8 Reasons Why I ❤️ Let’s Encrypt

Ricky Hayes is a Platform Developer at 20i. Here he talks about his abiding love for Let’s Encrypt SSL certificates.

Let’s Encrypt (TM) is a Certificate Authority, meaning that they’re trusted to sign SSL certificates (technically X.509 certificates used for TLS). These certificates secure network communication at 20i, mainly for HTTP but also for email.

Before HTTPS, any of the computers passing your requests around the internet could read the information you sent. A certificate lets the browser on your device check that it is really talking to the server it asked for, and the two then agree on keys that encrypt everything passing between your browser and the remote server in a data centre.

How SSL certificates work

That encryption stops interested parties reading the data your browser sends. That data could be anything, from your favourite kitten gifs to your payment card details.

Let’s Encrypt (LE) issue more than 500K certificates every day, and they’re largely responsible for the drastic decline in the number of websites marked as ‘not secure’.

Google have also been instrumental in driving the uptake of SSL certificates on websites (‘https’). They first promoted it as a positive ranking signal, then gradually made Chrome’s address bar more insistent in ‘naming and shaming’ sites without an SSL cert.


But it’s LE who’ve done the most in promoting ‘https’. That’s because they have a really strong and persuasive selling-point: their SSL certificates are free.

How can they offer free SSL certificates?

Let’s Encrypt is run for ‘public benefit’ by the Internet Security Research Group (ISRG). Its members include representatives from Mozilla, Google, Cisco and Akamai.

They’re pretty big players in the industry, and LE’s board members overlap a lot with its sponsors. So we know it’s well-funded and well-led.

But beyond that, why do I love Let’s Encrypt..?

Here are my 8 reasons why…

1. Their API is JSON

LE’s API is the ACME protocol: JSON over HTTPS, with each request signed by your account key as a JSON Web Signature. JSON is both human- and machine-readable, it’s widely understood, and it’s pretty (but that’s a matter of opinion!).

2. Their API is not XML

XML is hard for humans to understand, difficult to compose and needlessly complicated.

3. They support SAN

Subject Alternative Names (SANs) mean that one certificate can contain multiple names, so domain.com and *.domain.com can sit on the same certificate and cover all your name-securing needs. You do want both: on its own, *.domain.com does not cover the bare domain.com.

4. They are as cryptographically-secure as a £1000 certificate

SSL certificates aren’t made of paper: the ones you pay a lot for are not written in gold leaf on parchment.

They’re made of maths. Complex maths, which I won’t go into here. Rest assured, whether you pay nothing or £1000 for an SSL certificate, the maths behind them is the same: the same algorithms, the same TLS. What the price buys is a different level of vetting of who you are, which we come back to below.

5. If you have a domain you should have the right to secure it


Let’s Encrypt make their certificates free because they:

Want to create a more secure and privacy-respecting Web.

Source: Let’s Encrypt 

Like LE, we believe that you shouldn’t have to pay for website security. That’s why we don’t charge extra for our security measures.

But why? It’s not totally altruistic.

The companies behind LE, and we ourselves, rely on a secure and working web (where people are willing to hand over their details and buy things!) to make our living.

It’s our lifeblood – and that’s why we find it strange that other companies in our industry try to make money out of online security. An insecure web will only harm them.

6. They have many clients for many platforms

Because ACME is an open, published protocol, there are clients for it in all the major (and some minor!) languages and on all computing platforms (Linux, Windows, cPanel, etc.). Most are written by third parties rather than by LE themselves, which is exactly what an open standard is meant to encourage.

7. They support wildcard certs

That means that a single SSL certificate can cover blog.yourdomain.com, shop.yourdomain.com and any other one-label subdomain without listing each of them. Note that *.yourdomain.com covers exactly one label, so it matches neither yourdomain.com itself nor a.blog.yourdomain.com; that is why the bare name goes on the certificate as a second SAN.
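To make the SAN and wildcard rules from points 3 and 7 concrete, here is an added Python example (not 20i’s or Let’s Encrypt’s code) that checks a hostname against a certificate’s name list the way browsers do: an exact, case-insensitive match, or a wildcard that must be the whole leftmost label and stands for exactly one label. The SAN list and the hostnames are constructed for the example; a real client would read the dNSName entries out of the certificate’s subjectAltName extension.

```python
"""Browser-style matching of a hostname against a certificate's SAN list."""

# Constructed dNSName entries, the way a Let's Encrypt certificate ordered
# for both the bare name and the wildcard would carry them.
EXAMPLE_SANS = ["example.com", "*.example.com"]


def _labels(name: str) -> list:
    """Lower-case, drop a trailing dot, split into DNS labels."""
    labels = name.lower().rstrip(".").split(".")
    if any(label == "" for label in labels):
        raise ValueError(f"malformed DNS name: {name!r}")
    return labels


def san_matches(san: str, hostname: str) -> bool:
    """True if a single SAN entry covers the hostname under the rules
    browsers apply (RFC 6125 section 6.4.3, with the whole-label wildcard
    restriction that browsers and public CAs enforce):
      * exact, case-insensitive match; or
      * a wildcard that is the entire leftmost label ('*.example.com',
        never 'b*.example.com' or 'www.*.com'), which stands for exactly
        one label, so '*.example.com' matches 'blog.example.com' but not
        'example.com' and not 'a.blog.example.com'.
    """
    san_labels = _labels(san)
    host_labels = _labels(hostname)
    if any("*" in label for label in host_labels):
        return False  # a hostname never contains a wildcard
    wild_positions = [i for i, label in enumerate(san_labels) if "*" in label]
    if not wild_positions:
        return san_labels == host_labels
    if wild_positions != [0] or san_labels[0] != "*":
        return False  # partial or non-leftmost wildcards are rejected
    if len(san_labels) < 3:
        return False  # refuse '*.com': at least two fixed labels must follow
    return len(host_labels) == len(san_labels) and host_labels[1:] == san_labels[1:]


def cert_covers(sans: list, hostname: str) -> bool:
    """True if any SAN on the certificate covers the hostname."""
    return any(san_matches(san, hostname) for san in sans)


if __name__ == "__main__":
    for host in ["example.com", "blog.example.com", "a.blog.example.com", "example.org"]:
        print(f"{host:22} covered: {cert_covers(EXAMPLE_SANS, host)}")
```

Run it and the bare name and blog.example.com come back covered while a.blog.example.com does not, which is the behaviour that surprises people who order a wildcard on its own.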

8. Did I mention they were free?

They don’t charge owt. A bargain.


What’s the downside?

For balance, it’s only fair to talk about what you don’t get with Let’s Encrypt.

They don’t offer Extended Validation (EV) certificates. You can tell when a site has EV because the company name and country code show up in the address bar (like on this site, at least in browsers that display EV there; newer versions of Chrome and Firefox have since stopped showing it).

It’s something that may be valuable for a larger company. To get an EV certificate, the company has to provide the certificate authority with information that lets the CA ‘vet’ it.

Put simply, the CA checks that the company is genuine, legally registered and has the rights to that domain. It helps prevent people creating look-alike sites and pretending to be a company.

This is an expensive process as meat-based computers (humans) have to be involved. Ours cost £249.99/year.

No warranty

Premium SSL certificates include a warranty. In theory, this means that if the certificate fails, you’re covered. But it’s more complicated than that.

How does an SSL certificate fail? They’re made of maths. If maths were prone to fail then reality as we know it would be…very different. So it’s not like the multiplication function suddenly starts subtracting or whatever.

What it really means is that the warranty covers your customers, not you, if the certificate authority (such as GeoTrust) is breached, through error or malice, and a certificate for your domain is issued to someone who isn’t you. Your own certificate is public and useless to a criminal without your private key; the danger is a mis-issued one, which browsers trust just as much as yours, so whoever holds it can impersonate your site.

Breaches of CAs have happened (DigiNotar was compromised in 2011 and fraudulent certificates were issued from it), but as far as we know, and we’d appreciate any evidence to the contrary, a warranty has never been paid out on.

But that doesn’t mean that it’s never gonna happen. If you run a multi-million turnover business, £250 is a relatively small expense compared to what could potentially happen if your customers lost billions…

However, we believe that for 99% of websites – including most businesses – a warranty isn’t necessary.

You have to use our domain nameservers

Let’s Encrypt wildcard certificates are only available using DNS validation (the ACME ‘DNS-01’ challenge). For us to automate this process, we need to add the TXT record to your domain automatically, so we need to be in control of the domain’s DNS servers.

For example, if you were validating the domain 20i.com, the validation name would be _acme-challenge.20i.com. The client derives a value from the challenge token and its account key (the TXT record holds a hash of those, not the raw token), adds it to the DNS zone as a TXT record, and then tells LE to go ahead with validation. LE makes a DNS query to the domain’s authoritative servers, and if the record it finds matches the value it expects, it issues the certificate.
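The DNS-01 exchange just described, as an added Python example (not 20i’s or Let’s Encrypt’s code): the client side derives the TXT value from the challenge token and its ACME account key exactly as RFC 8555 specifies (key authorization in section 8.1, DNS-01 in section 8.4, JWK thumbprint from RFC 7638), and a simulated validator does what LE does, looking the record up and comparing. The account key coordinates, the tokens and the in-memory ‘zone’ are constructed stand-ins; a real client signs its requests with the private half of the account key, and the real CA queries the authoritative name servers. It also covers the case a wildcard order implies: the bare name and *.example.com share the same _acme-challenge name, so two TXT records sit side by side and the validator has to accept any matching one.

```python
"""DNS-01 challenge arithmetic from RFC 8555, with a simulated validator."""
import base64
import hashlib
import json

# Constructed ACME account key (public half, JWK form). The coordinates are
# illustrative stand-ins, not a real key; nothing here validates the point.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
    "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
    "use": "sig",  # optional member: must not influence the thumbprint
}

# Constructed challenge tokens, one per identifier, as the CA would hand out
# for an order covering the bare name and the wildcard together.
TOKENS = {
    "example.com": "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA",
    "*.example.com": "DGyRejmCefe7v4NfDGDKfAQ9hq3Fb2Ml0gqNqKo9q5c",
}


def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over a JSON object holding only the
    key's required members, keys sorted lexicographically, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    subset = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(subset, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_record(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.4: the TXT value is base64url(SHA-256(key auth)).
    It is this hash that goes into DNS, never the token itself."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def challenge_name(identifier: str) -> str:
    """Name the CA queries. For '*.example.com' the '*.' is stripped, so the
    wildcard and the bare name share _acme-challenge.example.com."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return "_acme-challenge." + base


def provision_zone(tokens: dict, jwk: dict) -> dict:
    """Client / DNS-provider side: the TXT records that must be published,
    as {name: [values]}. Several values at one name are normal."""
    zone: dict = {}
    for identifier, token in tokens.items():
        zone.setdefault(challenge_name(identifier), []).append(dns01_record(token, jwk))
    return zone


def validate_dns01(zone: dict, identifier: str, token: str, jwk: dict) -> bool:
    """CA side: fetch TXT at the challenge name and accept if any published
    string equals the expected value. 'zone' stands in for a live query to
    the domain's authoritative name servers."""
    expected = dns01_record(token, jwk)
    return expected in zone.get(challenge_name(identifier), [])


if __name__ == "__main__":
    zone = provision_zone(TOKENS, ACCOUNT_JWK)
    for name, values in zone.items():
        for value in values:
            print(f'{name}. IN TXT "{value}"')
    for identifier, token in TOKENS.items():
        print(identifier, "validated:", validate_dns01(zone, identifier, token, ACCOUNT_JWK))
```

Two things worth noticing when you automate this as we do: the published value depends on the account key, so a record left over from a different ACME account never validates, and both challenges for an apex-plus-wildcard order land on the same name, so a DNS provider that replaces rather than appends TXT records will break one of the two.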

We use wildcard certificates for your security and convenience. Services like the control panel, file manager and webmail system are all hosted on physically different servers – and in some cases, networks!

Using a single wildcard certificate and a single DNS Verification challenge means the process remains quick and simple. That way, it’s presented as a single click for you in our control panel.

But anyway

…all the good things about LE outweigh the bad, by a long, long way. I only mentioned those drawbacks for the sake of balance. 

So that’s why I (and all of 20i) ❤️ Let’s Encrypt.

If you have any feedback let us know below.

4 comments

  • Do you have any plans to allow Let’s Encrypt via A-record verification? This would be very useful for occasions when we aren’t able to control a client’s nameservers.

    • We don’t have plans to add any kind of verification outside of TXT record in the nameservers we control. If people need a free cert and they’re not on our NS, they can get one direct from LE and install it in My20i.

  • Fantastic you have included this in your hosting, it’s a real game changer especially for small starters with multiple websites who can’t afford SSL for each.

    One of the many reasons we moved over to you.