The only information I collect on my sites is demographics - name, email, phone number - on an opt-in form. I don’t take any payment information. I don’t know what type of SSL certificate I need to protect myself and my subscribers. Does Let’s Encrypt cover this? Can you point me to where I can find it in the documentation (I can’t seem to find it!).
Thank you!
Any type of certificate will work! There are really only minor differences, none of those technical (in general). None will affect the security of the connection.
Currently, Let’s Encrypt offers what are called “Domain Validation” (DV) certificates. Some commercial CAs charge for other types such as Organization Validation (OV) and Extended Validation (EV). No matter what you pick, the information is encrypted the same way, so I’d advise picking the lowest-cost widely trusted certificate unless you have reason for something else.
This falls into some interesting territory. There are a number of different standards applied to the collection of personal information, governed by different standards, as well as some statutory requirements depending on the countries you do business in. For example, the EU has much stronger privacy laws than the US.
It doesn’t sound like you would fall under the typical umbrellas of data security such as HIPAA or PCI-DSS, but there are also civil liabilities to consider (e.g. what legal recourse your customers have in suing you if your negligence compromises their personal information.) If you are concerned about the legal ramifications of your decisions, you should consult a lawyer as opposed to an internet support forum.
Now, this being said, the “type” of certificate is largely immaterial. The encryption is determined by your server configuration, not the certificate. Different types of CA-signed certificates merely provide increasing assurance that a browser is communicating to an authorized endpoint. There are arguments both for and against increased assurance certificates such as EV or OV, but that comes down to a business decision in the end.
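To make the point above concrete, here is an added example (not code from this thread or from Let's Encrypt) using only Python's standard `ssl` module: the protocol floor and cipher suites are set on the server context, and nothing about the certificate's validation type (DV, OV or EV) feeds into that choice. The `certfile`/`keyfile` arguments are hypothetical paths and are only loaded when supplied.

```python
import ssl

# TLS 1.2 cipher string: forward-secret ECDHE key exchange with AEAD ciphers only.
# OpenSSL always enables the TLS 1.3 suites; they are not governed by this string.
TLS12_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5"


def hardened_server_context(certfile=None, keyfile=None):
    """Build the server-side TLS context that decides the connection's crypto.

    certfile/keyfile are hypothetical paths, loaded only when given so the
    function can run without a certificate on disk. The certificate itself
    (DV, OV or EV alike) has no input into the version or cipher chosen here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION  # rule out TLS-compression leaks
    ctx.set_ciphers(TLS12_CIPHERS)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit_server_context(ctx):
    """Return a list of findings; an empty list means the policy above holds."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol below TLS 1.2")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression enabled")
    for suite in ctx.get_ciphers():
        if suite["protocol"] not in ("TLSv1.2", "TLSv1.3"):
            findings.append(f"legacy-protocol suite offered: {suite['name']}")
        if suite["alg_bits"] < 128:
            findings.append(f"weak suite offered: {suite['name']}")
    return findings


def offered_suites(ctx):
    """Names of the cipher suites this context will negotiate."""
    return [s["name"] for s in ctx.get_ciphers()]
```

Swapping a DV certificate for an EV one into `load_cert_chain` changes nothing in `audit_server_context` or `offered_suites`; only the context settings do.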
I agree with @motoko. In the past a lot of people were inspired to get certificates in order to accept credit cards and financial information. This is partly because the financial industry pressured people to do this and partly because many people felt that was what certificates were “for”.
Nowadays we’re seeing that secure encrypted connections to web sites help protect any kind of information, and there’s plenty of information that’s sensitive or private other than just financial data. So even if industry rules don’t require people to use secure connections, we have a new near-consensus that they’re important anyway.
The different kinds of certificates differ in whether they allow a user to check the legal identity of the site operator, but (maybe unfortunately?) most users don’t actually know how to do this, so they might not get that much benefit from it. The underlying encryption and security technology is otherwise exactly the same so one kind of certificate does not provide stronger encryption or privacy than another, as @motoko explained.
When industry organizations have a specific requirement for a site to have a secure connection, most of them seem to agree that Let’s Encrypt certificates are OK for that purpose.
This exactly. The company I work for is in the Telemedicine industry. For clients that run custom domains on our product, we use Let's Encrypt for the certificates. It's good enough for protecting PHI and PII in transit and we have not had any company have an issue with it.