February 6, 2018
Your customers’ online security depends on the safety procedure you go through when you order your SSL certificate.
Increase in websites encrypted with SSL certificates
Since the launch of Let’s Encrypt in 2016, the organization’s growth has skyrocketed: largely thanks to Let’s Encrypt, more than half of all websites now use a digital certificate.
Within the SSL certificate industry, we appreciate the attention to digital security to which Let’s Encrypt has made a significant contribution.
Not only does this create more awareness of a corner of the digital world that only a few know of; Let’s Encrypt has also contributed to a situation where more companies today encrypt and secure sensitive data in online communication.
Let’s Encrypt issues SSL certificates for phishing sites
But there’s a downside: the way in which Let’s Encrypt issues its certificates is subject to uncertainty, and in a market that is not always transparent, that uncertainty can be difficult to spot with the naked eye.
In line with the explosive growth that Let’s Encrypt has experienced, the number of phishing sites using HTTPS has also exploded, because Let’s Encrypt does not employ the same rigorous validation methods as other approved CAs (Certificate Authorities):
A thorough survey from March 2017 shows that approx. 15,000 certificates (97% of which were issued by Let’s Encrypt) containing the word PayPal were issued to phishing websites.
The number of certificates issued “by mistake” exploded from 10 in March 2016 to 5,101 in February 2017.
You get what you pay for
Few people would refuse something free of charge that other providers demand money for.
But if we scratch the surface, there may be a reason why Let’s Encrypt is free of charge and why others demand money for a product that seems identical and is hardly distinguishable.
The biggest difference when you choose between an SSL certificate from Let’s Encrypt (a Domain Validated SSL certificate) and an SSL certificate from TRUSTZONE is the thorough validation process, which is the only way you can rest assured, and assure your customers, that they are safe when they use your website.
The crucial approval procedure
A major part of the benefit of a digital certificate is that the user/customer is able to identify the website and the organization behind it when sensitive information, such as sensitive personal data, financial data, or similar, is shared online.
If this element is eliminated, credibility is correspondingly lower. Therefore, very strict rules apply to how a digital certificate is issued and to who can issue SSL certificates.
Today, there are only a few approved CAs that are trusted globally and that are thus capable of issuing approved digital certificates.
Let’s Encrypt is one of them, but due to a fast (and actually rather smart, though not so safe) way of dealing with the validation and verification process, it is also possible to have certificates issued for phishing websites even if you have only little knowledge of the procedures.
Think things through before you choose your provider
As the headline suggests, it’s important to make the right choice. If you only need the encryption function in a digital certificate, Let’s Encrypt will do in most cases.
But if you also need authentication so that you can create a sense of trust for the user/customer, Let’s Encrypt will rarely be the right choice. There are better alternatives; however, they’re not free of charge. The choice is yours.