Let's Encrypt is for e-commerce / online shops


#1

Hello guys,

I am planning to open a virtual store and would like to know if a Let’s Encrypt SSL certificate is recommended for virtual stores?

If yes, then which one of your SSL certificates is appropriate for virtual stores? Or is your SSL one?

I thank you,
Rodrigo Carlos


#2

Hi @rodrigocs

This is not a feature request, so I have changed the topic category and also updated “virtual stores” to “ecommerce/online shop” as those are the more commonly used terms.

All Let’s Encrypt certificates are domain-validated certificates, which are essentially all the same (I lie a little, as there are different key sizes and ECC vs RSA, and also SAN vs single domain).

Review Organisationally Validated and Extended Validation certificates, which some online stores prefer due to the extra steps in verifying that you are a legitimate business.

For your review: https://www.ssl.com/article/dv-ov-and-ev-certificates/

As this is a business driven decision you should make up your own mind how much trust your users need that the certificate in use is valid.

There are recommendations from bodies such as the Payment Card Industry in their PCI-DSS standard (google search it) around what SSL certificates should be used; however, most small online shops do not go to the extent of getting audited or complying with PCI-DSS (costs).

Due to the ACME protocol and other considerations Let’s Encrypt does not issue extended or organisationally validated certificates.

Andrei
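
To make the distinction above concrete, here is an added check (not from this thread, and not Let’s Encrypt’s own tooling) that reports whether a certificate is DV or OV/EV, its key algorithm and size, and whether it is single-domain or a SAN certificate. It assumes the openssl CLI (1.1.1 or newer) and builds constructed self-signed certificates with placeholder names for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): classify a certificate as DV vs OV/EV,
# report its key algorithm and size, and count its DNS SANs.
# Assumes the openssl CLI, 1.1.1 or newer (for -addext).
set -e

# "DV" when the Subject has no organizationName (O=), the shape of every
# Let's Encrypt certificate; OV and EV certificates always carry O=.
cert_validation_type() {
  subject=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
  case ",$subject" in
    *",O="*) echo "OV/EV" ;;
    *)       echo "DV" ;;
  esac
}

# Key algorithm and size, e.g. "id-ecPublicKey 256" or "rsaEncryption 2048".
cert_key_info() {
  openssl x509 -in "$1" -noout -text | awk '
    /Public Key Algorithm/ { alg = $NF }
    /Public-Key:/          { gsub(/[()]/, "", $2); bits = $2 }
    END                    { print alg, bits }'
}

# Number of DNS names in subjectAltName (1 = single domain, >1 = SAN cert).
cert_san_count() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
    | grep -o 'DNS:' | wc -l | tr -d ' '
}

# Constructed self-signed test certificate (cert path, key path, subject,
# SAN list); the names are placeholders, not real shops.
make_sample_cert() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$2" -out "$1" -days 1 -subj "$3" -addext "subjectAltName=$4" \
    >/dev/null 2>&1
}

report() {
  echo "$1: $(cert_validation_type "$1"), key $(cert_key_info "$1"), $(cert_san_count "$1") DNS SAN(s)"
}

tmp=$(mktemp -d)
make_sample_cert "$tmp/dv.pem" "$tmp/dv.key" "/CN=shop.example" \
  "DNS:shop.example,DNS:www.shop.example"
make_sample_cert "$tmp/ov.pem" "$tmp/ov.key" "/C=US/O=Example Ltd/CN=shop.example" \
  "DNS:shop.example"
report "$tmp/dv.pem"   # prints "...: DV, key id-ecPublicKey 256, 2 DNS SAN(s)"
report "$tmp/ov.pem"   # prints "...: OV/EV, key id-ecPublicKey 256, 1 DNS SAN(s)"
```

Run it against the certificate your hosting provider actually serves (for example one saved with `openssl s_client`) to confirm it is the type you were sold.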


#3

I agree with @ahaw021’s analysis and I would add that Let’s Encrypt certificates are fine for using with online shops from Let’s Encrypt’s point of view. There is nothing in our terms of service that prevents this and there is no reason that we would consider it an inappropriate use.

One of the largest users of Let’s Encrypt certificates is the Shopify service, which uses our certificates for all of their customers’ online stores.

If I remember correctly, this is over a million shops.

Just as @ahaw021 said, there are some people in other parts of the industry or some customers who might prefer an OV or EV certificate for some purposes, and Let’s Encrypt does not issue those. Therefore, you may want to look into the question of whether you believe, or anyone who would interact with your shop believes, that one of those certificates is more appropriate for your shop for some reason. However, we don’t see that an OV or EV certificate is necessary for online shops in general, and we certainly have lots of existing users who use our DV certificates for this purpose.


#4

FWIW, there is nothing in the PCI-DSS standard that precludes the use of Domain Validated certificates. Let’s Encrypt certificates are perfectly fine for use in computer systems that are in-scope for PCI compliance as well.


#5

hi @Patches

Apologies, you are correct. I reviewed a recent version of the standard (3.2) and it is more concerned with strong cryptography (ECC and large keys) and good configurations (which in my mind is a good step forward). I may be thinking of Australia, where banks and insurance providers can require the use of EV and OV certificates for online shops to get certain levels of insurance cover (and confused this with being written into the PCI-DSS standard).

It does lead to some interesting questions about how private keys are stored by some clients but that is not in scope for this discussion.

Andrei
