Itomic is very pleased to announce that we are now supplying free SSL certificates to the owners of all new websites that we develop and host. And for all existing clients, we’ll be offering the same over the coming months.
How are free SSL certificates possible?
Two stars have aligned:
- ‘Let’s Encrypt’: genuine, industry-standard SSL certificates for $0.
- Automation: the certificates self-validate and self-install, so we anticipate minimal involvement from Itomic. Let’s Encrypt certificates are issued for 90 days, and automation ensure that certificates are reissued every 90 days.
Let’s Encrypt SSL certificates are provided by the Internet Security Research Group (ISRG). This group is sponsored by many big players including Cisco, Facebook, Google Chrome, Mozilla and Shopify. It recognised that a) online security is very important, and b) putting a price tag on security will naturally put SSL certificates out of reach for some. You can read more about the how and why here: https://letsencrypt.org/about/.
ISRG has worked hard to ensure that the process of validating and installing the certificates is 100% automated. (author’s note: I’ve been hands-on with SSL validation and installation since about 1998, and it’s always been prone to error, human and machine. It’s been one of my least favourite tasks over the years!). Luckily for us and our clients, the hosting platform that powers all our hosting servers, cPanel & WHM, has integrated their software with the Let’s Encrypt service. They call it AutoSSL. So we are now able to enable this service for our clients.
Are there any catches?
For existing Itomic clients wishing to have this service enabled, you’ll need to have an active service & support contract with a minimum balance of 3 hours of labour. In the unlikely event of any technical issues associated with the SSL installation and configuration, this allows us to attend to these issues without delay. If you don’t have an active service & support contract with Itomic, just ask!
What if my site already has a current, paid, SSL certificate?
A Let’s Encrypt SSL cert will automatically replace your existing certificate shortly after it reaches 3 days to expiry. Your existing paid SSL will be absolutely fine and unaffected until then. If you wish to continue paying for your SSL certificate – and some organisations will (more on that below) – then we will continue to offer this service as before.
Are these free SSL certificates as secure as the paid ones?
They provide identical levels of encryption to the paid ones, and therefore will be suitable for the vast majority of our clients.
It’s important to note the difference between encryption and authentication. A Let’s Encrypt SSL certificate provides a website with genuine, industry standard encryption, but it does not authenticate that the organisation using the encryption is who they say they are.
Let’s Encrypt supplies a type of SSL certificate known as Domain Validated (DV) certificate. This validates that the domain name is registered, and someone with admin rights (in this case Itomic) is aware of and approves the certificate request. No official proof (authentication) of your entity’s official registration is required, e.g. that your organisation has an ABN number, as all recognised entities have here in Australia.
If you evaluate that your website needs to display a higher level of authentication (e.g. because you’re a large high-profile organisation, government department, etc.), then you need an OV (organisation validated) or an EV (extended validation) certificate. These types you have to pay for, not least because of the additional manual overhead in acquiring and installing them. Note that, just because a website is using an OV or EV certificate, it doesn’t guarantee that the organisation behind it is reputable, or handles your data securely or responsibly after receipt, or that the website hasn’t been hacked.
For more information on the different types of SSL certificate: https://support.dnsimple.com/articles/ssl-certificates-types/
Does an SSL certificate (Let’s Encrypt or otherwise) make a website ‘secure’?
Only in the sense that it guarantees that data being transferred between your device (e.g. desktop PC, tablet, etc.) and the hosting server is fully encrypted. This means that it’s extraordinarily unlikely to be unencrypted and read by a 3rd party. An SSL cert is only a single component of a comprehensive data security strategy. Other components include, for example, ensuring that your website and web server is regularly updated with the latest recommended security patches.
My site is basic, with no e-commerce. Do I even need an SSL certificate, free or otherwise?
- Many basic sites have a backend admin area for the purpose of managing the content on your site. It’s better to login to this section of your site using a secure (encrypted) connection, than a non-encrypted one.
- Google prefers sites with SSL protection. All other things being equal, your website will rank more highly in a Google search if it has an SSL certificate, compared with one that doesn’t, i.e. it’s better for SEO (search engine optimisation).
Will Let’s Encrypt issue wildcard certificates?
Currently no, but it is a possibility in the future. Thanks to Let’s Encrypt, wildcards certificates are no longer necessary for the vast majority of websites because it’s easy to get and manage free certificates for all subdomains. Prior to Let’s Encrypt, Itomic always recommended wildcard SSL certificates over single SSL certificates so that the same certificate could protect all subdomains without having to purchase additional single SSL certificates per subdomain.
Yes, they’ve got no choice, e.g. https://ssl.comodo.com/free-ssl-certificate.php. We’ve chosen Let’s Encrypt because they are clearly the first movers and leaders in this field. We want to acknowledge and reward them for their efforts.
Remember that an enormous amount of money has been made over the years by companies who issue SSL certificates. There are some major vested interests who’d prefer to hold back the tide as long as possible.
We assume that, eventually, all hosting companies will. In the meantime, it’s just a question of hosting companies satisfying themselves, like we have, that this service is a) good and b) here to stay. Then they have to ensure that they have the administrative and technical systems and procedures in place to support them.
If a website has an SSL certificate installed, it’s only actively being used when either:
- You directly visit the https version of the site, and not the http version, OR
- You directly visit the http version, and the site or hosting account has been programmed to automatically redirect the visitor to the https version.
When Itomic initially installs the SSL certificate on your site, #1 will apply. Over time (no desperate hurry!), we will work with our clients to ensure that #2 applies as standard.
I’m still unsure about whether or not I should pay for SSL certificates (OV or EV) in the future, as I’ve done in the past.
- As previously mentioned, government departments and larger, high profile business may decide that they wish to demonstrate a higher level of authentication than a DV certificate provides. That’s totally fine by Itomic, we’re happy to oblige.
- Do your own Google searches to better educate yourself about the pros and cons, and see how others are debating this question.
Still unsure? Ask Itomic!
https://letsencrypt.org/docs/faq/ – FAQs about Let’s Encrypt.
https://en.wikipedia.org/wiki/Public_key_certificate – Wikipedia on SSL certificates and related.