As encryption has spread across the Web, people have begun associating it with trust. This, of course, created a snowball effect in which more websites felt the incentive to adopt SSL/TLS encryption lest they fall behind. E-commerce sites, in particular, were among the first to feel that pressure, as customers were wary of making transactions online without encryption.
When it comes to websites owned by organizations, encryption becomes something more than just an algorithm used to secure online processes. It is a more complicated matter, involving certificate authorities (CAs) and different levels of validation. Now, with the appearance of free CAs like Let’s Encrypt, people are asking themselves why commercial alternatives even exist. Are they “better”? Or is there more to the story?
Understanding CAs and Their Importance
Using HTTPS and having your website recognized as “secure” (meaning the URL bar turns green when a user visits your site) requires some form of authorization. You need an SSL certificate issued by a certificate authority. A certificate “validates” your online presence as something “real.” There are different kinds of validation:
- Domain validation (DV), which proves that you control the domain you want secured
- Organizational validation (OV), which proves that you own the domain and verifies a few things about the organization behind your site
- Extended validation (EV), which performs a thorough and rigorous analysis of your domain, your organization, and its legal status
A DV certificate is obviously a lot easier to obtain, since all you have to do is submit proof that you control your domain. In fact, this is something that can be automated.
Now Let’s Get to Free CAs
Certificate authorities like Let’s Encrypt issue DV certificates without a cost. They manage to automate the process of domain ownership verification to an extent that it costs them almost nothing to validate you. This is all fine and dandy if you have some run-of-the-mill website that doesn’t require users to share sensitive data (such as credit card numbers, bank account details, passport numbers, etc.).
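The automated domain-ownership check mentioned above is, for Let’s Encrypt, the ACME HTTP-01 challenge (RFC 8555): the CA hands the client a random token, the client publishes the token joined to a thumbprint of its ACME account key at a well-known URL, and the CA fetches that URL over plain HTTP and compares. The example below is added here and is not the page’s own or Let’s Encrypt’s code; the account key, token and “web server” dictionary are constructed stand-ins, and the functions model both the client side and the CA side of the check.

```python
"""ACME HTTP-01 key authorization: client publishes it, CA verifies it."""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required
    public members only (sorted keys, no whitespace). Optional members such
    as "alg" or "kid" must not influence the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Client side: the body to serve at /.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def ca_validates(token: str, account_jwk: dict, fetched_body: bytes) -> bool:
    """CA side: the fetched body must equal the expected key authorization.
    Only trailing whitespace is tolerated; a constant-time compare avoids
    leaking how much of the value matched."""
    expected = key_authorization(token, account_jwk).encode("ascii")
    return hmac.compare_digest(fetched_body.rstrip(b" \t\r\n"), expected)


# Constructed sample values (not real key material); "n" only needs to be a
# base64url string for the thumbprint, so a short filler is enough here.
ACCOUNT_JWK = {"kty": "RSA", "n": b64url(b"constructed-modulus-bytes"),
               "e": "AQAB", "alg": "RS256", "kid": "acct-1"}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def demo() -> bool:
    """Client publishes the value; the CA fetches and checks it."""
    webroot = {}  # stands in for files under /.well-known/acme-challenge/
    webroot[TOKEN] = (key_authorization(TOKEN, ACCOUNT_JWK) + "\n").encode()
    return ca_validates(TOKEN, ACCOUNT_JWK, webroot.get(TOKEN, b""))


if __name__ == "__main__":
    print("HTTP-01 validated:", demo())
```

A response under a different account key or for a different token fails the check, which is what ties the issued certificate to the account that actually answered the challenge.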
If you are running an e-commerce website, perhaps you should look into going for a commercial certificate authority. The level of trust that an extended validation provides will legitimize your organization further than any other form of certification can. At the very least, get an OV certificate if you don’t want to bother with the red tape behind getting EV.
If you own a large web entity that hosts websites on multiple subdomains, you might be disappointed to find out that you cannot get a wildcard certificate for free either (not even from Let’s Encrypt). A wildcard certificate covers every subdomain you create under your main domain name.
The conclusion here is simple: if you’re running a simple website that doesn’t require the exchange of sensitive data, a domain validation certificate such as those offered by Let’s Encrypt will be just fine. You do not need anything fancier!
Otherwise you should stick to the commercial authorities. In some countries you can even run into legal trouble because you didn’t use an extended validation certificate for legally-binding agreements.
Do you think we may eventually automate all certificate validation? Or is that just one giant leap too far for mankind? Tell us in a comment!