Let’s Encrypt Vs Premium SSL _ An Insightful Comparison - PowerPoint PPT Presentation

Description:

Let's Encrypt and Premium SSL certificates are two options for securing websites with SSL/TLS encryption, but they differ in several key aspects, including cost, validation level, and features. Here's a comparison of the two:

Slides: 8
Provided by: dineshkatyare

1
Let's Encrypt Vs Premium SSL: An Insightful Comparison

Back in 2014, Google announced that websites served over HTTPS would get better SEO rankings, along with its call for "HTTPS everywhere". This announcement caused a lot of controversy among web developers and website owners. Some people were quite happy with the idea because they agreed that generalized HTTPS use makes the internet a safer place, while others thought that the initiative was unnecessary, complicated and expensive. Another reason for people to be unhappy with the announcement was that they would have to re-code their websites to use HTTPS and also spend more money on purchasing SSL certificates that they didn't need earlier.

At that time, people might not have thought that HTTPS would conquer the internet world so easily. Many non-believers might have dismissed Google's decision, but here we are in the year 2017, where Google marks non-HTTPS websites that request passwords or credit card information as unsafe. This makes Google's initiative more convincing and important, and it is now inevitable to have an HTTPS website, especially if you accept online payments.
MilesWeb.in
2
In order to comply with Google's standards and to avoid getting your website flagged as "not secure", every website owner should make sure that all the website pages are served through HTTPS. Many browsers have also started to warn their users whether the website that they are browsing is safe or not. The most important fact to be aware of is that it is not enough to simply enable HTTPS on your domain: every element of your page must be loaded through HTTPS, including images, CSS files, JavaScript etc. It is important to analyze your website to check whether any third-party services such as analytics or social plugins are integrated in its code, and to ensure that they are configured in the correct way.

What Is Let's Encrypt? And what makes it different from a traditional Certificate Authority?

Let's Encrypt is an automated, free and open certificate authority (CA) that runs for the public benefit. This service is provided by the Internet Security Research Group (ISRG). While you might be allured by the "free" aspect of this service, it is important for you to know the rest of the implications that come with using Let's Encrypt.

Let's Encrypt works on a simple principle: they support the generalization of HTTPS and want to make it available to every website owner. However, as they run on a non-profit basis and have a limited amount of resources, they have to focus on sustaining the core principle, that is, creating an easy and automated SSL issuance process. They are not driven by the goal of providing any end-user support for certificate generation or renewals; given the nature of this initiative, this is understandable.

Let's Encrypt is still a comparatively young service. They left Beta in 2016; this means that they don't have the credibility and experience of a properly established certificate authority. This is the reason why they lack an extremely important feature that is provided by the traditional certificate authorities: ubiquity, or omnipresence. All browsers and operating systems include a root repository that contains a list of approved or trusted certificate authorities along with their root certificates. The root certificate states which intermediate certificates should be trusted and which shouldn't; therefore, being a part of this group is extremely important for every certificate authority.
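The check this slide asks for, that every element of an HTTPS page (images, CSS, JavaScript, third-party plugins) is itself loaded over HTTPS, can be automated. The Python sketch below is an added example, not part of the original presentation; the sample page, the host names and the active/passive grouping of tags are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# (tag, attribute) pairs that make the browser fetch a sub-resource.
# "active" content can rewrite the page; "passive" content is only displayed.
LOADERS = {("script", "src"): "active", ("link", "href"): "active",
           ("iframe", "src"): "active", ("img", "src"): "passive",
           ("video", "src"): "passive", ("audio", "src"): "passive"}

class MixedContentScanner(HTMLParser):
    """Collect sub-resources that an HTTPS page would fetch over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.findings = []  # (kind, tag, absolute_url, is_third_party)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for (t, attr), kind in LOADERS.items():
            if t != tag or not attrs.get(attr):
                continue
            # <link> is only treated as a sub-resource load for stylesheets
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                continue
            # Resolve relative and protocol-relative URLs against the page URL
            url = urljoin(self.page_url, attrs[attr].strip())
            parsed = urlparse(url)
            if parsed.scheme == "http":
                third_party = parsed.hostname != self.page_host
                self.findings.append((kind, tag, url, third_party))

def scan(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

# Constructed sample page (hypothetical hosts, not from the presentation)
SAMPLE = """<head>
<link rel="stylesheet" href="/css/site.css">
<link rel="stylesheet" href="http://cdn.example.net/theme.css">
<script src="//stats.example.org/analytics.js"></script>
<script src="http://widgets.example.org/share.js"></script>
</head><body>
<img src="http://shop.example.com/img/logo.png">
<a href="http://partner.example.net/">plain link, not a sub-resource</a>
</body>"""
```

Calling `scan("https://shop.example.com/cart", SAMPLE)` reports the two third-party loads (stylesheet and script) and the first-party image; relative and protocol-relative URLs inherit HTTPS from the page and are not flagged.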
3
To look at it another way, as Let's Encrypt is still a new company, the certificates issued by this authority are not 100% accepted by all the browsers, especially the certificates that were released before this organization came into existence. This is the reason why they reached out to IdenTrust, another certificate authority trusted by the main browsers, in order to cross-sign their CAs. Even though this solves most of the browser warnings, it still does not address some compatibility issues that are discussed further in this article. On the positive side, Let's Encrypt makes use of their self-issued root and intermediate certificates, and the private keys are, according to their website, stored on hardware security modules (HSMs), out of the reach of hackers.

Benefits And Limitations Of Let's Encrypt

Speed Of Issuance

As Let's Encrypt certificates are free of charge and their issuance process is completely automated, the certificates are generated really fast, if not instantly. The validation process is quickly performed with the help of ACME protocol-based software. Users can have a valid certificate effective on their domain within a few seconds.

In contrast, with a traditional certificate authority the user has to place an SSL order first. Users can place the order directly on their website or through a reseller, and then have to perform the validation steps manually. The validation process can take from a few hours to several days, depending on the type of certificate purchased.

Validation / Visitor Trust Level

The certificate types available through Let's Encrypt include the basic or SAN (multi-domain) DCV SSL certificates. Recently established, Let's Encrypt does not have any plans to offer Organization Validated or Extended Validation certificates in the coming future. DCV stands for Domain Control Validation; in this validation process, the only thing that is checked before issuing the certificate is that the requester of the certificate has access to the domain, shown either by uploading a simple .txt file to the domain's root folder or by adding a particular DNS record to the domain zone. As a result of this process, a lot of questions are raised over HTTPS credibility, since anyone can get access to a free SSL certificate, including malicious organizations.
4
The malicious organizations will not miss the opportunity to use the HTTPS padlock, which is recognized for web security throughout the world, to pass as genuine business organizations.
Easy and free access to trusted SSL certificates reduces the importance of HTTPS, and this can trick uneducated users more easily. How will visitors differentiate between a genuine, respectable business organization and a phishing website? This is where the Organization Validated or Extended Validation certificates come into the picture. The validation process is extended further for these types of certificates. In addition to the DCV step, businesses also have to prove their legitimacy. Businesses can do this either by showing proof of incorporation or by providing other important documents that establish the existence of the business as a bona fide trading entity. Moreover, for Extended Validation certificates, the validation process goes even deeper: the certificate authorities carry out independent checks to confirm that the information provided by the certificate requester matches the information available in the public registers.

Also check: Let's Encrypt Accomplishes Its Promise with Free Delivery of Wildcard Certificates

The Organization Validated and Extended Validation certificates always include some details about the website owner, depending on the level of validation, and browsers display this certificate information to website visitors. For instance, you may have seen a green address bar that includes the company name; this green bar substantially increases the trust level of users. The OV/EV SSL certificates also provide branded website seals that further increase users' confidence.

Browser Compatibility

As stated earlier, Let's Encrypt certificates are not completely compatible with all browsers, in light of the fact that they are still a new certificate authority and the main browsers or operating systems do not recognize them. Let's Encrypt publishes a list of incompatibilities, mentioned below.

Possibly Incompatible
  • Sony PS3 and PS4 game consoles

Known Incompatible
  • Blackberry OS v10, v7, v6 (Comodo support 4.3.0)

5
  • Nintendo 3DS
  • Windows XP prior to SP3
  • Java 7 < 7u111
  • Java 8 < 8u101

In practical terms, most website owners will find that Let's Encrypt is compatible with the devices used by a majority of their clients. However, in the case of SNI, if your clients are still using older operating systems, browsers or mobile devices, there is a chance of encountering some problems.

Purchasing a premium SSL certificate issued by an established certificate authority will generally avoid the compatibility issues. This is because the established certificate authority is already recognized and trusted by all the major software and hardware combinations; this is not just a fact now, but was the case in the past as well (meaning that even the older devices worked as expected).

Certificate Lifetime And Reliability

The certificates provided by Let's Encrypt have a maximum lifetime of 90 days. Given that the renewal process is 100% automated, this might not seem to be an issue at first. However, the renewal process is not completely error-free; some issues have already been reported on the Let's Encrypt community page. Users have complained about renewals failing for various reasons, including problems with the .config files, failed domain control authentication etc.

In the absence of a reliable renewal system, and with no support staff available for troubleshooting technical issues, renewing SSL certificates turns into a daunting task. Even if you have a lot of technical skill, as the certificates have to be renewed quite frequently, undertaking the renewal process on your own can take up a lot of your time.

The fact that Certbot asks users to run the auto-renewal cron jobs multiple times every day should raise some doubt about the reliability of this process.

As quoted by Certbot: "if you're setting up a cron or systemd job, we recommend running it twice per day (it won't do anything until your certificates are due for renewal or revoked, but running it regularly would give your site a chance of staying online in case a Let's Encrypt-initiated revocation happened for some reason)."
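Because the concern raised on this slide is a renewal job that fails without anyone noticing, one mitigation is to monitor expiry dates independently of the renewal job itself. The Python example below is added here and is not from the presentation or from Certbot; the inventory, the one-third-of-lifetime renewal point and the three-day grace period are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone, timedelta

def parse_cert_time(value):
    """Parse the notBefore/notAfter strings returned by ssl.getpeercert()."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)

def fetch_dates(host, port=443):
    """Read validity dates from a live server (an expired certificate fails
    the handshake here, which is itself an alert condition)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return cert["notBefore"], cert["notAfter"]

def renewal_status(not_before, not_after, now, grace=timedelta(days=3)):
    """Return (status, days_left) for one certificate.

    Assumption: automation renews when one third of the lifetime remains
    (30 days for a 90-day certificate); `grace` allows for a few retries.
    """
    start, end = parse_cert_time(not_before), parse_cert_time(not_after)
    remaining = end - now
    renew_at = (end - start) / 3
    if remaining <= timedelta(0):
        status = "EXPIRED"
    elif remaining < renew_at - grace:
        status = "RENEWAL_OVERDUE"  # the scheduled job has been failing
    elif remaining < renew_at:
        status = "RENEWAL_DUE"
    else:
        status = "OK"
    return status, remaining.days

# Constructed inventory: host -> (notBefore, notAfter), all 90-day certificates
INVENTORY = {
    "www.example.com": ("Jan 01 00:00:00 2017 GMT", "Apr 01 00:00:00 2017 GMT"),
    "shop.example.com": ("Feb 15 00:00:00 2017 GMT", "May 16 00:00:00 2017 GMT"),
    "api.example.com": ("Jan 17 00:00:00 2017 GMT", "Apr 17 00:00:00 2017 GMT"),
    "old.example.com": ("Dec 10 00:00:00 2016 GMT", "Mar 10 00:00:00 2017 GMT"),
}
NOW = datetime(2017, 3, 20, tzinfo=timezone.utc)  # constructed "current" time

def check_inventory(inventory, now):
    return {host: renewal_status(nb, na, now) for host, (nb, na) in inventory.items()}
```

A `RENEWAL_OVERDUE` result is the signal that matters: the certificate is still valid, but the automated renewal should already have replaced it.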

6
have paid a price. As Let's Encrypt certificates are available free of cost, the limitations should also be accepted. The premium SSL certificates offered by Let's Encrypt have a lifetime duration of 1-3 years. Naturally, as there is a longer period between renewals, there is a lower risk involved in the renewal process. Considering the worst-case scenario, it might have an impact on your business once every 3 years in comparison to once every 3 months! In addition to this, the premium SSL certificates are generally renewed manually by users. Even if you have the proper processes in place for ensuring that any certificate expiry doesn't go unnoticed, the human element can identify and resolve the issues before they have any negative impact on your business.

At MilesWeb, we take complete responsibility for every premium SSL certificate that we provide. Customers are notified 60 days in advance before the certificate expires. The entire issuance, validation and installation process is fully managed by MilesWeb. The reliability of the renewal process provided by MilesWeb vs. the one offered by Let's Encrypt is unmatched. Failures in the SSL renewal process might create problems for your business; therefore, you must consider signing up for a premium SSL certificate.

Certificate Limits

Let's Encrypt does not provide wildcard certificates; this means that you need a separate certificate for every sub-domain that you want to secure. It is important for you to know the exact sub-domain at the time of requesting the certificate or at the time of replacing it. You can request a maximum of 20 certificates for every domain in a period of 7 days; therefore, if you have more than 20 sub-domains, this can get a little difficult to manage. This process does not have any override mechanism, so however you reach that limit, whether by mistake or because of the number of domains you own, the only way forward is to wait for 7 days until the limit resets. Even though you can request multiple domains in 1 certificate, there is a limitation of 100 names. In case you need more, the only option you have is to opt for a premium SSL certificate.

There are some other technical limits on the issuance and renewal of the certificates as well, but normally you won't encounter them.
7
It is important for you to note that if you encounter any technical issues, the only option you have is to wait for the limit to reset. There is no technical support person available at Let's Encrypt to make any exception for you.
Should you still pay for the SSL certificate?

The answer to this question depends on three things:
  • The type of business you run
  • Technical skills possessed by you and your technical department
  • How much you value your time

Yes, Let's Encrypt certificates are free, and that is a great thing if you are working on a tight budget, but the truth is that the average price of a premium SSL certificate is less than 1 per week, and this will be one of the lowest of your business overheads. You need to determine for yourself whether the time and business risk involved in dealing with a renewal malfunction justify the cost saving.

As a MilesWeb customer, you are already aware that we offer fully managed services and that our premium round-the-clock support extends to services like SSL and domain names as well. This means that everything, right from ordering, installation, renewal and reissue of the certificate to troubleshooting issues, is MilesWeb's responsibility.

The best thing about purchasing a premium SSL certificate is that there is no admin burden, but apart from that, premium SSL certificates are also worthy of customers' trust. This is an extremely important aspect for any business, and especially for ecommerce businesses, where users have to be confident and comfortable entering their card details or giving out personal information. A Green Bar or a Site Seal offers the required reassurance that the trade is being made by a reliable business entity.
