Let's Encrypt for e-commerce sites?

Django29 · December 12, 2020, 6:06pm

Hello
Is let's Encrypt enough secured for e-commerce sites ?

rmbolger · December 12, 2020, 6:10pm

Yes. The certificates provided by Let's Encrypt (and any publicly trusted certificate authority) all provide the same level of cryptographic protection because they must all use the same industry standard algorithms and bit lengths.

I should add that the certificate itself is also only a tiny part of a site's overall security posture.

JuergenAuer · December 12, 2020, 6:14pm

Hi @Django29

that's a question of your local configuration.

It's not a question if you use Letsencrypt or another CA.

If your local configuration is bad (deprecated protocols, cipher suites, wrong order, missing redirects http -> https) or not so good (missing HSTS) or if you forget to renew the certificate, that's a problem.

rg305 · December 12, 2020, 10:36pm

I apologize in advance for my cynical view on things...
But I can't help hearing "Will an LE cert protect my site (for me)?" in that question.
No certificate will protect your site, certificates can only encrypt the conversations.
Encryption is NOT protection.

schoen · December 12, 2020, 11:05pm

It might just be: do merchant banks/payment processors/PCI standard validators/sophisticated users accept Let's Encrypt certificates? And the answer to that is generally yes.

Django29 · December 13, 2020, 3:24pm

Of course, my question was not : "If I use Let's encrypt, am I sure that my site will never be hacked ?". I know we need to comply with other techniques for that.
But I was asking if the encryption of Let's Encrypt is only suitable for sites using non personal informations, and especially no financial informations as in e-commerce sites. In other words, would you recommend to use "Premium" paid certificates for these sites ?

petercooperjr · December 13, 2020, 5:05pm

The only certificate that might be worth paying for could be getting an "Extended Validation" (EV) certificate (where rather than just proving you own the domain name, you prove your actual corporate identity). Let's Encrypt doesn't offer these but other Certificate Authorities do. They show up slightly differently in some browsers, and perhaps some customer on the fence about whether to order from you would be reassured if they looked at the certificate details and found out exactly what company they were ordering from. It wouldn't shock me if the companies selling EV certificates has some statistics about how much conversion rate improved by getting one. But of course one would need to take those statistics with a pinch (or heap) of salt since they're of course trying to sell you on their premium services.

But in terms of technical suitability, as others are saying a regular Domain Validation certificate (like Let's Encrypt offers for free) uses the same industry-standard encryption algorithms and is perfectly suitable for securing personal information and financial transactions. It's just that "all" Let's Encrypt validates is that the holder of the private key owns the domain name that it's being used for. That's usually good enough for customers to trust enough to put their credit card number in.

Cryptography is just a big lever, it makes the security of a large amount of information (the data being transmitted to your server) dependent on the security of a small amount of information (the private key on your server and the validation done by the Certificate Authority of who that key belongs to). That's a really useful thing, but that's all it does. As others are saying, that's not enough to say "we're secure" all by itself. But whether you paid a CA to validate that the private key is owned by you or if you use a free domain validation certificate to do so, it doesn't fundamentally change how it works. Cryptography is just math, after all.

Django29 · December 13, 2020, 5:34pm

Thanks a lot for this detailed answer (on Sunday!). To complete the security, I also use :

ModSecurity firewall in my CPanel.
As all my sites are made on Joomla, I always install a very good and sophisticated security component : RSFirewall.
Security rules in .htaccess.
Strong passwords.
For e-commerce sites, the payment is made directly on the bank site or by Paypal, not on my clients sites.
After more than 100 sites built, with Let's Encrypt, I had never any problem.

rg305 · December 13, 2020, 7:24pm

Maybe a one-word answer would have been enough...
"Let's Encrypt for e-commerce sites?"
YES.

[or might that leave other readers wondering... we may never know]

schoen · December 14, 2020, 4:07am

I wrote a more detailed answer about this question back in April:

avdija · December 14, 2020, 11:07am

what give you an impression that Let´s encrypt is only for sites using non personal information?

system · January 13, 2021, 11:07am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.