“Can you tell us why we should use you and Entrust when we get certs free of charge e.g. from Let’s Encrypt?”
The ICT Manager Teppo Kartano from the city of Rauma sent us a message on Sep-12 2019:
“Hi, we had a discussion here about certificates and their prices. Can you tell us why we should use you and Entrust when we get certs free of charge e.g. from Let’s Encrypt?”
And this is how we responded to Teppo:
the question is good, thank you. In a nutshell:
- Let’s Encrypt provides only encryption for the web site. You can get this certificate within minutes to any domain for which you can present sufficient control. Nobody contacts the organization and checks it. That is why phishing sites are typically protected with Let’s Encrypt. The visitor thinks he is on the intended site as there is the lock symbol in the address bar. And may give some important personal information to the site.
- An Entrust certificate also provides the digital identity. The visitor can check from the certificate the organization which provides the web site. The visitor can also be sure that a reliable third party has contacted the organization and verified the identity. It is all about protecting the security of the visitor on the web site.
And with some more details:
- Google has been for some years saying that mere encryption is enough. They seem to say that the digital identity of an organization plays no role for them. At the same time they seem to be strongly supporting Let’s Encrypt. Google is hiding symbols of digital identities deeper in the Chrome browser.
- However, the vast majority of organizations say that the digital identity for them is more important than encryption. They want that a visitor on their web site can somewhere check that he/she is on the correct site (and not on a phishing site having almost similar address).
- EU is also supporting strong digital identity. The PSD2 regulation was given in September 2019 and it demands that banking systems use SSL certificates with the stronges possible digital identity (QWAC = Qualified Website Authentication Certificate).
Does this help?