{"id":432,"date":"2024-01-14T16:38:51","date_gmt":"2024-01-14T16:38:51","guid":{"rendered":"https:\/\/www.orangewebsite.com\/articles\/?p=432"},"modified":"2025-12-29T02:30:01","modified_gmt":"2025-12-29T02:30:01","slug":"lets-encrypt-free-ssl","status":"publish","type":"post","link":"https:\/\/www.orangewebsite.com\/articles\/lets-encrypt-free-ssl\/","title":{"rendered":"The Trouble with Let&#8217;s Encrypt"},"content":{"rendered":"<div class=\"et_pb_section_0 et_pb_section et_section_regular et_block_section\"><div class=\"et_pb_row_0 et_pb_row et_block_row\"><div class=\"et_pb_column_0 et_pb_column et_pb_column_4_4 et-last-child et_block_column et_pb_css_mix_blend_mode_passthrough\"><div class=\"et_pb_text_0 et_pb_text et_pb_bg_layout_light et_pb_module et_block_module\"><div class=\"et_pb_text_inner\"><h1>The Trouble With Let's Encrypt<\/h1>\n<\/div><\/div><div class=\"et_pb_image_0 et_pb_image et_pb_module et_block_module\"><span class=\"et_pb_image_wrap\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.orangewebsite.com\/articles\/wp-content\/uploads\/2017\/04\/cheap-ssl-certificate.png\" alt=\"Let's Encrypt Free SSL\" title=\"Let's Encrypt Free SSL\" width=\"728\" height=\"380\" srcset=\"https:\/\/www.orangewebsite.com\/articles\/wp-content\/uploads\/2017\/04\/cheap-ssl-certificate.png 728w, https:\/\/www.orangewebsite.com\/articles\/wp-content\/uploads\/2017\/04\/cheap-ssl-certificate-300x157.png 300w, https:\/\/www.orangewebsite.com\/articles\/wp-content\/uploads\/2017\/04\/cheap-ssl-certificate-600x313.png 600w, https:\/\/www.orangewebsite.com\/articles\/wp-content\/uploads\/2017\/04\/cheap-ssl-certificate-580x303.png 580w\" sizes=\"(max-width: 728px) 100vw, 728px\" class=\"wp-image-435\" \/><\/span><\/div><\/div><\/div><div class=\"et_pb_row_1 et_pb_row et_block_row\"><div class=\"et_pb_column_1 et_pb_column et_pb_column_4_4 et-last-child et_block_column et_pb_css_mix_blend_mode_passthrough\"><div class=\"et_pb_text_1 et_pb_text et_pb_bg_layout_light et_pb_module et_block_module\"><div class=\"et_pb_text_inner\"><h1 style=\"text-align: center;\">Let's Encrypt Free SSL<\/h1>\n<p style=\"text-align: left;\">SSL certificates all perform the same task, but they aren't all equal in quality. <a href=\"https:\/\/letsencrypt.org\/\" target=\"_blank\" rel=\"noopener noreferrer\">Let's Encrypt<\/a> issues certificates that are free of cost and easy to install, with the aim of making secure Web connections as universal as possible. The downside of this approach is that its certificates don't offer much confidence in their authenticity. At OrangeWebsite, we've decided not to accept them on our shared hosting, though you can use them on a VPS or dedicated server. We'd like to let you know our reasons.<\/p>\n<\/div><\/div><div class=\"et_pb_text_2 et_pb_text et_pb_bg_layout_light et_pb_module et_block_module\"><div class=\"et_pb_text_inner\"><h2><strong>Not all SSL certificates are the same<\/strong><\/h2>\n<p><a href=\"https:\/\/www.orangewebsite.com\/articles\/how-to-boost-your-search-rankings\/\" target=\"_blank\" rel=\"noopener noreferrer\">Having an SSL certificate<\/a> provides an encrypted connection between a browser and a Web server. The protocol family that supports this is widely known as SSL, but current versions are more properly called TLS. Connecting by TLS guarantees that the server belongs to the owner of the certificate. A certificate authority (CA) digitally signs the certificate, indicating it has confirmed its authenticity.<\/p>\n<p>Anyone can create a self-signed certificate. It will enable encrypted connections, but without a CA's signature, there's no guarantee that the site owner is who it claims it is. Browsers warn users against trusting self-signed certificates.<\/p>\n<p>Let's Encrypt acts as a \u201cfree, automated, and open certificate authority.\u201d It allows anyone to set up a secure website at no cost and with little effort. 
This is good, but prominent figures in the tech industry have expressed <a href=\"http:\/\/www.datamation.com\/security\/lets-encrypt-the-good-and-the-bad.html\" target=\"_blank\" rel=\"noopener noreferrer\">serious concerns about its certificates<\/a>.<\/p>\n<p>The process for setting up a certificate is simple. A couple of commands on a Linux server will do the whole job. The problem is with the level of authentication provided. The only validation is that the applicant for the certificate controls the domain it's issued to. If you're getting a certificate for example.com, you have to prove that you control example.com. There's no checking who you are. This type is known as a \u201cdomain validated\u201d certificate. Let's Encrypt isn't the only CA to issue domain validated certificates, but it's the only one that doesn't charge anything for them.<\/p>\n<\/div><\/div><\/div><\/div><div class=\"et_pb_row_2 et_pb_row et_block_row\"><div class=\"et_pb_column_2 et_pb_column et_pb_column_4_4 et-last-child et_block_column et_pb_css_mix_blend_mode_passthrough\"><div class=\"et_pb_text_3 et_pb_text et_pb_bg_layout_light et_pb_module et_block_module\"><div class=\"et_pb_text_inner\"><h2><strong>Certificates and trust<\/strong><\/h2>\n<p>Just having an SSL certificate, especially one that's only domain validated, doesn't make a site trustworthy. It could be a near-lookalike for a well-known domain (e.g., micros0ft.com). Let's Encrypt has reportedly issued over 14,000 certificates to <a href=\"https:\/\/www.thesslstore.com\/blog\/lets-encrypt-phishing\/\" target=\"_blank\" rel=\"noopener noreferrer\">domains that impersonate PayPal<\/a>.<\/p>\n<p>Some domains give users control of subdomains (e.g., mydomain.example.com). Those users can obtain certificates for their subdomains. This can give the impression of approval by a well-known site. 
The subdomain may redirect to a different domain, on an independent server which the primary domain has no control over.<\/p>\n<p>The most trustworthy SSL certificates are EV certificates. EV stands for \u201cextended validation\u201d and signifies that the CA has met certain standards for checking the applicant's identity. It has checked and confirmed that the applying organization legally exists and is who it claims to be. Browsers generally indicate an EV certificate with a green symbol, such as a padlock.<\/p>\n<p>Unfortunately, most people don't recognize the nuances. If they see a padlock, they're likely to assume the site is trustworthy. Since Let's Encrypt doesn't even require a payment method, its bar to registering a certificate is very low. It plans to check the Google Safe Browsing API for known phishing or malware sites, but that's about the extent of its checking. There have been confirmed reports of <a href=\"http:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/lets-encrypt-now-being-abused-by-malvertisers\/\" target=\"_blank\" rel=\"noopener noreferrer\">malvertisers using its certificates<\/a>. When certificates are free, it's easy to set them up with throwaway domains.<\/p>\n<p>We hope that in time, Internet users will better understand the difference between a secure site and a legitimate one. When the large majority of sites display a padlock in the address bar, browsers will need to make a clearer distinction among the levels of validation. Eventually they may warn users about sites whose certificates are only domain validated. If a browser did that today, though, it would have to issue a constant stream of warnings.<\/p>\n<p>For the present, it's a good habit to click on the padlock symbol of a secure site if there's any doubt about it. The browser should give information about the site's level of validation and its owner of record. 
