Free SSL for everyone - Let's Encrypt revolutionizes the Internet!

Jan Hornung, updated on 23.01.2020
16 min. read

The launch of Let's Encrypt in May 2016 attracted a lot of attention in the trade press, because the Americans offer for free something that all site operators had so far had to pay good money for: SSL certificates. The benefit and value of free SSL certificates can hardly be overestimated.

Let's Encrypt not only enables site operators worldwide to encrypt their sites, but also makes the web a safer, faster and fairer place. In this dossier we explain clearly what Let's Encrypt is, how it works and how you can get your next SSL certificate for free.

After half a year on the market, Let's Encrypt has already issued more than 14 million free certificates. At first glance this seems like a lot, but compared to the industry giants it is still quite little: Let's Encrypt has a market share of just 0.02 percent.

And yet the mere existence of free SSL certificates already has a noticeable effect on the German hosting market. Many hosts and SSL authorities now offer site operators an SSL certificate free of charge. That was not the case until recently. Granted, Let's Encrypt can't do everything, but it offers everything the operator of the vast majority of blogs, shops and corporate sites needs.

But besides the encryption of your own site and a speed advantage, Let's Encrypt does you another important service: the free SSL makes your site future-proof. Hard times are dawning for unencrypted sites from 2017 on. Since 2014, Google has been planning something that could cost many site operators a great deal of trust and visitors: HTTP sites marked as unsafe. Mozilla, the foundation behind the popular Firefox browser, also plans to systematically disadvantage insecure, i.e. HTTP, websites.

But with just a few clicks, thanks to free SSL, you can put these concerns behind you. With a certificate you can make your site more secure, reduce legal uncertainty and even give it a performance boost. In this dossier we provide the most important answers and background information.

Part 1 - The basics: The fairy tale of the Premium Certificate

Free does not mean that Let's Encrypt's certificates are less secure. The free certificates do differ from those that are subject to a fee, but there is no difference in terms of security. It is therefore all the more important to understand why Let's Encrypt provides everyone with an SSL certificate for free and how the system behind it works.

Let's Encrypt is a certification authority (CA) for SSL certificates, which officially started operating in May 2015. The initiative has created an automated process through which SSL certificates are issued. Because of this almost complete automation, the project gets by with very few employees and can offer the certificates free of charge. The costs for employees and infrastructure are covered by donations and sponsorships.

No matter whether the certificate is free of charge or subject to a fee, it always fulfils the same task: it shows the user that he is on the "right" website and that the data traffic between browser and web server is encrypted.

Let's Encrypt is free, among other things, because "HTTPS everywhere" is an idea of the industry giants

But the most pressing question first: Is Let's Encrypt really free? Or rather: what's the catch? To make a long story short: yes, neither the certificates nor the required programs cost money, and there is no catch. Often, however, this question is not motivated by purely economic reasons, but by the broader question of why Let's Encrypt is free. Why suddenly give away for free a product that other organisations had previously charged for?

"We provide certificates free of charge, because cost excludes people. Our certificates are available in every country in the world, because the secure web is for everyone." – Let's Encrypt

Let's Encrypt has relatively low personnel costs, since almost all processes are automated. In addition, some of the manual work is carried out by employees of other non-profit organisations, for example the maintenance of the small program that issues the certificates, the so-called Certbot.

This eliminates a large financial burden. The required hardware is also largely covered by the cooperation with the Linux Foundation. Sponsorship and donations are intended to cover all other costs. The official sponsorships are estimated at up to $350,000 annually.

In addition to industry giants such as Mozilla, Cisco, Chrome and Facebook, the Let's Encrypt project also has the support of companies from the WordPress ecosystem, such as Automattic. The company of WordPress co-founder Matt Mullenweg has made a name for itself above all through its standard integration of Let's Encrypt certificates at WordPress.com ...and I've got to say...

The motivation that all sponsors of the project like to mention prominently is the desire to create equality on the net, because it can be assumed that HTTPS will become an even more important ranking criterion in future. And if certain websites either cannot afford the certificates or do not have access to them, this excludes certain sites, and thus certain people and their WordPress projects, from participating in the Internet.

In addition, some sponsors will soon introduce technologies that mark unencrypted sites as such, thus increasing the pressure on operators to obtain certificates. Since July 2018, for example, Google's Chrome browser marks all HTTP sites as "not secure".

HTTP warning in Google Chrome
This is the warning that Chrome has been showing on all HTTP sites since July 2018.

A certificate authority that issues an SSL certificate free of charge to every site operator therefore fits perfectly into the plans of the largest sponsors of Let's Encrypt. Such providers, which promote "HTTPS everywhere", are therefore also significantly involved in establishing a free SSL infrastructure.

Let's Encrypt is no longer a small NGO

Let's Encrypt itself is merely the certificate authority, i.e. the authority that issues the certificates. However, the overall organisational construct is much larger. The parent organization of Let's Encrypt is the Internet Security Research Group (ISRG) based in San Francisco. The board of directors of this non-profit organisation includes scientists, company representatives and representatives of foundations and other non-profit organisations.

At least two other organizations are also important in connection with Let's Encrypt. Firstly the Electronic Frontier Foundation (EFF), which since May 2016 has maintained Certbot, the client software for creating Let's Encrypt certificates. The second is the Linux Foundation, which provides the technical infrastructure for Let's Encrypt through its Collaborative Projects program. All in all, several teams from non-profit organizations support Let's Encrypt and the corresponding infrastructure.

In September 2016, the organisation published a detailed cost statement for 2017, which shows that about $200,000 in employer costs is budgeted per employee. Let's Encrypt staff are therefore quite well paid. In the USA, however, such pay levels are apparently necessary to compete with the industry giants.

Staff costs Let's Encrypt
The budgeted costs for Let's Encrypt and its 10 employees for the year 2017 amount to almost 3 million US dollars.

SSL is SSL is SSL - When it comes to security there are no premium certificates

The free certificates of the US Americans are no less secure than those of German providers that charge for them. The result is always the same: the site operator can encrypt the data traffic between server and client (i.e. the browser) and thus prevent the tapping of personal data such as address and telephone number, but above all bank data.

As a German website operator, you are obliged to protect the personal data on your site against interception as soon as you collect it. That means: theoretically, even a simple contact form already falls into the category of relevant cases.

Of course, this applies all the more if you ask customers for bank details or other confidential data. If you want to use payment systems such as PayPal, an SSL certificate is also a basic requirement. So without HTTPS, not only is the path to e-commerce closed to you, you also run the risk of receiving a legal warning.

The principle of SSL encryption is the same for all certificates: with the SSL certificate, the certificate authority issues a kind of assurance to the website visitor. In the case of domain validation, this means that the certificate confirms that the website you are currently visiting is actually located on the server that holds the certificate for the domain you are visiting.

Free SSL domain validation
The green lock and "Secure" in the address line are the typical sign of a domain validation. The certificate assures that the domain and the visited site really belong together.

So, for example, if you visit https://raidboxes.de, the green lock in the address line indicates that the server on which the site is located is also the server of the domain owner. So you know that you are surfing on the right site.

In addition, there are Organization Validated and Extended Validation certificates. These indicate that the site really belongs to the organization whose website you want to visit. This is especially relevant for banks or payment providers such as PayPal or Stripe.

PayPal SSL Certificate
Payment providers and organizations in particular, which have to deal with especially sensitive data such as address information, rely on these extended certificates. For such validations, the respective company is displayed in the address bar.

If you call up a site that is encrypted with one of the free Let's Encrypt certificates, the following happens:

SSL certification process
This is how the SSL authentication process works from the ground up, no matter whether it is a free SSL certificate or a paid one. Two components always play a role in this security process: the certificate authority and the SSL certificate itself.

A certification authority (CA) issues and signs certificates, thus confirming their authenticity. The certificates are stored on the web server. If a visitor calls up a website on this web server, the website can identify itself as the owner of the certificate.

The browser then checks the certificate presented by the site against the "certificate tree" stored in the browser (see figure below). The so-called root certificate is at the top of the tree. All further certificates, and finally also the free certificates from Let's Encrypt, are based on this root certificate. If the root certificate and all other upstream certificates are valid, an encrypted connection is established. The certification authorities are thus the linchpin of domain validation, and trust is the be-all and end-all for these instances.

The certificates in turn serve to authenticate the communication partners - i.e. the web server and the browser - and to initiate the actual encryption mechanism. They ensure that web servers and browsers receive the correct public and private keys to initiate the protected communication.

First the server authenticates itself to the client as the certificate holder. Then asymmetric encryption is established and the corresponding keys are exchanged. These then enable symmetric encryption. From this point on, all communication between client and server is encrypted.

The keys are regularly renewed during the entire communication. In this way the data stream remains protected against eavesdropping and modification even if an attacker succeeds in a one-off compromise. The strength of this encryption then depends on the web server configuration of the hoster and not on the certificate.

The central element of SSL certificates is the Chain of Trust

The Chain of Trust is the fundamental principle behind all classic SSL certificates. An organization guarantees that a certain certificate of origin (root certificate) is trustworthy, i.e. that the statements contained in the certificate, such as "site X belongs to domain Y" or "domain Y belongs to provider Z", are correct. As long as this original certificate authority is trusted, the system works.

The certificates of all SSL providers are usually based on such root certificates. In this way, the providers gain trustworthiness and can in turn fulfil their task of signing certificates. Smaller providers therefore rely on the trustworthiness of larger providers. Or vice versa: Larger providers pass on their trustworthiness to the smaller ones. This is how they create the Chain of Trust:

Chain of Trust Diagram
This diagram shows the connection between the root certificate of Let's Encrypt and the free SSL certificates issued later.

However, if the root certificate is corrupted, the chain is broken and the certificates theoretically become worthless. This applies to all SSL certificates, whether they are free or chargeable.

Limited validation is the central disadvantage of Let's Encrypt certificates

SSL certificates work by guaranteeing that the website you are visiting belongs to a specific counterpart. Usually this is the domain, i.e. the address of the website. In this case the certificate assures that the visited website really belongs to the visited domain. This is the lowest validation level.

There is also organization validation and extended validation. The latter ensures that the site you are visiting really belongs to the company that is supposed to be behind it. This is essential for banks and payment providers.

Let's Encrypt certificates only offer domain validation. Extended validations are currently not possible and will probably not be introduced in the future, because the authentication process for organizations and companies is complex and requires human labour. Let's Encrypt, however, can only offer its certificates for free because all processes are automated as far as possible, so that no human labour is needed.

With Let's Encrypt certificates, several domains can be validated

For some weeks now, the free SSL certificates have allowed several domains to be combined under one certificate. This makes the free certificates applicable to more complex site structures with several top-level domains and sub-domains as well.
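The check the browser performs against the "certificate tree", the Chain of Trust, and the properties of a domain-validated multi-domain certificate can all be seen in working code. The following Go program is an added example and is not code from the article or from Let's Encrypt: it constructs its own root, intermediate and leaf certificate in memory (the CA names, serial numbers and host names such as example.com are made up for the illustration) and then verifies the leaf the way a browser would: with the root present in the trust store, with the root missing, and for a host name the certificate does not cover.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a key pair and signs tmpl with parentKey. With parent == nil the
// certificate is self-signed, i.e. a root. Everything is built in memory for this example.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caTemplate describes a signing certificate (root or intermediate) with a made-up name.
func caTemplate(serial int64, cn string, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now,
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

// demoChain builds root -> intermediate -> leaf. The leaf is shaped like a
// domain-validated certificate: several host names in the SAN list, no organization
// in the subject, and a 90-day lifetime like Let's Encrypt's certificates.
func demoChain() (root, inter, leaf *x509.Certificate, err error) {
	now := time.Now().Add(-time.Minute) // small backdate so NotBefore is never in the future
	root, rootKey, err := issue(caTemplate(1, "Constructed Root CA", now), nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	inter, interKey, err := issue(caTemplate(2, "Constructed Intermediate CA", now), root, rootKey)
	if err != nil {
		return nil, nil, nil, err
	}
	leaf, _, err = issue(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "example.com"}, // DV: no Organization field
		DNSNames:     []string{"example.com", "www.example.com", "shop.example.org"},
		NotBefore:    now,
		NotAfter:     now.Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, interKey)
	return root, inter, leaf, err
}

// verifyChain does what a browser does with the "certificate tree": it builds a path from
// the leaf over the intermediate to a root in the trust store and checks the host name.
func verifyChain(leaf, inter *x509.Certificate, trusted []*x509.Certificate, host string) error {
	roots := x509.NewCertPool() // empty but non-nil: nil would mean "use the OS trust store"
	for _, c := range trusted {
		roots.AddCert(c)
	}
	inters := x509.NewCertPool()
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		DNSName:       host,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	root, inter, leaf, err := demoChain()
	if err != nil {
		panic(err)
	}
	trusted := []*x509.Certificate{root}
	fmt.Println("trusted root, listed host:  ", verifyChain(leaf, inter, trusted, "www.example.com"))
	fmt.Println("trusted root, foreign host: ", verifyChain(leaf, inter, trusted, "login.example.net"))
	fmt.Println("root missing from store:    ", verifyChain(leaf, inter, nil, "www.example.com"))
	fmt.Println("organization in DV subject: ", leaf.Subject.Organization)
}
```

Run with `go run`: the first check passes, the other two fail, which is the point. A chain whose root is not in the trust store is worthless no matter who signed it, and a domain-validated certificate only vouches for the names in its SAN list, not for who operates the site, which is why the Organization field stays empty.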

Conclusion: Nobody has to pay for SSL certificates these days

The free SSL certificates from Let's Encrypt are just as secure and perform similarly to paid certificates. The Americans have thus put pressure on German hosting providers in particular. As a result, no one has to pay for SSL today. The decisive insight of Let's Encrypt is: free HTTPS is possible and important for the Internet as a whole. And incidentally, small and medium-sized site operators in particular benefit from this: they save costs and at the same time create legal certainty for their offers.

In the second part of this dossier we show where Let's Encrypt stands today and how future-proof the certificates are, because we have often heard the question of what happens to your own site's certificates if Let's Encrypt fails. In part 3 we show you the concrete performance and security advantages of Let's Encrypt, what you need to pay attention to and how to set up such a certificate.

Part 2 - Let's Encrypt has huge potential, especially for small and medium-sized websites

We keep hearing the question: "What happens if Let's Encrypt fails?" With its meanwhile more than 100 million certificates issued, Let's Encrypt has already reached an important milestone. In a worldwide market comparison of certification authorities, Let's Encrypt has already climbed to 10th place.

Since Let's Encrypt was officially launched in May 2016, the milestones have kept coming: two million, five million, 14 million, and recently 100 million free SSL certificates. However, this figure does not mean that all 100 million certificates issued are also active. Rather, one has to approach the actual number of encrypted sites from several directions and ask: what is actually behind these figures?

Let's Encrypt Growth Graphic
This chart shows how the growth of Let's Encrypt certificates has developed since 2016. In February 2018 the milestone of 50 million active certificates was reached.

Not all of the 100 million certificates issued are valid

The figure of 100,000,000 says very little at first, because it contains data garbage: certificate renewals, multiple certifications and expired certificates are counted as well. If you also know that the renewal cycle for Let's Encrypt certificates is 90 days, the number is quickly put into perspective.

More informative is the number of currently valid certificates: Let's Encrypt currently counts about 53 million valid certificates. This does not mean that there are actually that many sites encrypted with Let's Encrypt, but the number gives a first approximation.

Let's Encrypt currently ranked 10th in a worldwide comparison

Another good source for getting an idea of Let's Encrypt is the data from w3techs.com. The service determines the share of certain Internet technologies on the basis of the top 10 million websites listed by Alexa. The websites are specifically scanned for certain technologies; if a hit is scored, it is included in the count. You can find more details on the sample used here.

According to w3techs, Let's Encrypt is still a dwarf in the ranks of the certification authorities, with a market share of just over 0.2 percent and 0.1 percent usage among the top websites. Still, Let's Encrypt has now made it to 10th place, which is not to be sneezed at when competing with heavyweights such as IdenTrust (45.1% market share), Comodo (31.5%), DigiCert (11.1%) and GoDaddy (6.9%) in the top ranks.

Let's Encrypt market share
This chart shows what percentage of the top websites use Let's Encrypt. Let's Encrypt was able to increase its market share from 0.02 percent in 2016 to 0.2 percent in 2018.

In this context it should be mentioned that the certification body IdenTrust provides the root certificates for Let's Encrypt. The fact that it occupies first place is therefore a good sign, because if the source of the root certificates is highly trusted, the services based on these root certificates tend to be well positioned too.

Market share Certification Authorities SSL
Market share and absolute use of the largest certification authorities according to w3techs.

Let's Encrypt certificates are currently used mostly by small and medium-sized sites

Since extended validations are currently not available with Let's Encrypt, it is mainly smaller sites that use the free certificates, as they can easily do without extended validation. The w3techs data clearly shows that Let's Encrypt is currently used mainly by sites with low to medium traffic. The largest players on the market, on the other hand, tend to serve sites with high average traffic. It can be assumed that these are mainly commercial offers that depend on extended validation or cannot easily switch to the free SSL certificates because of their complex structure.

Certification Authority Let's Encrypt provider field

Conclusion: Let's Encrypt has great potential, since almost 17% of sites are still unencrypted

For a look into the future, the sites without an SSL certificate are more interesting than those with one. According to w3techs this is 16.9 percent. Although the reasons for the absence of an SSL certificate are not itemised for these sites, for a good share of them the costs combined with the technical hurdles are probably the main obstacles.

Both the cost hurdle and the problems with the setup are now largely eliminated by Let's Encrypt. And if the hosting providers integrate the certificates accordingly in their offers, it becomes even easier, because the result is then usually a one-click solution. As the California initiative becomes more widely known, the number of sites without an SSL certificate is likely to decrease.

So far, it seems that Let's Encrypt has not yet made the transition to exponential growth. This could change in 2018, when Chrome starts flagging web pages without HTTPS. The behaviour of other browser manufacturers in this matter will also influence further development. In any case, the development that Let's Encrypt has initiated is to be welcomed, both for site operators and for hosting providers.

It is also the providers who determine how easy or complicated it is to set up free SSL. In the last part of this dossier we will show you the advantages of the free SSL certificates from Let's Encrypt and how you can get one.

Part 3 - Added value of SSL Certificates and setup of Let's Encrypt

Clearly, the security aspect is the most important advantage of HTTPS. But on the right infrastructure, encryption even brings a performance advantage. In most cases you can order your free SSL certificate via your host, or, if you know your way around, you can set it up yourself.

An SSL certificate converts your site from unencrypted HTTP to secure HTTPS: the data exchanged between browser and web server is encrypted. An SSL certificate thus brings three central advantages: (1) encryption of personal data, (2) legal security for the site operator and (3) shorter loading times thanks to HTTP/2.

Encryption of the communication between browser and web server

The main benefit of an SSL certificate is that the communication between web server and browser is encrypted. The authentication process precedes the encryption and ensures that the certificates fulfil a second purpose, namely identifying the certificate owner.

Both of these factors create confidence in the user. Not only does the user know that he is on the right website, but also that nobody can simply read the data he enters on the site, for example address information or bank details.

This increased trust can be beneficial to your own online business. However, in most cases an SSL certificate is mandatory anyway.

When personal data is requested, it must be protected

Irrespective of the General Data Protection Regulation (GDPR), which came into force on 25 May 2018, the protection of sensitive data has been obligatory in Germany for years. At least in theory, because according to §13 of the Telemediengesetz, service providers are required:

"[...] to ensure, insofar as this is technically possible and economically reasonable, within the scope of their respective responsibility for business-like telemedia services offered, that [...] the technical equipment used [...] is secured against violation of the protection of personal data [...]".

Above all, the unclear wording has caused a great deal of uncertainty among German site operators: Is your own blog business-like? From when can it be classified as such? What is technically possible? What is economically reasonable? Some of these and other questions have already been discussed in detail, without a clear result.

However, the tenor seems to be: SSL encryption itself is not mandatory, only securing the data is, and that does not have to be done via an SSL certificate. Encryption of the communication between browser and web server is, however, a very good and relatively simple way to protect the sensitive data of site visitors.

For site operators, this means that an SSL certificate very quickly removes a lot of legal uncertainty and massively reduces the risk of a legal warning. It does not matter whether the certificate is free of charge or subject to a fee; it's the encryption itself that matters.

HTTPS a performance killer? A misconception, if the host has taken the appropriate precautions

Time and again, site operators express concerns that page load time suffers because of encryption. These concerns are unfounded. Not only is the authentication process not particularly performance-hungry, HTTPS can even make your site faster, at least if the so-called HTTP/2 standard is set up on the web server.

Thanks to parallel loading of data packets and optimized communication between browser and server, the so-called server push, HTTP/2 ensures that the site loads faster.

The support of your hosting provider can provide information about whether HTTP/2 is active.
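Whether HTTP/2 is actually negotiated depends on the web server, not on the certificate, and you can check it yourself rather than only asking support. The following Go program is an added example, not code from the article or from any hosting provider: it starts a TLS server on the loopback interface with Go's httptest package (using the package's built-in self-signed test certificate, so it runs offline), once with HTTP/2 disabled and once enabled, and reports which protocol version the client ends up speaking. The `negotiatedProtocol` function and the local server are constructed for this illustration.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// negotiatedProtocol starts a TLS server on the loopback interface (constructed for
// this example with httptest's built-in self-signed test certificate), sends one
// request and reports which HTTP version the client ended up speaking, plus the
// ALPN value the TLS handshake agreed on. enableHTTP2 stands for the switch the
// hoster has to flip on the web server: TLS alone only gives you HTTP/1.1.
func negotiatedProtocol(enableHTTP2 bool) (proto, alpn string, err error) {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "served over %s\n", r.Proto)
	}))
	srv.EnableHTTP2 = enableHTTP2 // must be set before StartTLS
	srv.StartTLS()                // HTTP/2 is negotiated via ALPN, which needs TLS
	defer srv.Close()

	// srv.Client() already trusts the test certificate and attempts h2 when the server offers it.
	resp, err := srv.Client().Get(srv.URL)
	if err != nil {
		return "", "", err
	}
	defer resp.Body.Close()
	if _, err := io.Copy(io.Discard, resp.Body); err != nil {
		return "", "", err
	}
	if resp.TLS != nil {
		alpn = resp.TLS.NegotiatedProtocol
	}
	return resp.Proto, alpn, nil
}

func main() {
	for _, h2 := range []bool{false, true} {
		proto, alpn, err := negotiatedProtocol(h2)
		if err != nil {
			panic(err)
		}
		fmt.Printf("HTTP/2 enabled on server: %-5v -> client spoke %s (ALPN %q)\n", h2, proto, alpn)
	}
}
```

The same certificate serves both runs; only the server-side switch differs. Against a real host you would look at the protocol column of the browser's network panel instead, but the lesson is identical: a valid certificate gets you TLS, and HTTP/2 is a separate server setting on top of it.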

Depending on your host, setting up a free SSL certificate can be simple or more complex

In principle, any user who has the appropriate access rights to the server can set up Let's Encrypt relatively easily themselves. In most cases, however, this is not necessary at all: many hosting providers have now integrated correspondingly convenient solutions into their product range.

Basically one can distinguish between:

(1) providers that allow Let's Encrypt but where you have to set it up yourself,
(2) providers who do not allow Let's Encrypt themselves but still offer free certificates, and
(3) providers who have integrated Let's Encrypt into their user interface.

The second group includes some large European hosters. Although they have not integrated Let's Encrypt, they have followed suit since the initiative was launched and now offer free SSL from their cooperation partners. In most cases the certificates are included in the tariffs; how exactly they are activated, however, varies from provider to provider.

Ideally, the providers have integrated free SSL into their user interfaces and the installation is conveniently automated. A few providers have done this with the Let's Encrypt certificates. The function can then look like ours, for example:

Enable SSL RAIDBOXES
At RAIDBOXES you can activate and deactivate SSL for free with just one click.

With a simple click, SSL can then be activated and, if necessary, deactivated again. With some providers SSL is also simply activated automatically.

Conclusion: SSL has many advantages and is actually free of charge everywhere

In principle, every website operator can use an SSL certificate free of charge in one way or another, and the setup is in most cases limited to one or a few clicks. We can therefore only advise you to look into your own hosting offer and make your site future-proof as soon as possible, because in addition to Google, Mozilla has also announced that unencrypted sites will be disadvantaged. With a little preparation, however, no site operator needs to worry.

RAIDBOXER of the first hour and Head of Support. At BarCamps and WordCamps he likes to talk about PageSpeed and website performance. The best way to bribe him is with an espresso or a Bavarian pretzel.
