The era of “Post-Let's Encrypt”. Who still needs to pay for SSL certificates?

In July, integration with Let's Encrypt became available to ISPmanager users. Now you can get SSL not only for free, but also as convenient as possible. Release, installation on the server, renewal - everything is automatic. And this is the way it should be, because already today LE certificates handle most tasks. They provide strong encryption, are “friendly” with popular browsers and do not allow to lose SEO points according to Google rules. With this layout, free SSL is suitable for 90% of sites. Then who are the remaining ten, who must continue to pay? Who will Comodo and Symantec fight for in the near future?



These are mainly e-commerce projects. And there are several reasons why they should not rush to install our module. Let us dwell on each in more detail.

1. Use by startups

Let's start with the simple. Take a typical e-commerce startup. Nobody knows the name. The complete lack of references on the Internet. Domain registered a month ago. Everything hints to the user: make a payment here and you will not see any product or money. Therefore, confidence is zero!

')

And now we will try to present how with this certificate Let's Encrypt, issued for 3 months, should help to increase its (trust). Rather, he will only make things worse. What can not be said about the EV certificate with a green line. At least he will show that you are set to work for another year or two.





Use of Let´s Encrypt certificate by a startup

2. Warranty for buyers

Do not forget that Let's Encrypt only issues certificates with domain verification. They give not so many guarantees. To be frank, none at all. The presence of a DV (Domain Validated) certificate indicates only the encryption of data on the site, which in itself does not mean anything.



I will try to illustrate with an example. Let's say you are going to get a DV certificate for an online store. Be prepared for the fact that not all potential customers will risk making purchases from you. Experienced users will pass by, and here's why.



The fact is that neither the free Let's Encrypt nor the paid RapidSSL will not prevent fraudsters from turning the most popular phishing scheme. They will make a copy of your site, buy a similar domain, and even install a DV certificate. There are no checks! They will only have to intercept traffic and continue to collect payments hapless customers.



If this happens to you, the reputation will be irretrievably lost. Therefore, it is worthwhile to worry about this problem in advance. This will require not only installing at least the simplest certificate with verification of the organization, but also to accustom visitors to pay attention to it. You can start small. For example, from placing in a prominent place the so-called trust seal (Site Seal).





Seal of trust Thawte on Alfa-Bank website

3. WildCard ... not really

There is no support for WildCard in LE, which means that for each level 3 domain you will need to install protection separately. The problem is, of course, so-so. In ISPmanager, even releasing a couple of dozens of Let's Encrypt certificates is a question of three minutes. But there are times when you need not 10 or 20, but no limit. Here things are not so rosy.



Level 3 domains often donate hosting providers to their customers. Usually a bonus to the main service. Agree with the free certificate offer would be even more interesting. All right, only LE supports only a limited number of similar domains. 128 pieces, to be exact. Therefore, in this matter, integration with Let's Encrypt is not an assistant.

4. Use of blogs

The goal of each blog is to get the maximum number of subscribers. For this form of entering email addresses specifically placed in the most prominent place. For a subscription often give some small bonus. And I believe that every copyright owner is interested in the visitors leaving real addresses, not spam boxes. For this you need trust. Therefore, it is worthwhile to install a certificate more seriously than Let's Encrypt. Otherwise, you will not convince visitors that their addresses will not reach third parties and spam will not begin to fall on the mail. About why this happens, I already told in paragraph 2.



Another example is various blogs with a specific audience. Like the ones that write about Luxury Lifestyle. Using a free SSL certificate with similar projects at least looks weird. As if the editor from the glossy, talking about high fashion, would go in a free t-shirt "Beer at Mikhalych", issued by the promoter. Far from the fact that the audience of such blogs appreciate the savings.

Conclusion

Security and trust can and should be used as marketing tools. They directly affect the level of income that you can get from visitors to your site. Therefore, in my opinion, SSL certificates with verification of the organization are still the minimum acceptable for all online stores and various sites of commercial projects.



I would be glad to hear your opinion on this in the comments. It is also very interesting to know how you see the future of paid SSL certificates.



PS I can not do without metrics. Here's the discount code: habrssl5 . It is for those who hit ten percent, which I mentioned above. You can apply here: www.ispsystem.ru/ssl