In the vast forest of ecommerce, website security touches every aspect of a company's operations. One of the most recognisable symbols of trust between a store and its customers is HTTPS. The once fabled “green lock” now sets the basis of whether or not a customer trusts a store with their confidential information. In recent years Let’s Encrypt has completely changed the SSL landscape (strictly speaking the protocol is TLS today, but the industry still says SSL) by issuing publicly trusted certificates for free. Understanding the current state of SSL could save you time and money.
HTTPS is the modern standard for websites and is required for PCI DSS compliance, which mandates strong cryptography for cardholder data sent over public networks (something every ecommerce store should prioritize). To serve HTTPS, the encrypted form of the connection, a site needs an SSL certificate issued by a certificate authority (CA) that browsers already trust. Historically that meant buying one, so most sites have bought and set up various types of certificates from certificate authorities such as DigiCert, GoDaddy, or GeoTrust, to name a few. These range in price from a few dozen to thousands of dollars.
Most people know the importance of the SSL certificate, but in 2018, what defines the “best” certificate for your buck? The answer to that is...not much. A certificate is either trusted by the browser “root programs”, or it is not. Root programs (run by Apple, Google, Microsoft and Mozilla) decide which certificate authorities' root certificates ship in the trust store; your browser accepts a site's certificate if it chains up to one of those roots, names the site you typed, and is within its validity dates. The encryption itself is the same either way: an untrusted certificate still encrypts the connection, the browser just warns the user about it. There are several types of certificates (Domain, Organization and Extended Validation), but for most websites it comes down to two: the cheapest and most used “Domain Validated” (DV) certificate, and the popularly advertised “Extended Validation” (EV) certificate. A DV certificate only proves control of the domain name and displays your site as secure with a padlock, while an EV certificate has the added benefit of showing the company name next to the site URL. To issue an EV certificate, the CA must verify the legal identity and operational existence of the organization behind the domain. To most companies this is appealing as it makes it clearer a site is safe and secure to use (and is the legitimate site).
Example of Extended Validation SSL as displayed in Chrome
Example of Domain Validated SSL as displayed in Chrome
However, as of Autumn 2018 browsers are increasingly hiding the only information that distinguishes these two types of certificates: the company name in the address bar. It is entirely possible some users will never know a site has an EV certificate in use. Apple and Google have already shown that they can and will stop showing the added benefits of higher cost certificates (compare the desktop and mobile screenshots), and most others will surely follow. Moreover, most users do not know or care about the difference between a DV and an EV certificate. To most people a site either has the padlock or it does not, and when EV details are visible, users often find the additional information confusing.
So then, why pay for these fancy certificates? Some certificate providers offer a “warranty” on a certificate purchase. Cutting to the chase, it is not clear what value these warranties provide: there is no public record of such a warranty ever being paid out, and there may never be. As the benefits of the higher end certificates dwindle into irrelevance, all that remains is the normal, trusted DV certificate that throws up the padlock and says the connection is secure. That lock could be green, or grey, or whatever color the browser chooses to display. The fact of the matter is that the browser controls how the certificate is displayed to the user, not the certificate. All the certificate itself carries is a policy identifier recording which level of validation the CA performed; whether anyone ever sees that is the browser's decision.
Example of Extended Validation SSL as displayed on Mobile Chrome
Example of Domain Validated SSL as displayed on Mobile Chrome
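To make the point above concrete (the validation level is a marker inside the certificate, and what the browser does with it is up to the browser), here is an added example that is not from the original article or from Troy Hunt's. It encodes and decodes the one place where “DV” or “EV” is actually recorded: the CertificatePolicies extension, whose policy identifier is a CA/Browser Forum OID (2.23.140.1.1 for EV, 2.23.140.1.2.1 for DV, 2.23.140.1.2.2 for OV). Everything is standard library, the DER handling is written out so the bytes are visible, and the CPS URL and the private OID in the tests are placeholders.

```python
"""Where DV vs EV actually lives in a certificate: the CertificatePolicies extension
(RFC 5280 4.2.1.4). Standard library only; sample values are constructed for this demo."""
from __future__ import annotations

# CA/Browser Forum reserved policy OIDs naming the validation level performed.
CABF_POLICY_OIDS = {"2.23.140.1.1": "EV", "2.23.140.1.2.1": "DV", "2.23.140.1.2.2": "OV"}
ID_QT_CPS = "1.3.6.1.5.5.7.2.1"  # qualifier type: pointer to the CA's CPS (an IA5String URI)

def _base128(n: int) -> bytes:
    """One OID arc: 7 bits per byte, high bit set on every byte but the last."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    return bytes(reversed(out))

def _tlv(tag: int, value: bytes) -> bytes:
    """DER tag-length-value; long-form length once the value reaches 128 bytes."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + value

def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    return _tlv(0x06, body)

def encode_certificate_policies(policies: list[tuple[str, str | None]]) -> bytes:
    """SEQUENCE OF PolicyInformation { policyIdentifier OID, policyQualifiers SEQUENCE OPTIONAL }."""
    items = b""
    for oid, cps_uri in policies:
        info = encode_oid(oid)
        if cps_uri is not None:  # PolicyQualifierInfo { id-qt-cps, IA5String uri }
            info += _tlv(0x30, _tlv(0x30, encode_oid(ID_QT_CPS) + _tlv(0x16, cps_uri.encode("ascii"))))
        items += _tlv(0x30, info)
    return _tlv(0x30, items)

def _read_tlv(data: bytes, pos: int) -> tuple[int, bytes, int]:
    """Parse one DER element at pos -> (tag, value, offset just past it)."""
    if pos + 2 > len(data):
        raise ValueError("truncated DER element")
    tag, first, pos = data[pos], data[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise ValueError("truncated DER element")
    return tag, data[pos:pos + length], pos + length

def decode_oid(body: bytes) -> str:
    if not body:
        raise ValueError("empty OID")
    arcs, n, pending = [], 0, False
    for b in body:
        n, pending = (n << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:
            arcs.append(n)
            n = 0
    if pending:
        raise ValueError("OID ends in the middle of an arc")
    first = arcs[0]  # the first encoded arc packs the first two dotted arcs as 40*a + b
    head = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def policy_oids(cert_policies_der: bytes) -> list[str]:
    """Every policyIdentifier in a DER CertificatePolicies value; qualifiers are skipped."""
    tag, outer, end = _read_tlv(cert_policies_der, 0)
    if tag != 0x30 or end != len(cert_policies_der):
        raise ValueError("expected exactly one outer SEQUENCE")
    oids, pos = [], 0
    while pos < len(outer):
        tag, info, pos = _read_tlv(outer, pos)
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        id_tag, id_body, _ = _read_tlv(info, 0)  # the OID always comes first
        if id_tag != 0x06:
            raise ValueError("policyIdentifier must be an OID")
        oids.append(decode_oid(id_body))
    return oids

def validation_level(oids: list[str]) -> str:
    """Highest CA/Browser Forum level asserted; 'unknown' if only CA-private OIDs are present."""
    levels = {CABF_POLICY_OIDS[o] for o in oids if o in CABF_POLICY_OIDS}
    return next((lvl for lvl in ("EV", "OV", "DV") if lvl in levels), "unknown")

if __name__ == "__main__":
    dv = encode_certificate_policies([("2.23.140.1.2.1", None)])
    ev = encode_certificate_policies([("2.23.140.1.1", "https://example.com/cps")])  # placeholder URL
    for name, der in (("DV", dv), ("EV", ev)):
        print(name, der.hex(), policy_oids(der), "->", validation_level(policy_oids(der)))
```

Two caveats a practitioner should keep in mind: EV certificates issued before CAs adopted the shared CA/Browser Forum OID carry only a CA-specific EV OID, so an “unknown” result here does not prove a certificate is DV (browsers kept per-CA lists for exactly that reason), and nothing in this extension changes the TLS handshake, which is the whole point of the article.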
Where does this leave the market? As of August 2018, Let’s Encrypt, a certificate authority like the ones mentioned earlier, is directly trusted by all the major root programs (before that it relied on a cross-signature from IdenTrust). This is just another certificate authority, right? Except Let’s Encrypt offers the same trusted certificates for the low cost of $0. For $0 you can have a secure site that works in every modern browser (very old devices that never received the new root still validate it through the cross-signed chain Let’s Encrypt serves by default). Its certificates are valid for 90 days rather than 1-2 years, but issuance happens over the automated ACME protocol, so a client such as Certbot renews them on a schedule and the hassle of renewing and re-purchasing certificates disappears.
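As an added example (not from the article), this is what the automatic renewal mentioned above looks like on a typical Linux host: a system cron entry running Certbot's renew command. The schedule, the user and the nginx reload command are assumptions for an nginx host; adjust them for your web server.

```crontab
# Let's Encrypt certificates live 90 days; "certbot renew" only replaces those within
# 30 days of expiry and exits quietly otherwise, so running it twice a day is safe.
# Assumes certbot issued the site's certificate; the deploy hook is an nginx example.
17 */12 * * *  root  certbot renew --quiet --deploy-hook "systemctl reload nginx"
```

The deploy hook only fires when a certificate was actually renewed, so the web server is reloaded exactly when it has a new certificate to pick up.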
If anyone can get a free certificate, how will someone know a site is trustworthy? It is important to remember that HTTPS does not mean a site is safe to use, or that the people behind it are honest; a phishing site can hold a perfectly valid certificate for its own domain. What HTTPS does mean is that the connection is encrypted and the server has proven control of the domain in the address bar, so a middleman on the network cannot silently read or alter the traffic. To any consumer, every valid certificate looks one and the same. The purpose of this article is to make it clear that HTTPS is simply becoming an open standard, so much so that there is no longer any benefit to paying for it. Browsers and tech companies are slowly unwinding the usefulness of the costlier certificates, which means soon there will be no difference between a certificate that is free and one that is paid for, has extended validation, or even a warranty. Let’s Encrypt just makes it cheaper and less of a hassle to get the same result any paid certificate authority would provide.
This article was inspired by, and is a heavily condensed version of, Troy Hunt’s article “Extended Validation Certificates are Dead”. It is a long read, but he offers far more detail and supporting evidence on why we are heading in this direction, and why switching to Let’s Encrypt is the best option for your ecommerce store. If you fancy a deeper dive into this topic, please give his article a read.
Sources:
Aas, Josh. “Let's Encrypt Root Trusted By All Major Root Programs”. https://letsencrypt.org/2018/08/06/trusted-by-all-major-root-programs.html
Hunt, Troy. “Extended Validation Certificates are Dead”. https://www.troyhunt.com/extended-validation-certificates-are-dead/
Hunt, Troy. “On The (Perceived) Value of EV Certs, Commercial CAs, Phishing and Let's Encrypt”. https://www.troyhunt.com/on-the-perceived-value-ev-certs-cas-phishing-lets-encrypt/
Hunt, Troy. “The 6-Step "Happy Path" to HTTPS”. https://www.troyhunt.com/the-6-step-happy-path-to-https/
Lawrence, Eric. “Certified Malice”. https://textslashplain.com/2017/01/16/certified-malice/