Galaxy's Let's Encrypt's SSL Certification security level

First of all, I’m super impressed by the Galaxy SSL feature. It’s like one click of a button and 2 minutes and BOOM! you’ve got it.

Now for my question, and keep in mind I’m a security n00b: Is it really safe?
Besides the 10K-1M warranty you get from commercial suppliers like Comodo, which shouldn’t be ignored, from a technical perspective: is the Let’s Encrypt certificate + Galaxy configuration really the same as the certificate you’d get from a commercial supplier?

Thanks for any answer.

DISCLAIMER: I am absolutely no security expert, I am giving the info I could sum up from what I have read in the past months researching on SSL Certificates myself. Please take everything with a grain of salt, and I’d love to be corrected if need be.

I cannot say anything about Galaxy. But Let’s Encrypt is just a certificate provider like any other; we call those CAs (Certificate Authorities).

Let’s Encrypt’s certificates are as good as any other for SSL connection-wise. Even a self-signed certificate would secure a connection! The reason why we use a CA is to provide our users with a certificate that has been verified (it belongs to the right domain and it was issued to the domain owner).

The only drawback from using Let’s Encrypt as a CA (from what I can think of) is that it may not be recognized as a trusted provider since it provides free certificates; it is easy for anyone to grab a dozen… But they issue a server challenge just like the specifications require. Also their certificates expire quite a bit faster than others, which may or may not be liked… They are also not that old, so they could still be lacking in some trusted sources lists.

3 Likes

The bigger issue is that since Let’s Encrypt is automated, there is no more secure validation that you’re the owner of the domain/business, which is why LE doesn’t give you a nice and fancy custom name for your certificate in the browser bar, i.e. [My Fancy Business]. This does give additional credibility which your visitors may want to see based on what kind of site it is.

If this is somehow possible to get, awesome please tell me how to get it :smiley:

2 Likes

You are right! Although Let’s Encrypt does make sure that the machine requesting the certificate is the same as the one answering the challenge sent to the domain the request was made for, it lacks other validations.

Also I forgot to say that Let’s Encrypt’s goal is to provide easy and free SSL to whoever needs it in the fight against unencrypted internet data transfers. Their goal is not to replace well-known authorities like Symantec, DigiCert or GoDaddy.

The big authorities do charge for the certificate, but they aren’t harder to generate than Let’s Encrypt’s. But they take responsibility over the certificates they provide, so they do manual/human checks which cost money…

I wouldn’t use Let’s Encrypt for securing customers’ data of a corporate product, as it just yells out “I’m too cheap to pay a real CA”.

3 Likes

Those are extended level certificates and unnecessary unless your business is already doing really, really well. Let’s Encrypt is fine for any small app / business.

2 Likes

Thanks for that guys!
Well, my certificate generated by Galaxy will expire in 2021, so somehow they managed to get over the short-term expiration.

Do you guys think that customers actually look into the certificate name? I personally don’t know anyone who actually checks that.

1 Like

With self-signed certificates, you aren’t protected against man in the middle attacks, unless you manually “install” the certificate on the clients as well (which you can’t do for public websites since anyone might want it).

Thanks, I went and read a bit about this kind of attack. I thought that the user has to add exceptions for self-signed certificates in their browser, so if there is a man in the middle attack the certificate wouldn’t be the same and would need another exception…? The user will certainly just accept it anyway, I guess.

Last time I visited a website using a self-signed certificate in Chrome, I had an option saying something like “Visit the site anyway”. If you do, then you will be using the certificate, and it will only be the one that has created the certificate that will be able to read your encrypted messages.

However, the catch is that you can’t be certain that the certificate actually comes from the website you’re visiting, because no one can verify it (no one that the web browser trusts has signed the certificate). The certificate might come from the man in the middle, and if it does, he will be able to read all the messages you think you send directly to the website.

Note: If you manually add the self-signed certificate to the web browser in advance (before you visit the website), then you’re safe, but you can’t do that for all of your visitors on the Internet.

1 Like

To summarize, the Let’s Encrypt certificates ensure that the traffic is encrypted, but they don’t prove server identity. They’re sort of an SSL Light.

1 Like

They do provide server identity because it needs to pass an HTTP or DNS challenge before it’s issued.

What it doesn’t provide is business identity, which only commercial certs in the $2000+ range do (and several security researchers have demonstrated how poor the checks are and how easy it is to “shadow” an existing business name).

2 Likes
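The two points made above (a self-signed certificate is only safe for clients that have it installed in advance, and a domain-validated certificate carries no business identity) can be checked with a small Go program. This is an added example, not code from the thread or from Galaxy; it builds a throwaway self-signed certificate for the made-up host `example.test` and asks Go's X.509 verifier what a client with and without that certificate in its trust store would conclude, then reads the validation level from the subject's Organization field (a rough DV-vs-OV/EV heuristic, not a full policy-OID check).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MakeSelfSigned builds a constructed, throwaway self-signed leaf certificate
// for "example.test" with a Let's-Encrypt-style 90-day lifetime.
func MakeSelfSigned() *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"}, // no Organization: DV-like
		DNSNames:     []string{"example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// TrustedFor reports whether a client whose trust store holds only roots
// would accept cert for host. An empty pool models a visitor who has not
// "installed" the self-signed certificate; a pool containing it models one who has.
func TrustedFor(cert *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// ValidationLevel is a rough reading of the subject: DV certificates
// (Let's Encrypt's included) name only the domain, never an organization.
func ValidationLevel(cert *x509.Certificate) string {
	if len(cert.Subject.Organization) == 0 {
		return "DV"
	}
	return "OV/EV"
}

func main() {
	cert := MakeSelfSigned()
	empty, pinned := x509.NewCertPool(), x509.NewCertPool()
	pinned.AddCert(cert)
	fmt.Println("visitor without the cert installed trusts it:", TrustedFor(cert, empty, "example.test"))
	fmt.Println("visitor with the cert installed trusts it:   ", TrustedFor(cert, pinned, "example.test"))
	fmt.Println("validation level:", ValidationLevel(cert))
}
```

The first check fails (unknown authority) and the second succeeds, which is exactly why a self-signed certificate cannot protect anonymous visitors from a man in the middle; a CA-issued certificate succeeds for everyone because the CA's root is already in their browsers.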