Free SSL certificate vs paid SSL certificate and their pros and cons

Dear Let's Encrypt community support forums,

We are running our e-commerce website with a Let's Encrypt free SSL certificate.

As a security concern, we have spent a lot of time on web searches trying to find security information on free SSL certificates vs paid SSL certificates and their pros and cons, but we had no luck finding the correct information.

Currently, we are running our e-commerce website with a Let's Encrypt free SSL certificate. Can we continue with the current Let's Encrypt free SSL certificate, or do we need to go with a paid SSL certificate? If yes, please suggest which SSL certificate to select for an e-commerce website (SSL DV / SSL OV / SSL EV / SSL DV UCC).

Thanks & Regards,

Dhananjay Ahire


Hi @dhananjayahire123,

The security provided by the free Let’s Encrypt certificate is the same in every respect as the security provided by a paid certificate. Connections are not more strongly encrypted when a paid certificate is used.

As you’ve seen, Let’s Encrypt certificates don’t include any information about the legal entity that operates a web site (such as a name, address, or country) because Let’s Encrypt doesn’t have an automated way of finding out that information. Some paid certificates do include that information. However, web browsers don’t directly use that information for any authentication purpose and it doesn’t make the connection more secure at a technical level.

If you have individual users who expect or want to check that information (manually, by going further into the browser interface to look it up), then you’ll need a paid certificate that contains identity information.

There could also be an effect where some users may feel, subjectively, that sites that use more expensive infrastructure are more “legitimate” because they can afford to pay for that infrastructure, even though they don’t need to! So there could be some users who feel that they would rather interact with a site that has a paid certificate because it shows that the site operators have more financial resources available.

In some circumstances, that judgment by users might even be correct!

However, it couldn’t be very common right now for users to think about it this way, especially because many web browsers no longer make the information about certificate issuers or certificate types obviously visible to users. So this information wouldn’t be presented in an obvious way to most Internet users, and most Internet users probably wouldn’t understand this distinction easily.

I’m not aware of industry or regulatory rules that would prevent the use of Let’s Encrypt certificates by any type of web site. Maybe we should make a list of major sites that use Let’s Encrypt.


That’s not true. First, it is a maximum validity of 2 years. In fact, starting this fall, Safari will only accept new certificates which are valid for at most one year (plus a bit of grace period).

Also the automation is a big plus on Let’s Encrypt’s side IMO: if you don’t happen to have a CA with an API or which also supports ACME or some other good automation (and usually you don’t get that for cheap paid certificates), renewal is a lot of manual work. Even with semi-automation (having to press a button once every two months) it is less work per year than having to renew one certificate manually.

And even if you fully automate it: if you’ve set up proper monitoring, you don’t miss out renewal. And even if you do, it is a lot faster to get back to a new certificate with ACME/Let’s Encrypt than with a paid CA (assuming you can’t use some automation).

So what? :slight_smile: Users have to really know how to look up that info in current browsers. So here you pay for something that most users won’t even notice.

I have some experience with customer support for paid certificates. It depends a lot on which support person you end up talking to; in some cases the answers are not helpful at all. Some others are excellent, though. And I also don’t remember support being fully 24x7; it was often restricted to working days or even working hours. I guess it also depends on what kind of paid certificate you are talking about.

In the end you have to decide whether you want to pay (a lot) extra for OV/EV and customer support. If you go for cheap paid options, it’s usually not worth the trouble in my experience, if you don’t have special compatibility requirements. (If you need someone to hold your hand while obtaining/renewing/installing a certificate, customer support can be worth it, though. But then, I think it also works pretty well in this forum.)
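The two points made in the replies above, that the identity information in an OV/EV certificate lives in the Subject field and is not used for encryption, and that expiry monitoring is what keeps an automated renewal from being missed, can be checked with a few lines of Go. This is an added example, not code from the forum or from Let's Encrypt; the 30-day threshold and the constructed self-signed test certificates are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// CertReport summarises what a user (or a renewal monitor) can learn from a certificate.
type CertReport struct {
	HasOrgIdentity bool // Subject carries an Organization (OV/EV style); false for a DV certificate
	DaysLeft       int  // whole days until NotAfter, relative to the supplied clock
	RenewSoon      bool // DaysLeft is below the monitoring threshold
}

// InspectCert classifies a parsed certificate; renewDays is the assumed alerting threshold.
func InspectCert(c *x509.Certificate, now time.Time, renewDays int) CertReport {
	days := int(c.NotAfter.Sub(now).Hours() / 24)
	return CertReport{
		HasOrgIdentity: len(c.Subject.Organization) > 0,
		DaysLeft:       days,
		RenewSoon:      days < renewDays,
	}
}

// SelfSigned builds a constructed test certificate: empty org mimics DV, non-empty mimics OV/EV.
func SelfSigned(cn, org string, notBefore time.Time, days int) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	subj := pkix.Name{CommonName: cn}
	if org != "" {
		subj.Organization = []string{org}
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      subj,
		DNSNames:     []string{cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(time.Duration(days) * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert
}
```

Against a live site, the same InspectCert call works on the leaf certificate returned by tls.Dial, which is what a cron-driven renewal monitor would feed it.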

More spammy anti-Let’s Encrypt FUD. :yawning_face:

