Free vs. Paid SSL Certificates
Author: Alex Lee (@alexjoelee)
It used to be that only the biggest names on the internet could afford to run HTTPS with a signed SSL certificate, because certificates were costly and had to be validated manually. That changed when ACME came along and automated the process of Domain Validation (DV).
The Origin of SSL: Back to the mid-1990s
Due to the increasing threat of insecure data transmission, a data encryption system was designed and implemented in 1994. The system was designed to secure data while it is in transit, requiring both the client and server to encrypt outgoing traffic and decrypt incoming traffic using a shared certificate.
Types of SSL Verification: DV, OV, EV
SSL certificates have always required some form of verification. Domain Validation (DV) is the lowest validation level, requiring only verification that a user has control of a domain before a certificate is issued. Organizational Validation (OV) is the next level up, requiring additional verification of business and organizational details, such as address, entity type, and legal name. Extended Validation (EV) is the highest level of verification, and requires an additional nine verification steps, including telephone number verification, length of time in business, and more.
All three types of SSL certificate provide a secure connection. One type of SSL certificate is not more secure than another. The difference is only in the perception of your domain. You might possibly impress your clients by using an EV certificate, if they happen to look. I suppose it shows that you are serious about your security. It will make no operational difference.
Introduction to Free SSL and ACME
ACME, or Automated Certificate Management Environment, is a standard for the automated renewal and management of SSL certificates. It allows a web server to automatically contact an ACME-compliant SSL certificate provider, create a request, verify that request using HTTP or DNS, and then download and install the certificate to the server. All of this happens in just a few minutes, usually in less than 30 seconds. Most ACME services, especially free ones, only offer DV certificates.
Let's Encrypt is a free, automated, and open certificate authority provided by the Internet Security Research Group (ISRG). ZeroSSL is an alternative free ACME provider. Several other SSL providers on the market offer an ACME component, including SSL.com and GlobalSign.
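An added example (not from the original article or from any ACME client) of the "verify that request using HTTP or DNS" step described above: it derives the value a DV check expects at the HTTP-01 URL and in the DNS-01 TXT record, following RFC 8555 and RFC 7638. The account key, token and `example.com` are constructed sample values, and the function names are this example's own.

```python
import base64
import hashlib
import json
import re

# JWK members that enter the thumbprint, per key type (RFC 7638 section 3.2).
REQUIRED = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")  # base64url alphabet only (RFC 8555)

def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 thumbprint of the ACME account public key."""
    canonical = json.dumps({k: jwk[k] for k in REQUIRED[jwk["kty"]]},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """token + '.' + account key thumbprint; ties the answer to one account."""
    # The token becomes a file name / URL path segment on the web server,
    # so reject anything outside the base64url alphabet (e.g. '../').
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("token contains characters outside base64url")
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def http01(domain: str, token: str, account_jwk: dict) -> dict:
    """URL the CA fetches over plain HTTP on port 80, and the expected body."""
    if domain.startswith("*."):
        # Let's Encrypt validates wildcard names with DNS-01 only.
        raise ValueError("wildcard names need the DNS challenge")
    return {"url": f"http://{domain}/.well-known/acme-challenge/{token}",
            "body": key_authorization(token, account_jwk)}

def dns01(domain: str, token: str, account_jwk: dict) -> dict:
    """TXT record the CA looks up; for '*.example.com' it sits on the base name."""
    base = domain[2:] if domain.startswith("*.") else domain
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode()).digest()
    return {"name": f"_acme-challenge.{base}", "type": "TXT", "value": b64url(digest)}

# Constructed sample values: not a real key (x/y are filler bytes) or CA token.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": b64url(bytes(range(32))),
              "y": b64url(bytes(range(32, 64))), "kid": "ignored-by-thumbprint"}
SAMPLE_TOKEN = "c2FtcGxlLXRva2VuLWZvci1kb2Nz"

if __name__ == "__main__":
    print(http01("example.com", SAMPLE_TOKEN, SAMPLE_JWK), dns01("*.example.com", SAMPLE_TOKEN, SAMPLE_JWK), sep="\n")
```

Because the thumbprint of the account key is part of both values, a party who merely observes the token cannot answer the challenge for a different ACME account.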
Free vs. Paid SSL in 2024: The Verdict
For 99% of folks, free SSL certificates from a trusted provider are certain to satisfy web security requirements. Traffic is encrypted using the same secure cryptography algorithms used for OV and EV certificates, and the certificate itself is issued quickly. Here are five reasons why a business might consider purchasing an SSL certificate in 2024:
- Warranty and Support: Paid SSL certificates often come with warranties and support services. If something goes wrong with the certificate or if there are technical issues, having dedicated support can be valuable.
- Extended Validation (EV) Certificates: EV certificates provide the highest level of assurance to website visitors by displaying the company name in the browser's address bar. These certificates are typically not available for free and are often used by larger organizations or those with specific security and branding needs.
- Wildcard or Multi-Domain Certificates: While Let's Encrypt offers wildcard certificates and support for multiple domains, some paid certificate authorities may offer more flexibility or additional features tailored to specific needs.
- Specific Requirements or Compliance: Some industries or organizations may have specific security or compliance requirements that necessitate using a certain type of SSL certificate, which might not be available for free.
- Perceived Trust or Reputation: Some businesses may believe that paying for an SSL certificate from a well-known certificate authority adds a level of trust and credibility to their website, especially if their target audience is sensitive to security concerns.
We manage SSL certificates for our customers using a combination of multiple ACME service providers. You can learn more about Skip2 by visiting our website.