Since May 2016, Let's Encrypt has been out of beta and offers every website operator the opportunity to set up SSL for free. But what is the difference between a free SSL certificate and a paid one? Technically none, but organizationally quite a few.
The most important answer right at the beginning: No, a free SSL certificate is not less secure than a paid one. But what is the key difference? Free SSL certificates have to be cross-financed somehow, and the quick answer to how is: through sponsoring. Let's Encrypt shows how this model works.
The mission of the Let's Encrypt initiative can be summarized as follows: Encrypted communication should be a basic right on the Internet. Until 2016, users usually had to pay to encrypt the communication between web server and browser, so free access to certificates was not guaranteed.
With Let's Encrypt, however, a new certification authority has existed since last year that issues a free SSL certificate to every user and thus makes encryption available to every website owner worldwide. This changes a lot: Because with the free certificates, demands for HTTPS as the new standard on the web are within reach.
For shop operators or companies, the padlock in the address bar has always been an important trust indicator - if only for legal reasons. But actually every website operator, whether blogger, freelancer or shop owner, should rely on encryption, because it brings many advantages regardless of what the certificate costs. In terms of the technical principles of encryption, the certificate types do not differ.
So in this article, I'm going to talk about the benefits and technical basics of SSL authentication and encryption.
An SSL certificate makes your site more secure and is good for Google
First of all, the security aspect is of course decisive in connection with SSL. On the one hand, a certificate confirms the authenticity of the server being accessed. On the other hand, the communication between the web server and the client - i.e. the browser - is encrypted. This protects the communication against eavesdropping and tampering and thus keeps personal data, such as address or bank information, out of third parties' hands.
An SSL certificate also plays an important role for search engine optimization. Although it is not known to what specific extent SSL counts as a ranking criterion for Google, it is established that HTTPS is a ranking signal. A good two years ago, Google announced that it would give preferential treatment to encrypted sites in the search results and that it would gradually expand this practice.
In addition, it has recently become clear that Google's Chrome browser will soon brand unencrypted pages with a "Not secure" label in the address bar - at least those pages on which passwords or credit card information are requested without encryption. At the Google I/O developer conference in January 2016, developers from the security company CloudFlare presented a screenshot that gives a foretaste of what Google is planning.
Last but not least, Google also prefers HTTPS for crawling.
- Even absolutely trustworthy sites like t3n.de are marked as insecure in Google Chrome. In this case, however, the marking does not come from the site being insecure, but from my browser configuration when calling up the site.
An SSL certificate makes your website faster and more trustworthy
HTTPS means that the communication between the web server and the client is encrypted. However, this does not mean that SSL is a performance killer. Quite the opposite: since the HTTP/2 standard has existed (and browsers only speak HTTP/2 over HTTPS), encrypted sites run significantly faster than unencrypted sites. This also applies to their mobile versions. So anyone who has so far refrained from using encryption for performance reasons should know that this concern is unfounded!
Ultimately, an SSL certificate always has a psychological effect on visitors to your site. The lock symbol in the address bar and the reassurance of an encrypted connection have an effect on conversions. One would think that encryption is therefore mainly relevant for shop systems, payment providers, etc. But at the latest since Let's Encrypt started offering free SSL certificates, bloggers and other Internet professionals can also enjoy the benefits of HTTPS - without additional costs.
A free SSL Certificate provides the same technical benefits as a paid SSL Certificate.
When discussing the security-related features of SSL, it is first important to distinguish between the Certificate Authorities and the SSL Certificates themselves.
A certification authority (CA) issues certificates and signs them, i.e. confirms their authenticity. The issued certificate is then installed on the web server. When a visitor opens a website hosted on this web server, the site presents the certificate to identify itself as its legitimate owner.
The browser then checks the certificate presented by the site against the "certificate tree" it ships with (see illustration below). The so-called root certificate is at the top of the tree; all other certificates, and ultimately also the free certificates from Let's Encrypt, derive from it. Only if the root certificate and every upstream certificate in between are valid is an encrypted connection established. The certification authorities are therefore the linchpin of domain validation, and trust is the be-all and end-all for these institutions.
- This is basically how the SSL authentication process works, whether it's a free SSL certificate or a paid counterpart.
The certificates in turn serve to authenticate the communication partners - i.e. the web server and the browser - and to initiate the actual encryption mechanism. They ensure that the browser obtains the server's genuine public key, the counterpart of the private key held only by the server, so that the protected communication can be set up.
First, the server authenticates itself to the client as the certificate holder. Then asymmetric encryption is used to exchange the corresponding keys, and these keys in turn enable symmetric encryption. From this point on, all communication between client and server is encrypted.
The keys are regularly renewed over the course of the communication. Thus, the data stream remains protected against eavesdropping and modification even if an attacker should succeed in compromising a single key.
But how strong is the encryption actually? That depends entirely on the web server configuration of the respective hoster.
- This figure shows the so-called chain of trust of the Let's Encrypt certificates. You can see that the Let's Encrypt certificates are based on root certificates of the certification authority IdenTrust.
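The chain walk described above and the handshake that follows it can be made concrete in code. The following Go program is an added example and not code from the original article or from Let's Encrypt: it constructs an in-memory chain (a self-signed root, an intermediate and a leaf for the hypothetical host shop.example, all names chosen here) and then lets Go's standard crypto/tls library stand in for the web server and the browser over a loopback TCP connection. The server presents leaf and intermediate and proves it holds the leaf's private key; the client walks the chain up to the root it trusts, checks validity period and hostname, and only then do both sides derive the symmetric session keys. The server's MinVersion plays the role of the hoster's web server configuration from the paragraph above: a client that offers only an older protocol is refused.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must panics on error; acceptable for an example that only builds in-memory test material.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// makeCert issues a certificate for cn, signed by parent (self-signed when parent is nil). No real CA is involved.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(90 * 24 * time.Hour), // 90-day lifetime
		IsCA:         isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // the browser matches the URL's host against this
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed root ...
	if parent != nil {
		signer, signerKey = parent, parentKey // ... or signed by the issuing CA
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// Chain is root -> intermediate -> leaf as in the chain-of-trust figure. LeafKey never leaves the web server.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
	LeafKey                  *ecdsa.PrivateKey
}

// BuildChain plays the CA: a self-signed root signs an intermediate, which signs the site's leaf.
func BuildChain(host string) Chain {
	root, rootKey := makeCert("Example Root CA (constructed)", true, nil, nil)
	inter, interKey := makeCert("Example Intermediate CA (constructed)", true, root, rootKey)
	leaf, leafKey := makeCert(host, false, inter, interKey)
	return Chain{root, inter, leaf, leafKey}
}

// Handshake runs a real TLS handshake over loopback TCP: the server presents leaf+intermediate and
// proves it holds the leaf key; the browser-side client walks that chain up to trustedRoot, checks
// validity at time now and the hostname, and only then do both sides derive the symmetric session
// keys. serverMin is the web server configuration; clientMax models an older browser.
func Handshake(c Chain, trustedRoot *x509.Certificate, host string, now time.Time, serverMin, clientMax uint16) (tls.ConnectionState, error) {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	srvConf := &tls.Config{MinVersion: serverMin, Certificates: []tls.Certificate{
		{Certificate: [][]byte{c.Leaf.Raw, c.Intermediate.Raw}, PrivateKey: c.LeafKey}}}
	cliConf := &tls.Config{RootCAs: roots, ServerName: host, MaxVersion: clientMax,
		Time: func() time.Time { return now }}
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() { // web server side: accept the browser's connection and run the handshake
		conn := must(ln.Accept())
		srvErr <- tls.Server(conn, srvConf).Handshake()
		conn.Close()
	}()
	cli := tls.Client(must(net.Dial("tcp", ln.Addr().String())), cliConf) // browser side
	defer cli.Close()
	err := cli.Handshake()
	<-srvErr // the server side finishes (or fails) too
	return cli.ConnectionState(), err
}

func main() {
	ch, now := BuildChain("shop.example"), time.Now()
	st, err := Handshake(ch, ch.Root, "shop.example", now, tls.VersionTLS12, tls.VersionTLS13)
	fmt.Printf("trusted root: err=%v version=%#x suite=%s\n", err, st.Version, tls.CipherSuiteName(st.CipherSuite))
	_, err = Handshake(ch, BuildChain("shop.example").Root, "shop.example", now, tls.VersionTLS12, tls.VersionTLS13)
	fmt.Println("root not in the browser's store:", err)
	_, err = Handshake(ch, ch.Root, "shop.example", now.Add(365*24*time.Hour), tls.VersionTLS12, tls.VersionTLS13)
	fmt.Println("certificate expired:", err)
	_, err = Handshake(ch, ch.Root, "shop.example", now, tls.VersionTLS13, tls.VersionTLS12)
	fmt.Println("server configured for TLS 1.3 only, old client:", err)
}
```

Note that nothing about the certificate itself decides the outcome of the last case: the same leaf is accepted or refused purely by what the server configuration allows, which is the point made above about encryption strength depending on the hoster.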
Whether you have a free SSL Certificate or not, trust is everything
From a technical point of view, there is no fundamental difference between paid and free SSL certificates. What is massively different, however, is the certification authority. Opinions differ on the question of the trust that can be placed in the CA.
Behind classical certification bodies there is an economically more or less successful company. The most important capital object of this company is the trust of the customers and the public in its certification service.
In contrast, Let's Encrypt and its parent organization, the Internet Security Research Group, are not run for profit but pursue a non-profit mission. At the same time, industry giants such as Chrome, Facebook, Mozilla and Linux stand behind Let's Encrypt.
Thus, the question of trust in the certification body is to some extent a matter of judgment: am I more likely to trust the company that does marketing to maximize the trust placed in it, or the non-profit certification body that relies on the reputation of the industry leaders supporting it?
Conclusion: There are hardly any technical differences - but there are organizational ones.
Whether it comes from Comodo, Thawte and Co. or from Let's Encrypt: SSL encryption brings many advantages to your site and makes it more competitive overall. On a technical level, the certificate types hardly differ: HTTPS is HTTPS. The encryption strength, on the other hand, is mainly a matter of the web server configuration.
If you have a free SSL certificate, you don't have to worry about disadvantages compared to paid certificates, because the most important security-relevant factor for domain-validated certificates is the certification authority, not the certificate itself. Which certification authority you trust is again a matter of judgment. Both the open initiative promoted by industry giants and the profit-oriented company whose most important corporate asset is the trust of its customers have an interest in being seen as trustworthy as possible.
We, the Raidboxes team, have decided to trust the Let's Encrypt project. This is because it enables us to pass on the many advantages of SSL directly - and above all free of charge - to our customers.