Free SSL certificates - the better alternative?
Since September 2019, the presentation of secure (encrypted) websites on most end devices has changed fundamentally. Are there still arguments in favor of expensive and elaborate Extended Validation (EV) certificates?
In principle, any unencrypted data transmission on the Internet can be "intercepted" and, in the worst case, also manipulated. However, if the website has a valid security certificate, an encrypted connection is established and the data transmission is protected. Therefore, especially if sensitive data is requested via a website, this should only be done via encrypted pages.
At the latest since the European Data Protection Regulation (GDPR) came into force on May 25, 2018, personal data may generally only be transmitted in encrypted form in the EU. This means that every website must be encrypted if personal data is collected on it, even if it is a simple contact form. A so-called SSL or TLS certificate ensures the encryption of data transmission when a website is called up.
SSL is the abbreviation for "Secure Sockets Layer" and encrypts the data that is transported between the computer and the server. With the further development of SSL also came a new name in version 3.1. Since then, it would actually be correct to speak of TLS ("Transport Layer Security"). However, since the term has not become established in linguistic usage, SSL and TLS are used synonymously. We have therefore decided to use the term SSL throughout the following.
The SSL certificate is a data record that links one or more domain names with cryptographic data for their identification. This enables the authentication of the server or the website. In a session, end-to-end data transfer then takes place using symmetric encryption, which is made possible by the use of a shared session key. This ensures encryption at the transport layer.
Beyond the security aspect, the use of SSL certificates offers further advantages - for the user, but also for the website operator:
More trust: Users have more confidence in secured websites and feel safe from phishing attacks.
Increased conversion: The inhibition threshold to initiate a payment transaction is lower for customers on a secured website.
Increased customer loyalty: Customers who feel safe on a website will prefer it to an unprotected site and are also more likely to visit again.
Better Google rankings: HTTPS pages are ranked higher by Google than unencrypted pages.
An SSL certificate is always issued for a specific domain (e.g. www.maxcluster.de). It is checked whether the applicant is actually the owner of the domain or at least has the authorization or control as a service provider to set up a certificate for this domain. The purpose of this check is to prevent criminals from setting up a certificate for someone else's domain.
The more elaborate this verification or validation, the more secure the corresponding certificate is. Third parties, such as the Internet service provider, cannot decrypt sessions in this case.
So how do the various classes of security certificates differ?
There are three classes of security certificates, all of which serve the purpose of authenticating the server/website for communication between a browser and a website:
Domain validated certificates (DV certificates): This certificate checks whether the applicant is also the domain owner or whether he has control over the domain. For this purpose, a file with a special name is usually stored under the domain or an e-mail requiring confirmation is sent to a mail address of the domain. A third possibility are special DNS records. In this way, the HTTPS page is encrypted and the successful encryption is indicated by the lock icon in the address bar of the web browser.
Organisation-validated certificates (OV certificates): With this certificate, the Certification Authority (CA) not only checks the domain owner, but also the existence of the company and the authority of the applicant to apply for the certificate. As with the DV certificates, the security of the website is also indicated by the lock icon in the address bar.
Extended validation certificates (EV certificates): Since the applying company is checked extremely thoroughly according to the EV guideline, this certificate has the highest trust level. This is made visible by the fact that in the address bar of the web browser, in addition to the lock icon, the company name is mentioned in green letters or has a green background.
Unlike DV and OV certificates, Extended Validation certificates can only be issued by a select group of certification authorities (CAs). The lengthy verification of the applicant's identity makes these certificates more secure, but above all more expensive for the applicant.
The aim of the comprehensive check is to give users the certainty that they are at their intended destination. It should thus be made visible that, for example, the website maxcluster.de belongs to its rightful owner and is not a cover address used for phishing or packed with malware. However, the additional verification does not per se guarantee that the respective site is really safe, as an example on the following page shows.
What other arguments could there be for EV certificates?
