At this moment, we are using a GeoTrust Quick Premium SSL certificate. We are trying to clarify the difference between Let’s Encrypt and paid DV SSL certificates. SSL resellers often confuse users. They try to say that Let’s Encrypt is bad because it is free. The GNU/Linux operating system is also free, and OpenStack is also free. Very few use paid RHEL; even Red Hat will point towards the free options for wrong clients. Free does not mean that there is no cost of production. The needed funds come from donations and sponsorship.
Let’s Encrypt Versus Paid DV SSL Certificates
You can read the guide on which SSL certificate to choose. Paid SSL certificates essentially carry a warranty of a stated sum in case of a breach of security, and some have wider browser support. Essentially there is no difference between a cheap DV SSL certificate and Let’s Encrypt except the possibility of personal support over email, the number of years for which you can get a certificate, the chance of claiming money in case the browser raises a security flag, etc. The difference between Let’s Encrypt and paid DV SSL certificates, particularly those under $10, is nil. If you need a genuine warranty, that starts from the GeoTrust Quick Premium certificate. It costs a whopping $84/year. We are seriously thinking of shifting from GeoTrust Quick Premium to Let’s Encrypt. No human does anything to “validate” a GeoTrust Quick Premium DV SSL certificate. It is fully automated.
Let’s Encrypt Versus Paid DV SSL Certificates Have a Difference in Duration
Let’s Encrypt uses ISRG as its root Certifying Authority. Let’s Encrypt’s ISRG root CA is not included in any browsers yet, as far as we know at the time of publication of this article. Therefore the Let’s Encrypt Authority certificate is cross-signed by IdenTrust, whose root is known as DST Root CA X3. Now the ISRG Root is included in the browsers, so we can actually say in which browsers/systems Let’s Encrypt certificates are trusted.
+ Android >= 2.3.6
+ Mozilla Firefox >= 2.0
+ Apple Safari 4.0+ with OS X 10.4 upwards
+ iOS >= 3.1+
+ Google Chrome Newer Versions
[Does not work]
- Below Windows XP SP3
- Java devices
- Possibly IE 1, 2, 3, 4, 5, 6, 7...
Keep in mind that for an HSTS configuration we need higher security. Because of the cipher suites, many devices with odd browsers, such as old Android and Java devices, are automatically blocked from access. The only bigger difference remaining is the duration of issuance. Let’s Encrypt does not currently support IDN issuance, ECDSA intermediates, etc. These matters are not really that big.
Smaller websites and small businesses can easily use Let’s Encrypt without fear. GeoTrust or any paid provider does not give any other service, unlike a paid DNS monitoring the rejection. A DV SSL certificate is actually a solid slap at a cost of nearly $100/year. At $10/year, the number of browsers supported is not fully clear for all. After a year from the date of publication, Let’s Encrypt can easily be used.
If you fear switching from HTTP to HTTPS too much, you can keep the HTTP option open via a separate subdomain. An arbitrary example: insecure.jima.in can serve over HTTP the full website that https://jima.in has. You can test at this moment. Those who have more Java-based clients will face trouble. Let’s Encrypt is great for the subdomains of websites like ours, personal websites, etc.
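The HTTP-only subdomain suggested above only stays reachable over HTTP if the HSTS policy served by the main host does not cover subdomains. The following is an added example, not code from the original article: it models the host-matching rule of RFC 6797, and the header values and the `hsts_store` mapping are constructed for illustration.

```python
# Added example: models how a browser applies HSTS (RFC 6797) to host names.
# The header values and the store layout below are constructed assumptions.

def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when max-age is missing or malformed; a browser ignores such a header.
    """
    max_age = None
    include_subdomains = False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not (value.isascii() and value.isdigit()):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    return None if max_age is None else (max_age, include_subdomains)


def forced_to_https(host, hsts_store):
    """True if a browser holding hsts_store would rewrite http://host to https://.

    hsts_store maps each host that sent the header over HTTPS to the raw header value.
    """
    labels = host.lower().rstrip(".").split(".")
    # Check the host itself (i == 0), then each parent domain (superdomain match).
    for i in range(len(labels)):
        raw = hsts_store.get(".".join(labels[i:]))
        policy = parse_hsts(raw) if raw else None
        if policy is None or policy[0] == 0:  # max-age=0 removes the policy
            continue
        # A parent's policy applies only when it carries includeSubDomains.
        if i == 0 or policy[1]:
            return True
    return False


# Constructed policies, as jima.in might serve them.
HOST_ONLY = {"jima.in": "max-age=31536000"}
WITH_SUBDOMAINS = {"jima.in": "max-age=31536000; includeSubDomains; preload"}
```

With the `HOST_ONLY` policy, insecure.jima.in stays on plain HTTP; with `WITH_SUBDOMAINS`, a browser that has visited https://jima.in upgrades it to HTTPS and the fallback stops working.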
Criticism of Anti-Let’s Encrypt Resellers
This is an example of misleading writing.
We are pointing out the wrongs.
Also, Let’s Encrypt will not be able to provide a few major types of SSL certificate solutions, like Extended Validation (EV) or multi-domain certificates and we definitely don’t think that a free certificate solves a user’s most pressing problem when browsing on the web: Authentication.
An SSL/TLS certificate has nothing to do with Authentication itself. Extended Validation (EV) is a different breed. Mixing it with Domain Validation (DV SSL) is not right. For higher security, you need HSTS, 256 bit SHA, Public Key Pinning and more, which have nothing to do with an SSL certificate. Qualys SSL Labs’ SSL Server Test is the most robust, and A+ is possible with Let’s Encrypt. If one has a backdoor on the server, no SSL certificate can save it.
Because they will only be offering free certificates, they will only be able to provide automated, basic encryption only/Domain Validated (DV) SSL certificates with no other frills that typically come with SSL certificates.
These limited certificates only confirm the ownership of your domain, and don’t involve any vetting of your business information (which typically takes a validation expert’s time and effort to manually verify) or any additional features found in basic certificates, like a site seal or a warranty.
GeoTrust Quick Premium uses 100% automated SSL certificate issuance; possibly all DV SSL certificates do the same. How logical is it to fetch $10/year to $84/year without any manual checking? Neither Let’s Encrypt nor paid DV SSL involves any human on the issuer’s end for just getting a certificate.
In general, businesses that want to offer their potential customers an additional layer of safety & security like activating all SSL indicators in browser or from promoting authentication should opt for OV or EV certificates from trusted 3rd party security companies/commercial CAs such as Symantec and Comodo.
No. HSTS is more important for preventing man-in-the-middle attacks than buying a costly EV SSL certificate like a moron and not configuring it on the web server. The paid certificate companies should offer a human for configuration on their client’s server. Currently Let’s Encrypt does not support all devices; that is a different matter.
Most run a non-commercial server OS at the backend; the Apache2 and Nginx communities are non-commercial too. Out of fear, innocent users cannot pay for Microsoft’s paid server and OS. Indeed, Microsoft was involved in the NSA’s PRISM spyware activities. The reason for businesses to use Let’s Encrypt at present is for wider browser security, NOT the others. Most funnily, the most common browsers are non-commercial and community based.
Green-colored and red-colored indicators can be made later by the Let’s Encrypt project and the browsers. A few thousand contributing users are more powerful than a paid, closed-source company. In the strict sense, Let’s Encrypt with HSTS, 256 bit SHA, etc. is more secure than a paid DV SSL.
Update on May 2016: Let’s Encrypt is now Certbot.
Update on June 2016: Let’s Encrypt (Certbot) now supports ECC SSL certificates (ECDSA). GeoTrust DV SSL does not support it for lower plans!
We cannot see much wrong in what they say. Indeed, they clearly said:
If you are currently paying for a DV SSL certificate, you may wish to consider Let’s Encrypt for the same product at no cost.