Is there any reason to not use Let’s Encrypt? I wanted to talk about that a little bit in this piece because most of my clients, the ones on a maintenance agreement, always complained about SSL renewals. For those who do not know, Let’s Encrypt provides free security certificates for your websites. They also provide all the tooling to make the entire process completely automatic if you know how to set cron jobs on the server-side. Now, before I get into the actual merits of Let’s Encrypt, it is probably worth examining exactly how we got to this point in 2021.
From the start of the mainstream internet, through the 80s and 90s, and to a lesser degree, the 2000s, sites were not using any kind of security. They were all just HTTP sites. Some sites loaded over HTTPS, but they were typically sites that required it, like people who are conducting e-commerce online. This was true for everyone. It did not matter the size of the business. In fact, Google’s main search page was actually insecure for quite a long time.
The trend of selectively securing sites continued through the 2000s and into the 2010s. To be fair, a lot of the sites did not really need to be secure. I mean, most of the sites had just a landing page that had hours of operation, a map, and basic information about the site or business. The sites that were secure back then were the ones where people used emails and passwords, credit cards, and other sensitive or personal information. Even then, there were plenty of unsecured sites, even though they were taking sensitive information, and it was what it was.
Everybody was learning as they went and doing their best. In 2013, everything changed when Edward Snowden blew the whistle on the American government for conducting mass surveillance, and not just the American government, but other governments of western countries using that same technology in coordination with the American government.
Anyway, in the next year or so, as more information came out, a huge renewed interest in secure encrypted communication over the internet emerged. From 2013 or 2014 to the present day, roughly the last seven years, there has been a non-stop, unrelenting push for everybody on the internet to encrypt everything.
What does this all have to do with Let’s Encrypt? Well, when we think of the internet in 2021, client devices like phones, tablets, computers, TVs, IoT devices, and other things that are connecting to the back-end services, need to be protected because you never know who is looking for your information. This is done by the use of security certificates.
If the technology to get certificates existed for the last 20 years, why do we even need Let’s Encrypt? Simple. See, for the last 20 years, companies have been selling the ability to have a secure site, rather than just giving it. The only way to get a security certificate before was to do a manual process and then pay a company some money, and then you would have one installed. The amount you would pay was dependent on the vendor.
That was a lucrative business, right? Sure, but we have a renewed interest in encrypting everything now. So, if we are going to ask everybody to encrypt every web server on the planet, we have to do so with the lowest friction and the lowest barrier possible, and for sure, it cannot include them having to pay anything. This is why Let’s Encrypt was born. The fully automated free way to get unlimited security certificates.
Now, even though Let’s Encrypt came out five years ago, there are other commercial vendors of security certificates still selling these security certificates. How are they managing to compete with Let’s Encrypt, which is offering what they are offering for free? The first potential reason is that people are just not aware that Let’s Encrypt even exists. There is honestly not a whole lot we can do about that other than just tell people that it exists and that they can just get security certificates for free.
The second potential reason is that people believe some of the rumors that commercial security certificate vendors are putting out about Let’s Encrypt. Such rumors include things like it does not work on all browsers and has compatibility issues, or that a Let’s Encrypt certificate is less secure than one you get from another vendor. Look, compatibility issues might have been true when Let’s Encrypt first came out, but in 2021, it is just as compatible as anything else out there. As far as Let’s Encrypt giving out certificates that are somehow less secure than other vendors, that is just a flat-out lie. In terms of the security technology, and the way the handshake works, it is identical to the certificates that are deemed worthy.
The third reason that I consider somewhat reasonable is that other vendors sell you more than just the actual certificate. They can offer things like customer service, a warranty, and extended validation.
An Extended Validation (EV) SSL Certificate is a certificate which is issued by a Certificate Authority (CA) only after performing an extensive verification of the company and owner. For this reason, the validation and issuance process usually takes between one and seven days. Yet, if you keep your company’s records up-to-date, the EV SSL Certificate is issued quickly, typically within a few business days.
Obviously, these things require human intervention. So, it makes sense to charge for that human intervention.
Do you need customer service or extended validation? In my opinion, you do not. Actually, I would take that back and say that it depends. See, if you, as a client, do not want to pay a developer a monthly fee for maintenance, you can get the services so that if anything goes wrong, you can have the support required if the certificate turns out to be the issue. If you are a techie who can do everything by yourself, you do not. As it turns out, a lot of people seem to agree because there are a lot of sites that keep popping up, that are all using Let’s Encrypt certificates, and the number grows every single day.
Using Let’s Encrypt is not that hard. If you know your way around cPanel or SSH, you should be good. If you are not a techie, get a techie to help save you some cash. On the topic of how far we have come on securing the internet, the statistics never lie. In 2013, it was estimated that only about 22% of the sites out there were using HTTPS. Fast-forwarding to the present day, Google is reporting that as of January 2021 in Google Chrome, for all users with anonymous usage statistics enabled, 97% of the pages are viewed over HTTPS. That is a shockingly high number!
If you are reading this article and you happen to be among the 3% using HTTP, consider looking into securing your site, and you can use Let’s Encrypt for free. Anyone reading this article who is still paying for security certificates should check out Let’s Encrypt. If you cannot do it by yourself, get a techie to do it for you for a small fee, and you will be all set for stress-free business.