Fortunately, more and more hosts now offer Let's Encrypt™ certificates, i.e. free SSL, so it is time to take a closer look at the initiative behind this "SSL for everyone". What exactly does Let's Encrypt do? Why are the certificates free? What can Let's Encrypt already do, and where does it still need to catch up? We discuss these and other questions in this background article.
Encryption of data traffic is becoming more and more the standard on the net. Fortunately! Since we ourselves integrated Let's Encrypt about a year ago, it makes sense to take a closer look at the project.
Let's Encrypt is a relatively young certificate authority (CA) for SSL/TLS certificates; its public beta started in 2015. The initiative has created an automated process through which SSL certificates are issued. These certificates show visitors of a site that they are on the "real" website and that the data traffic between browser and web server is encrypted.
What is Let's Encrypt?
The key principles of Let's Encrypt are:
- Free: Everyone who owns a domain name can use Let's Encrypt. Furthermore, Let's Encrypt certificates are free of charge.
- Automatic: Software running on a web server can interact with Let's Encrypt to obtain a certificate, configure it securely for use, and automatically take care of renewal.
- Secure: Let's Encrypt serves as a platform for advancing TLS security best practices, both on the CA side and by helping site operators secure their servers properly.
- Transparent: All issued and revoked Let's Encrypt certificates are publicly available to everyone.
- Open: The automatic issuance and renewal protocol (ACME) is published as an open standard that others can adopt.
- Cooperative: Much like the underlying Internet protocols themselves, Let's Encrypt is a collaborative effort that benefits the community.
What is Let's Encrypt actually?
Yes, Let's Encrypt certificates are really free of charge
First, the most pressing question: is Let's Encrypt really free? To make a long story short: yes, neither the certificates nor the required programs cost money. For many people, however, the real question is not an economic one but rather why Let's Encrypt is free. Why is a product that other organizations previously charged for suddenly offered free of charge?
Non-profit status and sponsors make Let's Encrypt free of charge
Let's Encrypt is a non-profit project and hardly has to pay any staff. In addition, most of the processes are automated. This eliminates a large financial burden. The required hardware is also largely covered by the cooperation with the Linux Foundation. All other costs are covered by sponsorships and donations.
Anyone can donate any amount of money to the organization via PayPal. A sponsorship system has been created for larger sums and for organizations. The most expensive package costs $350,000; smaller companies pay between $10,000 and $50,000, depending on the number of people they employ.
What are the goals of Let's Encrypt?
Now, not only economic considerations play a role in this context, but also the question of the organizers' motives. On the one hand, there is the altruistic argument: HTTPS should become the standard on the Internet and all website operators worldwide should be enabled to adapt their own website to it easily and free of charge.
It's time for encrypted communications to be the default on the web and Let's Encrypt is going to make it happen. - Let's Encrypt
The second important motivation is the will to create equality on the net. After all, the presence of an SSL certificate has now become a ranking criterion for Google. If certain websites either cannot afford certificates or have no access to them, these sites - and thus certain individuals and their WordPress projects - are excluded from participation on the Internet.
We provide certificates free of charge, because cost excludes people. Our certificates are available in every country in the world, because the secure Web is for everyone. - Let's Encrypt
The idea of justice and equality thus seems to be the central element of Let's Encrypt's efforts.
Let's Encrypt is supported by many industry leaders
In addition to the official sponsors, which include big names such as Mozilla, Cisco, Chrome and Facebook, companies from the WordPress sector are also among the supporters of the Let's Encrypt project, for example Automattic and wpbeginner. These companies and organizations in particular are an excellent fit for Let's Encrypt because of their WordPress-specific view of the Internet and their motivation.
Automattic, by the way, is a silver sponsor, which means an annual contribution of $50,000. Automattic is most notable for integrating Let's Encrypt certificates as standard for sites hosted on WordPress.com.
Let's Encrypt is the project, the organizational structures are much larger
Let's Encrypt itself is merely the certification service, i.e. the authority that issues the certificates. The overall organizational construct, however, is much larger. The parent organization of Let's Encrypt is the Internet Security Research Group (ISRG), based in San Francisco. The board of this non-profit organization includes scientists, company representatives and representatives of foundations and other non-profit organizations.
At least two other institutions are also important in connection with Let's Encrypt. Firstly, the Electronic Frontier Foundation (EFF), which has been looking after Certbot, the certification software for creating Let's Encrypt certificates, since May 2016. The other is the Linux Foundation, which provides the technical infrastructure for Let's Encrypt through its Collaborative Projects program.
All in all, several teams from non-profit organizations are in charge of Let's Encrypt and the corresponding infrastructure.
The greatest strength of Let's Encrypt is its ease of use
The three biggest strengths of Let's Encrypt are certainly that the certificates are free, that Let's Encrypt and the required software are constantly being developed and improved, and that setting up the certificates is relatively easy.
We have already discussed the aspect of free certificates. In addition to this, Let's Encrypt is also constantly being developed further. Finally, the certificates are also quite easy to set up for anyone with the appropriate skills and access rights. Even learning the necessary steps is not necessarily difficult. You only have to use Certbot and add the necessary modules to your web server. Certificates can then be set up and renewed.
The biggest weakness of Let's Encrypt is compatibility
Currently, the range of certificates is very limited: only one type, the domain-validated (DV) certificate, is offered. This will not change in the future, because the extended validations required for OV or EV certificates cannot be automated and also cost money. However, it is precisely the automation that makes Let's Encrypt certificates free. Extended validations are thus currently difficult to reconcile with the basic idea of Let's Encrypt, even though there were initial ideas about how validation could, for example, be outsourced to the community. To our knowledge, however, the plans for introducing extended validations have not been pursued any further.
While the certificates are not difficult to integrate for professionals, non-professionals, or people with only limited access to their web server, may spend a disproportionate amount of time adjusting the server configuration for Certbot, ordering the certificates, integrating them and renewing them regularly. In particular, the validity period of a Let's Encrypt SSL certificate is much shorter than that of a "normal" certificate: Let's Encrypt certificates have to be renewed every 90 days. A classic SSL certificate, on the other hand, is valid for 12, 24 or even 36 months and usually requires no technical maintenance during this period.
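Because of the 90-day validity, a renewal that silently fails is the most common way a Let's Encrypt site ends up with an expired certificate. The following script is an added example (not code from the article or from the Let's Encrypt project) that checks whether a certificate file is inside the renewal window, using the 30-day threshold that Certbot's own `certbot renew` uses by default; it assumes the `openssl` command-line tool is installed and builds its own constructed test certificates.

```shell
#!/bin/sh
# Added example: decide whether a certificate on disk is due for renewal.
# Assumes the openssl CLI is available; the certificates are constructed
# locally for demonstration and are not real Let's Encrypt certificates.

# needs_renewal CERT_FILE DAYS
#   returns 0 (true)  if CERT_FILE expires within DAYS days,
#   returns 1 (false) if it is still valid for longer than DAYS days,
#   returns 2         if the file cannot be read (treat as "investigate").
needs_renewal() {
    cert="$1"
    days="$2"
    [ -r "$cert" ] || return 2
    seconds=$((days * 86400))
    # `openssl x509 -checkend N` exits 0 when the certificate will NOT expire
    # within N seconds and 1 when it will; we invert that into "needs renewal".
    if openssl x509 -checkend "$seconds" -noout -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# make_test_cert OUT_FILE DAYS
#   constructed self-signed certificate valid for DAYS days (test data only)
make_test_cert() {
    out="$1"
    days="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$out.key" -out "$out" \
        -days "$days" -subj "/CN=example.test" >/dev/null 2>&1
}

# report CERT_FILE: human-readable status, e.g. for a cron mail
report() {
    if needs_renewal "$1" 30; then
        echo "RENEW NOW: $1 expires within 30 days"
    elif [ $? -eq 2 ]; then
        echo "ERROR: cannot read $1"
    else
        echo "OK: $1 valid for more than 30 days"
    fi
}

# Usage: ./check-cert.sh /etc/letsencrypt/live/example.test/fullchain.pem
[ -n "$1" ] && report "$1"
```

Run it from cron against the live certificate path and alert on any line that does not start with `OK`; a certificate that Certbot renewed successfully will always report more than 30 days remaining.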
In case of problems, you are completely on your own and cannot make use of any support services from Let's Encrypt. However, there is an extensive community support forum. In the early days, the compatibility of the free SSL certificates with different browsers was also a problem. In the meantime, however, all major browsers can handle the certificates. There are actually only problems with outdated software.
So if you don't have the necessary skills, integrating a certificate yourself, including testing, troubleshooting and fixing, can be significantly more expensive than buying an SSL certificate. However, this too is now more of a theoretical problem, because many hosts either support a simple 1-click installation of the certificates or offer free basic certificates from other certificate authorities.
Conclusion: Let's Encrypt has a noble goal that should be supported
According to Let's Encrypt, it wants to make the Internet safer and faster, especially for users who previously had no access to SSL certificates. For professional website operators, Let's Encrypt offers above all a cost, trust and SEO advantage, even if only with domain validation. Whether extended validations will also be offered in the foreseeable future is doubtful, assuming the automation problem cannot be solved.
However, the certificates not only provide free encryption - and for some people a deeper understanding of security on the Internet - but also indirectly support the good cause behind Let's Encrypt. We integrated Let's Encrypt mainly because we believe in the benefits of the project. Even though the certificates are free, using them is not without value: it is hopefully a contribution to a new security standard on the Internet.
Featured image: Unsplash