Keeping your site secure should be the top priority of every website owner, and security starts with a good SSL certificate that protects your site. But is there really a need to fork out sometimes hundreds of dollars for an SSL certificate?
In most cases the answer is no: the free AutoSSL or Let's Encrypt certificate that many hosts include offers a superior level of protection.
Level of encryption and protection
The primary purpose of an SSL certificate is to encrypt the traffic between the visitor’s web browser and the web-hosting server.
Almost all SSL certificates offer an identical level of encryption and protection, regardless of whether they are free or paid; the cipher suites and key sizes negotiated depend on the server configuration, not on the certificate's price.
Level of Validation
There are three main levels of SSL certificate validation:
- DV (Domain Validated): For the certificate to be issued, you must add a DNS record or click on an approval email to prove you own and have control over the domain. These certificates are typically generated and issued either instantly or within the hour and are the easiest to get.
- OV (Organisation Validated): For the certificate to be issued, you must complete the DV validation, then further complete validation steps to prove your organisation exists, such as a telephone callback to the listed phone number.
- EV (Extended Validation): The certificate issuer will go to extreme lengths to verify that the organisation exists and that the person requesting the certificate is authorised to do so. This may take several days to complete and require documentation to be submitted.
All free AutoSSL/Let's Encrypt/Cloudflare certificates are Domain Validated.
OV and EV certificates do not have better encryption, and can only be told apart from a DV certificate by someone who goes out of their way to decode the certificate's details.
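Decoding the certificate is the only way to tell the levels apart. The following added example (not code from the original article) shows what that takes with the openssl command line: it classifies a certificate by the CA/Browser Forum policy OIDs that issuers embed (2.23.140.1.2.1 for DV, 2.23.140.1.2.2 for OV, 2.23.140.1.1 for EV) and falls back to whether the subject carries an organisation (O=) field. The sample certificates are constructed, throwaway self-signed ones; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example: classify a certificate as DV / OV / EV from its policy OIDs
# and subject fields, using only the openssl CLI.

# Constructed sample: a throwaway self-signed certificate with an optional
# CA/Browser Forum policy OID. Real issued certificates carry one of:
#   2.23.140.1.2.1 (DV), 2.23.140.1.2.2 (OV), 2.23.140.1.1 (EV)
make_sample_cert() {
  # $1: output PEM path, $2: openssl -subj string, $3: policy OID (optional)
  ext=${3:+"-addext certificatePolicies=$3"}
  # shellcheck disable=SC2086  # $ext is intentionally word-split
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1.key" -out "$1" -days 90 -subj "$2" $ext >/dev/null 2>&1
}

# Prints DV, OV or EV for the certificate at $1.
cert_validation_level() {
  text=$(openssl x509 -in "$1" -noout -text)
  case "$text" in
    *"Policy: 2.23.140.1.1"*)   echo EV ;;
    *"Policy: 2.23.140.1.2.2"*) echo OV ;;
    *"Policy: 2.23.140.1.2.1"*) echo DV ;;
    *)
      # No CA/B Forum policy OID: fall back to whether the subject names an
      # organisation (O=), which a DV certificate never carries.
      subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)
      case "$subj" in
        *"O="*) echo OV ;;
        *)      echo DV ;;
      esac ;;
  esac
}

# Usage on a live site's certificate would be, for example:
#   openssl s_client -connect example.com:443 -servername example.com </dev/null \
#     2>/dev/null | openssl x509 > site.pem && cert_validation_level site.pem
```

The policy-OID check is what browsers themselves rely on when they still distinguish EV internally; the O= fallback is only a heuristic for certificates from issuers that omit the policy OID.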
Level of Trust
All common web browsers (Chrome, Firefox, Opera, Edge, Internet Explorer, etc.) will happily trust the vast majority of free and paid certificates without any issues.
Site visitors simply will not care about the brand or type of SSL certificate you are using, as long as the padlock icon appears in the browser.
Customers are unlikely to know the difference between certificate issuers, and some trusted, reputable providers such as Sectigo/Comodo issue both paid and free certificates.
Once installed, an SSL certificate should be set and forget for the validity period of the certificate.
SSL vendors can only offer very limited assistance installing an SSL certificate on your own third-party services.
If you are using a free SSL certificate with a good web-hosting provider, they should include support for the SSL certificate they provide.
Length of Validity
Most free AutoSSL, Cloudflare and Let's Encrypt certificates have very short validity periods of approximately 3 months.
This is because these certificates are designed to be renewed more frequently and automatically.
The maximum validity of a paid SSL certificate is about one year (398 days).
This limit was implemented by Apple and Google, came into effect on 1 September 2020, and removed multi-year certificates from the market.
These changes make paid SSL certificates very inconvenient and increase the likelihood of the expiry being overlooked and the site no longer loading securely.
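The expiry being overlooked is the practical risk the short-lived, auto-renewed certificates are designed around. The following added example (not code from the original article) is the kind of renewal check a practitioner would run from cron against any certificate, free or paid: it uses openssl's `-checkend` to work out how many days remain and returns a non-zero exit status when renewal is due. The sample certificate is a constructed, throwaway self-signed one, and the function names and the 30-day threshold are this example's own choices.

```shell
#!/bin/sh
# Added example: measure how close a certificate is to expiry and flag it for
# renewal, so an overlooked one-year certificate does not take the site down.

# Constructed sample: throwaway self-signed certificate valid for $2 days.
make_sample_cert() {
  # $1: output PEM path, $2: validity in days
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1.key" -out "$1" -days "$2" -subj "/CN=example.test" >/dev/null 2>&1
}

# Returns 0 if the certificate at $1 is still valid $2 days from now, 1 if it
# will have expired by then (openssl -checkend takes a number of seconds).
cert_valid_in_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Whole days remaining, found by probing -checkend with a binary search. This
# avoids parsing notAfter with `date`, whose flags differ between GNU and BSD.
# The upper bound of 400 days covers the 398-day cap on public certificates.
cert_days_remaining() {
  lo=0; hi=400
  cert_valid_in_days "$1" "$hi" && { echo "$hi"; return 0; }
  while [ "$lo" -lt "$hi" ]; do
    mid=$(( (lo + hi + 1) / 2 ))
    if cert_valid_in_days "$1" "$mid"; then lo=$mid; else hi=$((mid - 1)); fi
  done
  echo "$lo"
}

# Monitoring-style check: prints one status line and returns 1 when fewer
# than $2 days are left, so cron or an alerting hook can act on the exit code.
cert_renewal_check() {
  left=$(cert_days_remaining "$1")
  if [ "$left" -lt "$2" ]; then
    echo "RENEW: $1 expires in $left day(s)"; return 1
  fi
  echo "OK: $1 expires in $left day(s)"; return 0
}

# Typical cron usage, fetching the live certificate first:
#   openssl s_client -connect example.com:443 -servername example.com </dev/null \
#     2>/dev/null | openssl x509 > site.pem && cert_renewal_check site.pem 30
```

Because `-checkend` compares against "now plus N seconds", a certificate issued for 90 days reports 89 whole days remaining a moment after issuance; the threshold you pick should be generous enough to leave time for a manual renewal to be ordered and installed.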
Almost all paid SSL certificate providers will offer a guarantee or warranty on the SSL certificates they issue.
This may then protect you if someone were to crack the SSL certificate, or if there was a breach at the issuer that compromised the certificate (i.e. root certificate or private keys leaked).
This is not a warranty against hackers breaking into your site by a different method, such as a compromised password.
To date, we are unable to find one documented case of a provider paying out one of these policies.
Unless you expect someone to try to break into your site with a multi-billion-dollar supercomputer, these warranties may be more gimmick than protection.
Paid SSL Myths
Myth 1 – “Paid SSL certificates give a green bar and extra trust in the browser”
False: This used to be true for the most expensive paid EV certificates; however, all major web browsers removed this extra functionality in early 2020.
Myth 2 – “Paid SSL certificates are better for my SEO”
False: While Google will penalise you for not having a valid SSL certificate, it does not discriminate between free and paid certificates.
Myth 3 – “Paid SSL certificates are more secure”
False: There are minimal technical differences between paid and free certificates, and they use the same encryption.
No certificate type is inherently more or less secure.
Why do providers still sell paid SSL certificates?
While not every site needs a paid SSL certificate, they still do have valid uses, which include:
- They may be a requirement of your payment processor or your organisation's insurance policy
- Securing complex networks and equipment: wildcard and multi-SAN certificates
- SSL certificates are a high-margin product for the reseller or web host