As described, the goal of an SSL certificate is to provide the user with the assurance that he is on a protected website. In order to convey this information as simply and visibly as possible, EV certificates not only use a lock icon in the browser's address bar, but also display the verified legal identity of the domain in the address bar with a field highlighted in green. Legal identity here means the company name of the company for which the certificate was issued (see examples below).
However, as various tests have shown, test persons pay less attention to the type of certificate used to secure the website. For them, the green company name is less important. The lock icon, which symbolizes a secure connection for them, is the most important factor for website users' sense of security.
Based on this experience, Google and Mozilla have decided to remove the visual signals of EV certificates in their Chrome and Firefox desktop browsers, respectively.
Google's Chrome77 (as of Sept. 10, 2019) now no longer shows the information in the address bar, but in the page pop-up when you click on the lock icon:
Firefox from Mozilla also abandons the original display since version 70 (Oct 22, 2019):
Apple's Safari has already dispensed with listing the company since version 12, but it still colors the URL green. And Microsoft Edge has always dispensed with all EV indicators.
Now that Google and Mozilla have also removed the highlighting of EV certificates, there are hardly any arguments left for using an expensive EV certificate. Free SSL certificates, such as those from "Let's Encrypt", offer the same encryption protection and merely dispense with the time-consuming company validation, which actually provides no added value to the user. However, the domain itself is still checked - the short validity of the certificates of only three months even increases security in a certain sense.
Let's Encrypt's free certificates are issued by the Internet Security Research Group (ISRG), a non-profit organization based in San Francisco. This certificate authority, which is sponsored by Mozilla, GitHub, Cisco and Facebook, among others, aims to provide free SSL certificates to all users and companies. With the ACME protocol introduced by Let's Encrypt, certificate creation, validation and renewal is automated with the created key later retrieved through a multi-tier system.
This combination of advantages has ensured rapidly increasing user numbers. Especially since mid-2018, the provider of free SSL certificates has enjoyed high popularity. As can be seen in the chart below, the number of domains encrypted via Let's Encrypt has also increased significantly since the beginning of 2020.
Since the beginning of 2018, we have been offering our customers the option of integrating Let's Encrypt certificates quickly and easily. We have integrated the "Certbot", the technical basis for the ACME protocol, in our Managed Center, so that the website operator does not have to leave the familiar interface. By the way, it does not matter whether you use an Apache or NGINX web server - maxcluster supports both equally.
In our Managed Center not only the validation of the certificate can be done, but also the fully automated renewal of the certificate. This also eliminates the time-consuming communication regarding cost approvals and information validation between agency, online store operator and hoster.
This is how you proceed:
First, select your web server and call up the "New Domain" or "Edit Domain" section according to your situation - new or existing domain. In the "General" section, enter your domain, save it and then select the "SSL" tab.
Then check the "Let's Encrypt certificate" box and confirm your IP address. We also recommend checking "Automatically forward to SSL" and "Monitor expiration date of certificate", as this will enable maxcluster support to monitor your certificates. We recommend this because it allows our support to react quickly in case of an error or an expiring certificate. If, for example, the Certbot from Let's Encrypt should fail to renew a certificate automatically, we can react accordingly in support so that you are always comprehensively secured.
The restrictions imposed by Let's Encrypt regarding the activation or modification of a certificate are presented in a simple and comprehensible manner in the Managed Center. You can read the underlying rules in the Let's Encrypt documentation.
Once the Let's Encrypt certificate is set up, you don't need to take any further action: We will take care of both renewing the certificate and updating it should there be any changes to your domain.
The security and performance of your online store is our top priority. So we have also developed our new product feature ShopSecurity on this basis. We are happy to answer all your questions about security and look forward to your message by e-mail to firstname.lastname@example.org or your call at 05251 / 41 41 30.
Published on 11.03.2020 | NM
You have questions, requests, criticism, suggestions or just want to tell us your opinion about our blog? Here you have the opportunity to contact us directly.Send e-mail