Why should you pay for something that people are just giving away for free?
If you’ve developed a website — especially one that collects data from customers or community members — you have come across offers to provide an SSL Certificate.
More than offers, you’ve come across recommendations from your host or platform that you add an SSL Certificate to your site.
There are so many things involved in setting up a new business and establishing an online presence that SSL may have been an acronym that simply slipped under the radar for a while.
Besides, when you started investigating SSL, you realized it was important but then found there were so many different options for getting an SSL Certificate that you got a bit lost. When you looked left, you were offered a free Certificate.
But maybe your host or platform wouldn’t let you use a free one, or they would, but they wouldn’t support it.
Of course, you could pay for an SSL Certificate and let it all happen in the background, but why pay for something you can get for free? Maybe, for a while, you just couldn’t see the value in an SSL Certificate anyway.
But now maybe you’re ready to launch an online store or marketplace or to collect credit card information to process memberships or service fees. Suddenly the offers to provide an SSL Certificate, and the recommendations that you arrange one, are becoming much more strident and less optional.
In fact, it feels like an essential and mandatory step that you’ve put off for too long. It feels that way because it is. Well, you haven’t put it off for too long, but you shouldn’t put it off any longer.
Maintaining the security of your website and data that your customers provide is essential to any web presence and online business activity.
There is significant value in establishing the trust that security and encryption can engender. Beyond that, there is a significant opportunity cost to neglecting to invest in that trust.
Why pay for something — an SSL certificate — that you can get for free? Understanding the value proposition and opportunity costs around SSL Certification options depends on understanding the fundamentals of internet security, SSL, and SSL Certificates.
Only then can we really consider the question: What is the difference between free and paid SSL certificates? And why should I ever consider paying for one when they’re given away for nothing?
What is an SSL Certificate?
While surfing, filling in a form, or shopping online, have you ever noticed that the URL in your address bar suddenly says “https” rather than “http”? And that it also includes a little padlock graphic?
The shortest possible answer to “What is an SSL certificate?” is that it’s the feature of the website that adds the “s” to http and generates the padlock graphic in the address bar. What’s the significance of that extra “s” and that padlock graphic?
“SSL” stands for Secure Sockets Layer. SSL is the “standard technology for keeping an internet connection secure and safeguarding any sensitive data that is being sent between two systems….” SSL is a protocol that ensures that the link between networked computers is authenticated and encrypted.
How does it work? Internet security and cryptography is a fascinating rabbit hole, but a rabbit hole beyond the scope of this article. If you’re interested in knowing more about the details of internet security, check out resources like this one and others at SSL.com.
Essentially, cryptography works by managing two sets of codes — or keys.
Someone can create encrypted data using a public key (entering data into an internet form for example) that can only be read by someone with the matching private key that authorizes them to receive and read that information.
Security works because no one without the private key can get the data encrypted using the public key.
Without SSL security, that data you enter into the form — your credit card and social security number, for a common example — is sent as plain text rather than encrypted text.
Anyone who can intercept the data being transmitted — and there are plenty of nefarious network lurkers trying to intercept it — can read that text without needing any key to translate or decrypt it.
But we haven’t answered the question yet. What is an SSL certificate? An SSL certificate is a small file that binds a cryptographic key to your organization.
Once that bond between key and organization is established, the “s” and padlock are activated, meaning that credit card transactions, transfers of data, login credentials, and the like are fully encrypted.
Why Do You Need an SSL Certificate?
There are several reasons you and your website should have an SSL certificate.
- To establish trust. You need people who visit your website to know and believe that data that they enter into your website is secure and that it will be kept secure.
- To ensure security. Quite beyond your customers’ legitimate demands and expectations, you, as a website owner who may collect information on which your business relies, need to protect your data and your business from hackers.
- Are you concerned about SEO (Search Engine Optimization) — the strategies and techniques to ensure that your website is findable and found by search engines like Google? Google uses algorithms to determine where a website should rank in search results for various search terms entered into their search engines. Google has confirmed that it has, since 2014, used “HTTPS as a ranking signal.”
- Since roughly 2018, browsers have not only advised visitors when a website is encrypted (by using the extra “s” and the padlock, for example), but they also tell visitors when a website that collects data is not secure. Do you want to be the website in your competitive niche that flags your potential customers that your website is not secure? Of course not.
- Because your competitors will have an SSL certificate and because your customers will expect it of you. And the customer is always right.
Free Versus Paid SSL Certificates
Entities that issue SSL Certificates are called Certificate Authorities. There are not-for-profit Certificate Authorities that issue SSL Certificates for free as part of a mission and commitment to encrypt the entire web and to assert HTTPS (as opposed to HTTP) as the default protocol.
One example of a leading not-for-profit Certificate Authority that issues free SSL certificates is Let’s Encrypt. As of February 2020, Let’s Encrypt had issued over 1,000,000,000 — that’s billion with a b — certificates around the world.
Here’s what Let’s Encrypt, as an example of a Certificate Authority that issues free SSL Certificates, says about its free-ness:
We do not charge a fee for our certificates. Let’s Encrypt is a nonprofit, our mission is to create a more secure and privacy-respecting Web by promoting the widespread adoption of HTTPS. Our services are free and easy to use so that every website can deploy HTTPS.
Whether you use a free or a paid SSL Certificate, you receive the same level of encryption. While there are many differences between free and paid SSL certificates that we will summarize and then discuss, paid SSL certificates do not provide stronger encryption than free SSL certificates.
| Free SSL Certificates | Paid SSL Certificates |
|---|---|
| Let’s start with an easy one. It’s free. | See the section below about the range of costs associated with paid SSL certificates. |
| They provide only a Domain Validation option providing basic authentication for a single website or blog. A free SSL certificate does not validate who actually runs the website or whether the business itself is legitimate but only identifies your server. Some issuers of free SSL Certificates offer a wildcard SSL Certificate that can be used for a subdomain, for example, but only in limited circumstances and for the shorter duration referred to below. | Paid SSL Certificates offer Organization Validation and Extended Validation certificates that conduct in-depth verification of the organization’s business rather than just the owner of the domain. These deeper levels of certification come with visual indicators on the website that free certificates cannot provide. The coveted green address bar, for example, is triggered only after an extensive vetting process through a paid SSL Certificate issuer. Unlike a free SSL Certificate, paid SSL Certificates are available for subdomains and multiple domains. |
| Free SSL Certificates are of shorter duration than paid certificates, often as short as 30 to 90 days, following which they must be renewed. | Paid SSL Certificates are generally issued for one or two years at a time. |
| Available support is minimal, and may be limited to user forums and documentation. | Certificate Authorities and resellers of paid SSL certificates generally provide 24/7 support in a wide variety of formats or, at minimum, significantly more support than a free provider offers. |
| Free Certificate Authorities require new certificates much more frequently than paid Certificate Authorities, but offer no management platforms for managing expiries and renewals. | Paid Certificate Authorities provide management platforms essential for managing multiple certificates. |
| Free SSL Certificates are generally not backed by a warranty. | Paid SSL Certificates are backed by warranties generally of a minimum of $10,000 and up to several million dollars. |
| Not-for-profit Certificate Authorities such as Let’s Encrypt rely on donations and industry support to sustain their not-for-profit business model. | For-profit Certificate Authorities are not dependent on charitable donations. |
Where to Buy Paid SSL Certificates?
Paid SSL Certificates can be purchased directly from Certificate Authorities or from resellers who purchase certificates in bulk from those Certificate Authorities, then resell them through their own retail platforms that may include additional products, services, and supports.
Leading paid SSL Certificate providers include RapidSSL, Sectigo, Symantec, Comodo, GeoTrust, Thawte, Entrust, DigiCert, GlobalSign, GoDaddy, Network Solutions, SSL.com, StartCom, SwissSign, and Trustwave.
AboutSSL.com, a website established to provide a knowledge hub for all-things-SSL, offers reviews of 14 different Certificate Authorities.
As of June 2020, the five top-reviewed providers were (in alphabetical order): Comodo, GeoTrust, RapidSSL, Symantec, and Thawte. The top-rated providers are in that position for several reasons, including the wide range of certificates offered.
Keep in mind that a free SSL Certificate generally offers only a single Domain Validation.
To give you a sense of the breadth of paid SSL Certificates available depending on your priorities and vulnerabilities, here’s a summary of the range of options available from AboutSSL.com’s top-rated providers. (The lists of certificate types are drawn from each company’s reviews on AboutSSL.com.):
| Company | Types of SSL Certificates provided |
|---|---|
| Comodo | Extended Validated (EV) SSL Certificates; Organization Validated (OV) SSL Certificates; Domain Validated (DV) SSL certificates |
| GeoTrust | DV; OV; EV; Wildcard; SAN |
| RapidSSL | RapidSSL Certificate for single domain validation; RapidSSL Wildcard Certificate for unlimited sub-domain validation |
| Symantec | Code Signing Certificates; Multi-Domain SSL Certificates; Organization Validated Certificates; Wildcard SSL Certificates; Exchange Server Certificates; Extended Validation Certificates |
| Thawte | SSL 123 – Domain; SSL Web Server – Domain and Organization; SSL Web Server with EV – Domain and Extensive Organization; Wildcard SSL – Domain and Organization; Code Signing – Domain and Organization; SSL123 Wildcard – Domain; Multi-Domain Wildcard SSL – Domain and Organization |
About SSL offers an SSL Wizard for selecting the ideal SSL solution for your online security needs. It also offers options for comparing 13 different Certificate Authorities’ products (including each type of certificate offered by each Certificate Authority) to each other to identify the most relevant features.
The tool will permit you to compare individual Certificate Authorities’ certificate options with the following criteria: the number of domains included, lowest price, domains secured, type of website they’re best suited for, availability for additional domains, validation level, paperwork, time to receive your certificate, encryption strength, key length, assurance level, notification level in browsers, server license, SSL site seal, re-issue policy, warranty, refund policy, organization name in URL, wildcard support, SAN/UCC support, browser support, and OS Support (Desktop and Mobile).
What Will a Paid SSL Certificate Cost?
As has hopefully become clear, SSL Certification is a valuable investment to protect valuable information and your valuable business. Certification is also available in a wide variety of formats and with a wide variety of features depending on your particular needs.
Any summary of pricing information can only be just that — a general summary that should not replace careful investigation of the full range of options for your particular needs.
Having said that, here is pricing information for some of the most common paid SSL Certificate providers, as publicly available online in June 2020 from sources including Buildthis.io and their recommended ten best paid SSL Certificate providers.
Summary of Paid SSL Certificate Pricing Information from Buildthis.io

| Provider | Number of Available Certificates | Price |
|---|---|---|
| SSL.com | Seven types of certificates | $36.75 to $319.20/year |
| NameCheap | Thirteen types of certificates | $7.88 to $167.50/year |
| The SSL Store | Eight types of certificates | $12.95 to $200/year |
| GoDaddy | Four types of certificates | $63.99 to $295.99/year |
| GlobalSign | Four types of certificates | $249 to $849/year |
| DigiCert | Four types of certificates | $175 to $595/year |
| Thawte | Four types of certificates | $199 to $260/unit |
| GeoTrust | Five types of certificates | $149 to $745/year |
| Entrust | Five types of certificates | $174 to $609/year |
| Network Solutions | Five types of certificates | $199.50 to $579/year |
Types of Free SSL Certificates
Clearly one of the advantages of Paid SSL Certificates is their wide range of applications, the total scope of which exceeds the grasp of a free SSL Certificate. Having said that, free SSL Certificates are not all the same either. There are two primary types.
Self-Signed Certificates are Free SSL Certificates that you sign yourself as the user. They are not signed by any Certificate Authority. As a general rule, self-signed SSL Certificates lack and fail to convey the credibility generated by a certificate signed by a Certificate Authority.
People who visit a website certified with a self-signed SSL Certificate will see a warning stating exactly that. Conversely, the other type of free SSL Certificate is signed by the Certificate Authority as issuer, not by you as the user.
People who visit a website certified by a free certificate signed by a Certificate Authority see no such self-signed certificate warning.
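The differences described in the comparison table and in this section (validation level, certificate lifetime, self-signed versus CA-signed) are all visible in the certificate itself. The following is an added example, not part of the original article: it reads a certificate in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns and reports those properties. The sample certificates, CA names, function names and the 30-day renewal threshold are constructed assumptions, and the EV/OV checks are heuristics based on subject fields.

```python
import ssl
from datetime import datetime, timezone

# Constructed samples in the dict shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_DV = {
    "subject": ((("commonName", "blog.example"),),),
    "issuer": ((("organizationName", "Example Free CA"),), (("commonName", "E1"),)),
    "notBefore": "Jun  1 00:00:00 2020 GMT", "notAfter": "Aug 30 00:00:00 2020 GMT",
    "subjectAltName": (("DNS", "blog.example"),),
}
SAMPLE_OV = {
    "subject": ((("organizationName", "Example Shop Ltd"),), (("commonName", "shop.example"),)),
    "issuer": ((("organizationName", "Example Paid CA"),), (("commonName", "R1"),)),
    "notBefore": "Jun  1 00:00:00 2020 GMT", "notAfter": "Jun  1 00:00:00 2021 GMT",
    "subjectAltName": (("DNS", "shop.example"), ("DNS", "www.shop.example")),
}
SAMPLE_SELF_SIGNED = dict(SAMPLE_DV, issuer=SAMPLE_DV["subject"])
SAMPLE_NOW = datetime(2020, 8, 10, tzinfo=timezone.utc)

def flatten_name(rdns):
    """Turn getpeercert()'s nested name tuples into a plain dict."""
    return {key: value for rdn in rdns for key, value in rdn}

def describe_cert(cert, now, renew_within_days=30):
    """Report who vouches for the certificate, what identity it carries, and its lifetime."""
    subject, issuer = flatten_name(cert["subject"]), flatten_name(cert["issuer"])
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    if subject == issuer:
        level = "self-signed"      # issuer equals subject: no Certificate Authority involved
    elif "businessCategory" in subject:
        level = "EV"               # heuristic: EV subjects carry this field
    elif "organizationName" in subject:
        level = "OV"               # heuristic: a vetted organization is named
    else:
        level = "DV"               # only control of the domain was validated
    days_left = int((end - now.timestamp()) // 86400)
    return {
        "level": level,
        "lifetime_days": (end - start) // 86400,
        "days_left": days_left,
        "renew_due": days_left <= renew_within_days,  # threshold is an assumption
        "names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
    }

if __name__ == "__main__":
    for sample in (SAMPLE_DV, SAMPLE_OV, SAMPLE_SELF_SIGNED):
        print(describe_cert(sample, SAMPLE_NOW))
```

With default verification enabled, Python refuses the connection to a self-signed site before `getpeercert()` can return anything, which is the library-level counterpart of the browser warning described above.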
Should You Pay for an SSL Certificate?
With only limited exceptions, yes. The investment is real but worthwhile. Protecting a personal website or blog with a free SSL certificate may be sufficient.
To the extent that you are operating a business through your website and asking customers to provide you with personal, financial, and credit information and processing commercial transactions that — if that data or those transactions are intercepted — expose you or your customers to risk or liability, you should invest in higher and deeper levels of SSL certification available only via paid certificates.