conclusion: SSL brings many advantages and is actually available everywhere for free.

In principle, an SSL certificate is available to every site operator free of charge in one way or another. The setup is also limited to one or a few clicks in the vast majority of cases. Therefore, we can only advise you to deal with your own hosting offer promptly and to make your own site future-proof as quickly as possible. Because besides Google, Mozilla has also announced that it will penalise unencrypted sites accordingly. With a little preparation, however, no site operator need worry.

RAIDBOXER from the beginning and Head of Support. At Bar- and WordCamps he loves to talk about PageSpeed and website performance. The best way to bribe him is with an espresso - or Bavarian pretzel.
