Website security has been a focus of attention for several years, but it has become even more central since the start of the year and the American presidential elections. The emails exchanged insecurely by one of the candidates occupied the media space and made the general public aware of the importance of protecting their messages and, more generally, their digital data, both personal and professional. These debates around data protection will undoubtedly lead many website owners to take the step of securing messages.
While message encryption appears in more and more website specifications today, the administrators of online shops know this problem perfectly well and have overwhelmingly adopted this good practice. The lock that shows internet users, in their browser, that exchanges are secure is a minimum requirement for developing a commercial activity. Without this indicator, it is impossible to convince a user to become a customer, and especially to transmit information relating to a means of payment.
Internet users have long paid attention to security only at checkout, but the coming months will undoubtedly see habits evolve. Everyone now clearly sees the value of their personal digital data. The presence of the lock ensuring secure transmission, and the attention the website administrator pays to security, could be scrutinized by the Internet user before even creating a simple user account.
This vigilance will also be reinforced by the democratization of secure exchanges between web servers and Internet users. Ultimately, data encryption will no doubt become a standard. The path to standardization is all the more certain because it is encouraged by Google. Websites which do not offer this service are already, a priori, ranked lower in the search results than their encrypted counterparts.
Let’s Encrypt has promoted and will continue to promote the security of exchanges with websites
Exchanges between a website and its users are secured by means of a certificate and the TLS protocol. The certificate notably allows internet browsers to check the integrity of the data transmitted. An attacker therefore cannot substitute a message in transit without the browser detecting it. This certificate can only be issued to a website by a certification authority. This organization is responsible in particular for signing the certificate issued to the website and verifying the identity of the owner.
The administrator of the website is responsible for installing the certificate and configuring the web server to use the TLS encryption protocol. This installation and the cost of the certificate have been a major obstacle to the democratization of encrypted exchanges. Let’s Encrypt came into play in November 2015. This project, supported by major internet players, allows website administrators to install a free certificate and, better still, to do so in an automated manner.
Beyond providing a free certificate, Let’s Encrypt also provides a script for creating and installing the certificate and for configuring the web server. Apache2 and Nginx are notably supported. An automatic renewal script is also available.
This free and easy installation has already enabled several tens of millions of websites to offer secure exchanges to their users.
Different types of certificates
While the certificates provided by Let’s Encrypt allow exchanges to be encrypted quickly and easily, they do not guarantee Internet users the highest level of security or, more precisely, confidence.
Let’s Encrypt provides so-called domain validation (DV) certificates. Such a certificate is issued on one condition: the requester must be a contact listed in the WHOIS record or be able to manage the website.
The second level of certificate is called organization validation (OV). It is issued by a certification authority after telephone validation with the administrative contact, a WHOIS check and a check of registration at the Chamber of Commerce.
The third level of certificate is called extended validation (EV). The level of verification is higher. In particular, an additional telephone validation is carried out compared with the OV certificate. The EV certificate turns the address bar of browsers green and displays the certificate regulator next to the URL. Internet giants all have this relatively expensive type of certificate.
Organizational validation and extended validation certificates not only guarantee internet users secure exchanges thanks to certificates and TLS, but also reliable and strong identification of site managers.
SSL certificates can be multi-domain or multi-IP. They can then be used to secure a set of websites, but also to secure several services such as a mail server. Let’s Encrypt unfortunately does not offer this feature.
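The three validation levels and the multi-domain coverage described above can be read from a certificate's fields. The following is an added example, not part of the original article: it makes a heuristic DV/OV/EV guess from the subject of a certificate in the format returned by Python's `ssl.getpeercert()` and lists the names the certificate covers. The function names and the sample certificates are constructed for illustration.

```python
import socket
import ssl

# EV-only subject attributes (older OpenSSL prints the jurisdiction as a raw OID).
EV_MARKERS = {"businessCategory", "jurisdictionCountryName",
              "1.3.6.1.4.1.311.60.2.1.3"}

def subject_fields(cert):
    """Flatten the nested RDN tuples of ssl.getpeercert() into a dict."""
    return {key: value for rdn in cert.get("subject", ()) for key, value in rdn}

def validation_level(cert):
    """Heuristic DV/OV/EV guess from the subject; the authoritative signal
    is the certificate-policy OID, which getpeercert() does not expose."""
    fields = subject_fields(cert)
    if "organizationName" not in fields:
        return "DV"  # domain control only, no verified organization
    if EV_MARKERS.intersection(fields):
        return "EV"
    return "OV"

def covered_names(cert):
    """Names and IPs the certificate is valid for (subjectAltName)."""
    return [value for kind, value in cert.get("subjectAltName", ())
            if kind in ("DNS", "IP Address")]

def fetch_cert(host, port=443, timeout=5):
    """Fetch a validated live certificate (needs network; unused below)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed samples in getpeercert() format; not real sites.
SAMPLE_DV = {"subject": ((("commonName", "blog.example"),),),
             "subjectAltName": (("DNS", "blog.example"),)}
SAMPLE_OV = {"subject": ((("organizationName", "Example Shop SARL"),),
                         (("commonName", "shop.example"),)),
             "subjectAltName": (("DNS", "shop.example"),
                                ("DNS", "mail.shop.example"))}
SAMPLE_EV = {"subject": ((("businessCategory", "Private Organization"),),
                         (("jurisdictionCountryName", "FR"),),
                         (("organizationName", "Example Bank SA"),),
                         (("commonName", "bank.example"),)),
             "subjectAltName": (("DNS", "bank.example"),)}

if __name__ == "__main__":
    for cert in (SAMPLE_DV, SAMPLE_OV, SAMPLE_EV):
        print(validation_level(cert), covered_names(cert))
```

Passing the result of `fetch_cert("your-site.example")` to the same functions checks a live server, since `create_default_context()` validates the chain and host name before the fields are read.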
Which certificate to choose?
While the certificates provided by Let’s Encrypt allow all website administrators to offer secure and encrypted exchanges, the service, because of how it operates, cannot meet all needs.
An online store has every interest in opting for a certificate of at least the second level, a certificate with organizational validation, in order to turn visitors into customers more easily thanks to the increased level of trust. In addition, a company wishing to launch numerous websites or set up different services will also have to turn to a certification authority issuing multi-domain / multi-IP certificates.