How to Secure Your Website with a SSL/TLS Certificate for Free in a Few Minutes

And why some people still like to pay for a certificate

Daniel Chan
The Startup
4 min read, Dec 6, 2019


What’s SSL or TLS?

Transport Layer Security (TLS) is a cryptographic protocol which provides authentication and data encryption between machines over a network. In simple terms, it is what is in use when you access a website and your browser shows a lock symbol and the address starts with https rather than http. SSL (Secure Sockets Layer) was originally developed by Netscape. Version 1.0 was never released to the public. Version 2.0 went public in 1995 and was soon replaced by SSL 3.0 when vulnerabilities were found. TLS came onto the scene in 1999 as a replacement for SSL 3.0.

Why use TLS on my website?

This is not just so that traffic between your client and the server is encrypted; it also boosts your website’s ranking in Google Search.

Why is it sometimes called an SSL certificate and sometimes referred to as an SSL/TLS certificate?

The certificates are not dependent on protocols. While many vendors tend to use the wording “SSL/TLS Certificate”, it may be more appropriate to call them “certificates for use with SSL or TLS”, since the protocols are determined by your server configuration, not the certificates themselves. Some vendors simply call them SSL certificates because that’s the term people are more familiar with.

How can it be free?

The Internet Security Research Group (ISRG) was formed in 2013 with the mission “to reduce financial, technological, and educational barriers to secure communication over the Internet.” In an effort to increase the use of SSL/TLS on the web, ISRG created its first project, Let’s Encrypt. Normally, it would cost you some money per year to get a certificate authority (CA) to issue a certificate to you. Let’s Encrypt is free, and it renews automatically through software running on your web server.

Sounds great: free, and automatically renewed before expiry. So what’s the catch?

The free certificates are just as secure as the paid-for ones. Let’s Encrypt is backed by many people from big organizations such as Cisco, ACLU, Facebook, Univ. of Michigan, OVH, Red Hat, Internet Society and Mozilla.

These are the main points to watch out for regarding Let’s Encrypt certificates:

  1. They only support domain validation (DV). Organization Validation (OV) and Extended Validation (EV) are not supported. DV certificates are issued in a matter of minutes, without any particular checks. OV certificates are only issued after document checks, verifying the company trying to get them. These commercial certificates offer a higher level of customer trust and recognition. I will explain Extended Validation in another section below.
  2. They only last 90 days. Paid SSL Certificates are valid for up to five years. The renewal is automatically done through Let’s Encrypt software, but it is still a good idea to check manually that it has gone through properly.
  3. Commercial SSL Certificates include a warranty in case of security compromise, often in the order of $250,000 or even higher for EV certificate (go here for an example).
  4. Some e-commerce sites need to comply with PCI requirements. It is recommended to use an OV or EV certificate for transactions (in that pdf, look at the section headed “4.1 Certificate Types (DV, OV, EV) and Associated Risks”).

The following were some reasons to go for a more expensive EV certificate, but I believe they are no longer important; they are listed here for reference:

  1. EV certificates were even better than OV: not only were they verified before issuance like the OV type, they also came with the green bar, where your company’s name was displayed next to the URL. This could establish a higher level of trust with your users. This is no longer the case since Chrome 69, which doesn’t even show the word “Secure”. The higher monetary warranty that comes with an EV certificate is probably the only reason left to get one.
  2. Paid SSL certificates come with static or dynamic site seals, which show the logo of the issuer on your website. A static seal is just a picture, while a dynamic one actually links back to the issuer’s website, displaying the details of the certificate. I am not sure if it adds any value, considering even big companies like banks don’t use them.
  3. You might have read articles saying you need to go for a commercial certificate if you need to cover subdomains (a wildcard certificate) or multiple websites under a single SSL installation (a multi-domain certificate). Looking at the Let’s Encrypt forum, that’s no longer the case.

Conclusion

So should you use Let’s Encrypt? I would say if you are not doing something highly critical, e.g. an early stage startup with not many users, then you probably can start with Let’s Encrypt. Go here to get started. If your organization is already making a profit, then you should go for a paid certificate, to get a higher level of customer trust and recognition. Also, Let’s Encrypt is supported by a community. If you need support, then you may want to go for a commercial solution.

Regardless of which type of SSL certificate you choose, make sure you have the relevant technical personnel to look after your SSL matters. He or she needs to handle the rare event of your CA being compromised (switch to new certificates ASAP), and also to check that certificates are renewed correctly before expiry.
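As an added example (not part of the original article), here is a small Python script for the manual check recommended in point 2 above and in the paragraph just before this one: it pulls the leaf certificate from a live server (or uses a constructed sample), reports the issuer, the certificate lifetime, days left until expiry and the names (including wildcards) it covers, and flags when renewal is due. The 30-day threshold is certbot’s default renewal window; the sample values and function names are my own assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEW_THRESHOLD_DAYS = 30  # certbot's default: renew once fewer than 30 days remain


def cert_summary(cert, now_iso=None):
    """Summarise a getpeercert() dict; now_iso (ISO 8601 with offset) pins "now"."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    # issuer is a tuple of RDNs, each a tuple of (attribute, value) pairs
    issuer = {attr: value for rdn in cert.get("issuer", ()) for attr, value in rdn}
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    days_left = (not_after - now).days
    return {
        "issuer_org": issuer.get("organizationName", "unknown"),
        "lifetime_days": (not_after - not_before).days,
        "days_left": days_left,
        "names": names,
        "wildcard": any(n.startswith("*.") for n in names),
        "renewal_due": days_left < RENEW_THRESHOLD_DAYS,
        "expired": now >= not_after,
    }


def fetch_cert(hostname, port=443, timeout=5.0):
    """Open a verifying TLS connection and return the server's leaf certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() shape: a 90-day Let's Encrypt DV certificate
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),), (("commonName", "R3"),)),
    "subject": ((("commonName", "example.com"),),),
    "notBefore": "Nov  1 00:00:00 2019 GMT",
    "notAfter": "Jan 30 00:00:00 2020 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}

if __name__ == "__main__":
    import sys
    cert = fetch_cert(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CERT
    print(cert_summary(cert))
```

Run it with a hostname argument to inspect a real server; if `renewal_due` is true on a Let’s Encrypt site, the automatic renewal has probably not gone through.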


Banking IT professional/ Software engineering (golang, C#, Python, C++)/ Startup/ Machine Learning and IoT enthusiast