CACert vs Let's Encrypt vs StartSSL

Category: Linux,webserver   — Published by goeszen on June 28, 2017 at 12:17 pm

There are only a few providers, or rather Certification Authorities, that hand out "proper"/non-self-signed SSL certificates and do so for free. I've done a re-evaluation of these today (June 2017). Here are some findings and pointers for anyone interested:

StartSSL certificates have been around for a number of years now, and the basic version is free with very good browser support. Sadly, StartSSL certificates are no longer considered trustworthy by the community since the acquisition by a Chinese-led dubious conglomerate, as can be read in the Wikipedia article on StartCom, the company issuing the StartSSL certificates.

CACert is one of the older issuers of free signed certificates online. Yet browser support is still very limited. After all these years, the organisation hasn't been able to place its root certificates into widespread browsers.

Let's Encrypt is the new offering. They are sponsored by Mozilla, Google and some more. They seem trustworthy, and browser support as of now is already very good - I only found reports of some Windows versions not having the certificates in yet.

Ken Felix outlines differences between CACert and Let's Encrypt here, if you'd like more detail.

One major/last criticism of Let's Encrypt is that it may be exploited by the US government or the sponsoring parties. But that is true for all (mostly US) Cert Authorities. Read this rant to learn more. But until encryption gets rid of Cert Authorities altogether, I think this can be neglected. It's not a world-dominating government like the US spying on you, but criminals etc. Just my two cents...

My conclusion, btw, was to opt for a paid-for commercial SSL certificate, as browser support was important in my project and I'd like a few more years to pass by until support of Let's Encrypt certs is near perfect.