Some browsers, though, will say nothing more than \u201cThis site is secure.\u201d<\/p>\n<\/div><\/div><\/div><\/div><div class=\"et_pb_row_3 et_pb_row et_block_row\"><div class=\"et_pb_column_3 et_pb_column et_pb_column_4_4 et-last-child et_block_column et_pb_css_mix_blend_mode_passthrough\"><div class=\"et_pb_text_4 et_pb_text et_pb_bg_layout_light et_pb_module et_block_module\"><div class=\"et_pb_text_inner\"><h2><strong>Openness and trust<\/strong><\/h2>\n<p>Let's Encrypt has <a href=\"https:\/\/letsencrypt.org\/2015\/10\/29\/phishing-and-malware.html\" target=\"_blank\" rel=\"noopener noreferrer\">explained its policy<\/a>. It argues that a CA is in a poor position to police a site's content. It's difficult to determine if a site is clean, and harder to check if it stays clean. The primary aim of the project is to make as much of the Web as possible use TLS. That will inevitably include rogue websites. These sites exist anyway; the only difference is that some people may trust them more when they see the padlock symbol.<\/p>\n<p>Any issuer of domain validated certificates faces this risk, and even the EV level isn\u2019t completely safe against malicious sites. A signed certificate isn't and can't be proof of trustworthiness. Let's Encrypt doesn't want to take on the role of a censor, and we appreciate that. At the same time, we don't want to give dishonest websites the appearance of legitimacy if we can avoid it.<\/p>\n<p>We offer <a href=\"https:\/\/secure.orangewebsite.com\/cart.php?gid=5\" target=\"_blank\" rel=\"noopener noreferrer\">several options for purchasing SSL certificates<\/a>. The lowest priced ones are domain validated, but the annual fee will discourage acquiring certificates for throwaway domains. For a better level of validation, we offer the Comodo InstantSSL certificate with business-level validation. 
The best validation comes with our Comodo EV certificates, either for a single domain or for multiple domains sharing the same IP address.<\/p>\n<p>Balancing trust and openness can require some difficult tradeoffs. One of our chief goals is to enable free expression, but we don't want to be a magnet for deceptive and dangerous sites. We hope you understand the reasons for our choice. Feel free to <a href=\"http:\/\/www.orangewebsite.com\/contact.php\" target=\"_blank\" rel=\"noopener noreferrer\">contact us<\/a> with any questions.<\/p>\n<\/div><\/div><\/div><\/div><\/div>","protected":false},"excerpt":{"rendered":"","protected":false},"author":5,"featured_media":435,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13],"tags":[31,30,29,33,32],"class_list":["post-432","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-cheap-ssl","tag-free-ssl","tag-lets-encrypt","tag-professional-web-hosting-company","tag-web-hosting-security"],"_links":{"self":[{"href":"https:\/\/www.orangewebsite.com\/articles\/wp-json\/wp\/v2\/posts\/432","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.orangewebsite.com\/articles\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.orangewebsite.com\/articles\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.orangewebsite.com\/articles\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/www.orangewebsite.com\/articles\/wp-json\/wp\/v2\/comments?post=432"}],"version-history":[{"count":11,"href":"https:\/\/www.orangewebsite.com\/articles\/wp-json\/wp\/v2\/posts\/432\/revisions"}],"predecessor-version":[{"id":1671,"href":"https:\/\/www.orangewebsite.com\/articles\/wp-json\/wp\/v2\/posts\/432\/revisions\/1671"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.orangewebsite.com\/articles\/wp-json\/wp\/v2\/medi
a\/435"}],"wp:attachment":[{"href":"https:\/\/www.orangewebsite.com\/articles\/wp-json\/wp\/v2\/media?parent=432"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.orangewebsite.com\/articles\/wp-json\/wp\/v2\/categories?post=432"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.orangewebsite.com\/articles\/wp-json\/wp\/v2\/tags?post=432"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}