Your customers’ online security depends on the validation procedure you went through when you ordered your SSL certificate.
You may recently have read about the criticism Let’s Encrypt has faced over the way in which it issues digital certificates. If not, this link leads to a discussion of the issue.
More websites are encrypted with SSL certificates
Since the launch of Let’s Encrypt in 2016, the organization has stormed ahead and has, since early 2017, contributed to a situation where more than half of all web page loads are served over HTTPS.
Within the SSL certificate industry, we welcome the attention that Let’s Encrypt has brought to the field.
Not only does it raise awareness of a corner of the digital world that few people know about, a communication task that TRUSTZONE and others in the IT security industry have handled poorly; it has also led more companies to encrypt and protect sensitive data in their online communication.
Let’s Encrypt issues SSL certificates for phishing sites
But all good things have a downside. The way in which Let’s Encrypt issues its certificates has one, and in a market that is not always transparent it can be hard to spot with the naked eye.
Alongside Let’s Encrypt’s explosive growth, the number of phishing sites served over HTTPS has exploded as well. Let’s Encrypt issues only Domain Validated certificates: it checks that the applicant controls the domain name, and nothing about who operates it, so it does not apply the more rigorous organisational vetting that other approved CAs (Certificate Authorities) perform for OV and EV certificates.
A thorough survey from March 2017 found, for example, that approximately 15,000 certificates containing the word “PayPal” (97% of them issued by Let’s Encrypt) had been issued to phishing websites.
According to the same survey, the monthly number of such certificates ”issued by mistake” had exploded from 10 in March 2016 to 5,101 in February 2017.
You get what you pay for
Few people would refuse something that is free of charge when other providers charge money for it. But if we scratch the surface, there may be a reason why Let’s Encrypt is free and why others charge for a product that, at first glance, is hardly distinguishable.
The biggest difference when choosing between an SSL certificate from Let’s Encrypt (a Domain Validated, DV, certificate) and an SSL certificate from TRUSTZONE (an Extended Validation, EV, certificate) lies in the validation process. A DV certificate is issued to anyone who can prove control of the domain name; an EV certificate is issued only after the CA has verified the legal identity of the organisation behind it. That thorough validation is what lets you rest assured, and assure your customers, that they are dealing with you when they use your website.
The validation procedure for an SSL certificate is crucial
A major part of the value of a digital certificate is that the user or customer can identify the website and the organization behind it before sharing sensitive information online, such as personal data or financial data. If that element is removed, the trust placed in the certificate should be correspondingly lower. That is why strict rules govern how a digital certificate may be issued and who may issue one.
Today only a limited number of CAs are trusted globally and can therefore issue publicly trusted digital certificates. Let’s Encrypt is one of them, but because of its fast, and admittedly rather clever though less safe, way of handling validation and verification, certificates can be obtained for phishing websites by someone with only a basic knowledge of the procedure.
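As an added example (not code from TRUSTZONE or Let’s Encrypt), the following POSIX shell script uses the openssl command line to show what the difference between DV and EV looks like inside the certificate itself: it reads the CA/Browser Forum policy identifier from the certificatePolicies extension (2.23.140.1.1 for EV, 2.23.140.1.2.2 for OV, 2.23.140.1.2.1 for DV) and reports whether the Subject names an organisation. It assumes OpenSSL 1.1.1 or later is installed; the function names and the report format are the example’s own.

```shell
#!/bin/sh
# Added example, not TRUSTZONE's or Let's Encrypt's own tooling.
# Classifies an X.509 certificate as DV, OV or EV from the CA/Browser Forum
# policy identifier in its certificatePolicies extension, and reports whether
# the Subject names an organisation. Assumes OpenSSL 1.1.1 or later.
set -e

# CA/Browser Forum reserved policy OIDs (EV Guidelines / Baseline Requirements).
EV_OID="2.23.140.1.1"
OV_OID="2.23.140.1.2.2"
DV_OID="2.23.140.1.2.1"

# cert_policy_oids FILE: print the policy OIDs the certificate asserts, one per line.
# The -text dump prints each policy as "Policy: <oid>" under the
# "X509v3 Certificate Policies" extension.
cert_policy_oids() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^[[:space:]]*Policy: //p'
}

# cert_validation_level FILE: print EV, OV, DV or UNKNOWN.
# EV wins over OV, OV over DV, if a certificate asserts several policies.
cert_validation_level() {
    oids=$(cert_policy_oids "$1")
    # Join the lines with single spaces and pad with spaces so that a
    # case pattern matches whole OIDs only (2.23.140.1.1 is not a prefix match
    # of 2.23.140.1.2.1 this way).
    case " $(echo $oids) " in
        *" $EV_OID "*) echo EV ;;
        *" $OV_OID "*) echo OV ;;
        *" $DV_OID "*) echo DV ;;
        *)             echo UNKNOWN ;;
    esac
}

# cert_subject_org FILE: print the Subject's O= (organisation) value.
# A DV certificate has no O= at all, only the domain name in CN and/or the
# subjectAltName extension, so this prints nothing for it.
cert_subject_org() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline \
        | sed -n 's/^[[:space:]]*O=//p'
}

# describe_cert FILE: one-line summary for an operator.
describe_cert() {
    org=$(cert_subject_org "$1")
    printf '%s: %s validation, organisation: %s\n' \
        "$1" "$(cert_validation_level "$1")" "${org:-<none, domain control only>}"
}

# Usage: sh check_cert.sh server.pem
if [ "$#" -gt 0 ]; then
    describe_cert "$1"
fi
```

To inspect a live site, save its leaf certificate first, for example with `openssl s_client -connect www.example.com:443 -servername www.example.com </dev/null | openssl x509 -out server.pem`, and pass that file to the script. A Let’s Encrypt certificate will report DV and no organisation. One caveat: the policy OID and the Subject fields are written by the issuer, so a self-signed certificate can claim the EV OID and any organisation name it likes. Browsers only honour the EV OID for roots they have enabled for EV, and the classification is only meaningful for a certificate that chains to a publicly trusted root; it is the validation procedure behind the issuance, not the bits in the certificate, that carries the trust.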
Think things through before you pick your SSL certificate provider
As the headline suggests, it is important to make the right choice. If all you need is the encryption a digital certificate provides, Let’s Encrypt will do in most cases.
But if you also need authentication, so that the user or customer can trust who is behind the website, Let’s Encrypt will rarely be the right choice. There are better alternatives, though they are not free. The choice is yours.