Question

This post stems from a Facebook post I saw about IT pushing back on the use of LetsEncrypt SSL Certificates.

Does anyone have a good resource to send IT professionals who question whether we should be using LE on client sites?

I’m not talking big sites or ecommerce sites, I’m talking brochure sites so small I can’t even be bothered getting into this with an IT consultant…

A Facebook Group 🙂

So I decided to respond to the Facebook post with helpful information on some points you may want to share with someone pushing back on LetsEncrypt certificates.

I suggest you change the wording to fit your demographic and context 🙂

Response

It would be interesting to see their communication; sharing it here wouldn’t be a good idea.
I would use these points and make them digestible as needed 🙂

  • SSL/TLS is an IETF standard, and there is no proprietary method used by any company to provide SSL Certificates. At its core, it’s an encrypted connection between two devices, with a certificate authority providing the SSL Certificate and signing off that it’s valid.
  • Unless you require Extended Validation or a Warranty (covering a loss to the business that is the SSL provider's fault), a validated SSL Certificate from LetsEncrypt or a similar organization is sufficient.
  • For years, SSL organizations/companies or Certificate Authorities (which issue SSL Certificates) have provided SSL Certificates that are identical to LetsEncrypt's for upwards of $500/year, with the only additions being assurance, warranties and extended management features.
  • A few Certificate Authorities have actually been hacked or had issued certificates for high-profile domains to unauthorized users.
  • The broader internet and overall technical professional community view LetsEncrypt as a suitable method for SSL on a website on the internet without any drawbacks from a technical or business standpoint.

At the end of the day, if the IT professional wants the client to pay extra, it’s on them and is doable. But the additional cost of manual renewals each year will be incurred, versus automated LetsEncrypt renewals using multiple tools that are standalone or baked into platforms.