SSL Certificates: Paid vs. Free

There are a couple of projects like letsencrypt.org (currently in public beta) advertising free SSL/TLS certificates for websites. Have you used a free SSL certificate on your website? Thoughts about the project? Are there any benefits to a paid SSL certificate over a free one?

1 ACCEPTED SOLUTION

To answer the op's question: I have used both Let's Encrypt and StartSSL on my own (non-commercial) websites that don't collect personal information beyond a username and an email address. I believe these certificates provide just as much "security" as the highest-priced commercial SSL offering: they use the same encryption standards and protocols after all. For a site that isn't collecting any information at all I would definitely go with Let's Encrypt or StartSSL: I too believe all websites should be encrypted, but the price of the lock should fit what is being protected.

One benefit of using Let's Encrypt or StartSSL at least once? You get to see what really goes into creating an SSL certificate.

I also recognize the liability risks of collecting personal information from web visitors and site members and would not use a certificate without some liability protection on a site that collects more than the 2 pieces of information listed above. Just as I operate my web development work as an LLC (as recommended by roy darling), I protect my business assets and those of my clients from unnecessary risk. It isn't the protection, it's the insurance. 😉

Geeks rule!

29 REPLIES

If you are not paying for it, you're not the customer; you're the product being sold. - Andrew Lewis

It is nice to see someone tackling this. While that is a resource I would share in meetups (for those who are budget minded or just starting out) I would not dare advise that any of my clients utilize that service. I'm not just saying that because I sell SSL certificates. Okay, maybe I am partially saying that because I sell SSL certificates but still if something’s free, it’s worth exactly what you paid for it.

...turns out that my two cents is worth less or more depending on the current exchange rate.

roy darling *my posts seem a lot shorter in my head

@rd : your comment pretty much summarizes why I'm leery of free certificates. On the other hand, much in the web dev world is free: WordPress, this community, Google searches, the programming languages we build on, the Linux OS, etc. There was also a great post here about pro bono work, and the benefits of occasionally offering free work.

So beyond the initial distrust (and the fact that Let's Encrypt is in public beta so things could still go wrong), is there a technical reason to avoid free SSL/TLS certs? Are they less reliable, harder to maintain, more risky?

Yes, @valasaurus there are a lot of "free things" on the web. Many available free offerings are highly beneficial but being beneficial doesn't mean that you're not the product. Pro bono work is great and though I often offer my company's service free I will tell you for certain that we indeed receive a benefit from pro bono work. Keep in mind that not all benefits are monetary but make no mistake we do benefit. If you feel like taking a bit of time to read whatever was above the box you checked that said something like "I have read these terms" you will probably see that you are indeed the product.

Again please don't take me saying "I would not dare advise that any of my clients utilize that service." as condemnation of free internet offerings. I feel like the internet is a wonderful place and I am indeed a fan of and use tons of free and open source solutions. As mentioned in my initial post for those budget minded people that would be awesome. I don't even feel like free automatically means that the product is somehow inferior or less secure but that is not to say it is robust and comprehensive either. Though I may question the support of a lot of free offerings and ultimately the liability, I can think of people I know that would love letsencrypt.org

I can't begin to tell you how much money free CMS tools have made for me and my company. My only point was just like Facebook, Gmail, Instagram, letsencrypt.org, Hotmail, forum communities... you should see yourself as the product. As in life, when you understand what you are you can more clearly see the situation.

One other point when I see people with those business cards that are the "get 250 business cards free" I don't think "Wow, this is a reputable company!" I think "They aren't making an investment in their company. Is this the kind of person I want to deal with?" but full disclosure I also have a print business that designs and produces printed products.

...turns out that my two cents is worth less or more depending on the current exchange rate.

roy darling *my posts seem a lot shorter in my head

@rd - I totally understand a certain distrust of free things, and I understand your point that they make you the product. That's exactly why I've made this post - because again, beyond being wary of all free things, I'd like to know if there's a technical difference between the two.

While I'm replying directly to you, my comments are to foster a larger dialogue on the subject. If possible, I'm still keen to hear specifically from someone that's used letsencrypt or other free SSL services.

Thanks for your input!

I was really bad at looking at things without my geek hat on, I suspect that is a difficult thing for a lot of people? Back when I was working a corporate job and had some crazy title on my business card like software engineer customer use model manager or whatever it was, one of the best things I did was just shoulder surf. I would go to a location and take in the environment and customer training. What I discovered was that users did not see or use the system as I did. I remember going to one user's desk who had written her password on the border of her monitor screen in silver permanent marker (the monitor was black) and when I asked why she replied "They told me that I shouldn't write my password on a piece of paper because it wasn't secure." Good thing the monitor had a Kensington cable on it?

What I now know is that the casual (probably the typical) internet user does not care much about what SSL certificate is used OR if a website has one. I had one user ask me if I had changed the address bar on my website to green for Saint Patrick's Day, it has actually always been green but thanks for noticing? I've seen users who have gotten viruses because they mistyped one letter in the domain and went to a clone website. I've seen users enter their information (including credit card numbers) on websites without SSL encryption, I've seen users enter information on websites with mock SSL encryption and just about anything else you can imagine.

Looking at it with what I know, your SSL certificate ABSOLUTELY makes a difference and I would prefer the customer service and company liability of a paid service and advise my clients the same way. I even think that within the paid companies that offer SSL certificates there are superior offerings (though I won't mention names). From a user perspective I'm not so sure that it matters at all? Actually, on my company websites I have forced SSL security on all of the pages. What we found was that users often questioned the change from non secure to secure and thought "Hmmmmm, something is wrong with this website? What is this security thing?" rather than "Oh, now I have entered a secure area of the website." I'm more than sure that whatever advantages, disadvantages, security level of whatever SSL cert would most likely go unrecognized by a user @valasaurus and again free does not mean inferior in my view. A free SSL certificate is probably fine for 70% of whatever website you want to secure but free service is not premium service. I suppose it just depends on the type of service you would like. The bottom line is that you would have to most likely educate your client, they would come to you already educated or it wouldn't matter if their website was secured with a zip tie. 

I promise I'm not saying this to toot my own horn. About three years ago I went away from virtual independent contracted per job coders to full time employees and a building of my own. I'm paying all of the bills that come with a brick and mortar business like commercial garbage, insurance, benefits, taxes... I'm not a huge business but you know what I am now? I'm sueable, as in liable to be sued in a court. Because I (in particular my business) am sueable there is some stuff we have to do. We have a company who makes sure our walks are shoveled in winter, we make sure the cleaning company we use has the proper insurance, cleaning instruments, personnel... and most of all we make sure that the websites we design and maintain are as secure as we can make them.

I could not imagine I would take on the liability of managing a website that used a free SSL certificate. I'm not claiming that we build bulletproof websites but we do secure our websites to the best of our ability. I would not like to open my company up to the potential liability that comes with a free service and that includes some CMS solutions. Be aware also that I'm the same guy who won't put free email addresses on business cards. I honestly feel like it is a waste of my time and talents to produce a business card and throw a hotmail.com, gmail.com, yahoo.com... on it or more specifically that's not the kind of person/company I would want as my client.

Many of the coders I have met run as an LLC or Inc. and I advise those who are doing paid work as an individual to create a company because if you are accepting money you are sueable.

...turns out that my two cents is worth less or more depending on the current exchange rate.

roy darling *my posts seem a lot shorter in my head


Thanks, @SiteGeek! I also noticed recently that WordPress.com has made all of its sites HTTPS by partnering with Let's Encrypt (source). I trust WordPress, so having them back Let's Encrypt gives it a bit more credibility imo.

Thanks again for your insight!

WordPress.org uses Let's Encrypt for all its hosted WordPress sites and Facebook is a promoter, sponsor and user of it too. I doubt it would be crappy if these firms use Let's Encrypt.

It's obvious that the SSL gravy train is ending and GoDaddy is trying as hard as possible to milk it. Look at all the hosting firms that support Let's Encrypt:

https://github.com/certbot/certbot/wiki/Web-Hosting-Supporting-LE

GoDaddy is now one of the most expensive hosting firms and never comes in the top 5 hosting firms for speed. They have let their guard down...

Hi there, I am looking through this post because recently, with my website that I host on GoDaddy (as well as managing my domains), now after years I get "SSL certificate invalid" every time anyone goes to my gallery page. My webpage is www.thecatsgrafix.com; if you click the inventory page, which is, like I said, a gallery script that GoDaddy offers in their cPanel, now my customers are scared thinking it's a virus. I refuse to pay for the certificate because I already pay for a hosting package, cPanel, and my domains are always paid to GoDaddy. If anyone knows how to get around this please let me know. I hate money grabs and I've been with GoDaddy almost a decade, now this? It's disrupting my webpage and it's again only popped up in the last few months. So coming across this topic interests me.

There is a long discussion of Lets Encrypt above, and I said previously that they are free on Bluehost.

@rd... I selected you for correspondence because of all those amazing kudos that I found when logged into Plesk Desk support. And then I found you wrote related posts to something driving me crazy.

the Devil in Daddy...

Summary: I found two sources for creating SSL code. One was on a site called Getacert.com and the other Digicert.com

Digicert allows you to download a tool to create a CSR.... and Getacert goes a step further and lets you divide that up in four segments for download. These are: Private Key, CSR, Public Key and then the whole ball of wax converted into a single .p12 file

I don't need an SSL on my site, but I want one because it improves Google search. (did you know that? I'm sure you did because you sell SSL service!) So after buying my yearly hosting, I asked tech support if I can buy a cert... or... install my own. They said yes to both. But when they offered to do this FOR me for $65 a year, I was annoyed. That's almost as much as I paid for my entire hosting.

In the current world.. when you know the proper sources and apply your own research.. most of this is FREE. And you probably know or use the same tools I found, for that matter. ::grin::

Mind you, if Devil Daddy (or someone else) charged me a one time fee of $10 to convert this silly text file so that GoDaddy could read it... or even charged 'said reasonable price' once a year, I would NOT be whining. I would just do it and be done.

My next phase was to spend hours on the web learning and researching. And then I learned about the can of worms that has ensued because NO ONE follows a uniform file format.

See here: https://www.sslshopper.com/ssl-converter.html

Back I went to the self-insertion area in the PLESK menus.

And though I have a perfectly fine Private key... Devil Daddy is having none of it.

Furthermore, they do NOT hint at the required file format for upload after the rejection. And no matter how many formats I have tried after that, my file will NOT be accepted.

So I called GoDaddy and no one is willing to tell me what that format is supposed to be.. which is wrong on the part of GoDaddy, as they document EVERY SINGLE ASPECT of their service as a rule.

Can you assist on this matter?
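The file-format tangle in the post above is mostly a labelling problem: every text-format file in that list follows the PEM convention (a base64 body between "-----BEGIN X-----" and "-----END X-----" lines, where X says whether the block is a certificate, a CSR or a private key), while a .p12 file is a binary, DER-encoded PKCS#12 bundle of certificate plus key. The following is an added example, not code from the thread or from Plesk, GoDaddy, Getacert, Digicert or sslshopper: it uses only the Python standard library to split a pasted bundle into its labelled blocks, normalise Windows line endings, tell PEM from DER, and round-trip a certificate between the two encodings. What any particular panel accepts is an assumption you must check against its own documentation; the sample bundle and the DER stand-in are constructed and contain no real keys or certificates.

```python
"""Tell PEM from DER, name what each PEM block is, and round-trip a certificate
between the two encodings.

Added example, not code from the thread or from Plesk, GoDaddy, Getacert,
Digicert or sslshopper. Standard library only. The guidance strings are general
knowledge about these formats, not a statement of what a particular panel
accepts (assumption); the sample bundle below is constructed and holds no real
keys.
"""
import re
import ssl

# One PEM object: a base64 body between matching BEGIN/END lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)

LABELS = {
    "CERTIFICATE": "X.509 certificate (yours, or one link of the CA chain)",
    "CERTIFICATE REQUEST": "CSR: goes to the CA; it is not a certificate",
    "NEW CERTIFICATE REQUEST": "CSR (older OpenSSL label)",
    "PRIVATE KEY": "PKCS#8 private key, unencrypted",
    "ENCRYPTED PRIVATE KEY": "PKCS#8 private key, password-protected",
    "RSA PRIVATE KEY": "PKCS#1 RSA private key (traditional OpenSSL format)",
    "EC PRIVATE KEY": "SEC1 EC private key",
    "PUBLIC KEY": "bare public key (SubjectPublicKeyInfo)",
}


def normalise(text):
    """Strip a UTF-8 BOM, convert CRLF to LF and trim stray whitespace."""
    return text.replace("\ufeff", "").replace("\r\n", "\n").strip() + "\n"


def split_pem(text):
    """Return [(label, clean_block), ...] for every PEM object in a bundle."""
    blocks = []
    for m in PEM_BLOCK.finditer(normalise(text)):
        label, body = m.group("label"), m.group("body").strip()
        blocks.append((label, f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"))
    return blocks


def describe(blob):
    """Classify file contents: a list of descriptions, one per object found."""
    if isinstance(blob, bytes):
        if blob[:1] == b"\x30":  # DER always starts with an ASN.1 SEQUENCE tag
            return ["DER/binary (certificate, key or PKCS#12 bundle): convert to PEM first"]
        blob = blob.decode("utf-8", errors="replace")
    found = split_pem(blob)
    if not found:
        return ["neither PEM nor DER: probably the wrong file"]
    return [LABELS.get(label, f"unknown PEM label {label!r}") for label, _ in found]


def pem_to_der(pem_cert):
    """Certificate PEM -> DER using the stdlib helper (base64-decodes the body)."""
    return ssl.PEM_cert_to_DER_cert(normalise(pem_cert))


def der_to_pem(der_cert):
    """Certificate DER -> PEM, wrapped at 64 columns as OpenSSL writes it."""
    return ssl.DER_cert_to_PEM_cert(der_cert)


# Constructed sample: certificate + chain certificate + PKCS#8 key, as saved from
# Windows (CRLF line endings). The base64 bodies are placeholders, not real objects.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\r\nMIIBbTCCARagAwIBAgIBAQ==\r\n-----END CERTIFICATE-----\r\n"
    "-----BEGIN CERTIFICATE-----\r\nMIIBbTCCARagAwIBAgIBAg==\r\n-----END CERTIFICATE-----\r\n"
    "-----BEGIN PRIVATE KEY-----\r\nMIIBVQIBADANBgkq\r\n-----END PRIVATE KEY-----\r\n"
)

# Constructed stand-in for a DER certificate: 0x30 0x82 is a real DER SEQUENCE
# header with a two-byte length; the rest is filler, not a parseable certificate.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(256)


if __name__ == "__main__":
    for label, block in split_pem(SAMPLE_BUNDLE):
        print(label, "->", LABELS.get(label, "unknown"))
    print(describe(FAKE_DER)[0])
    print(pem_to_der(der_to_pem(FAKE_DER)) == FAKE_DER)
```

Feed describe() the raw bytes of whatever file a panel rejected: if it says DER, convert the file to PEM before pasting; if the key block comes back as "ENCRYPTED PRIVATE KEY" or "RSA PRIVATE KEY" when the panel wants an unencrypted PKCS#8 key (or the other way round), that mismatch, not the key itself, is what is being refused.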

@MiniBoxGenius I have great news for you and I read something on your post that I disagree with.

The good news is your issue is easy to fix. All you need is a good SSL certificate. If you read my views in this thread you would know that I don't call those free solutions good. Not that they aren't good, I just don't feel like they are good for you.

I disagree with you when you say "I don't need an SSL on my site" and you disagree with yourself in the same sentence when you say "I want one because it improves Google search." Everyone needs an SSL certificate and 18 cents a day is a great price for security.

I'm sure that there is some roundabout method that you could Frankenstein together but that's probably not worth it in the long run? How much is your time worth? Buy an SSL certificate from a reliable company and rest easy. In my mind no reliable hosting company is going to instruct you on how to get a free SSL to work with their hosting?

I don't know what "the Devil in Daddy" is but GoDaddy has ALWAYS been good to me, I wouldn't recommend them if I didn't both use and trust their services. If you don't trust GoDaddy my suggestion is that you don't use their services regardless of how good I feel GoDaddy is. My opinions are my own and though I make money from GoDaddy products and services the money doesn't buy my positive review. Is GoDaddy a corporate juggernaut that seeks to crush the competition at all costs? Of course but the shareholders I'm sure wouldn't have it any other way? Me included. Best of luck with your internetting!

...turns out that my two cents is worth less or more depending on the current exchange rate.

roy darling *my posts seem a lot shorter in my head


@rd wrote:

@MiniBoxGenius I have great news for you and I read something on your post that I disagree with.

The good news is your issue is easy to fix. All you need is a good SSL certificate...

@rd

What is a good certificate and who is issuing them? If I buy GoDaddy hosting and get a free certificate will I be able to use it or will GoDaddy consider it bad?

I love and use the GoDaddy offered SSL Certificates. If you get a free one and want to use it I say go ahead, you can feel comfortable doing so @indig0F10w. The "free" certificates I was referring to are the ones offered by third party companies not associated with your hosting provider. GoDaddy is concerned about the security of your website (that is one of the reasons they offer you a free SSL Certificate) please take advantage of the offering.

...turns out that my two cents is worth less or more depending on the current exchange rate.

roy darling *my posts seem a lot shorter in my head

When it comes to SSL certs the main things that matter are...
1. SHA-2 algorithm
2. cert signed by a trusted company
3. company trusted to keep your cert secure and not give it to others.

The main differences between the free and paid certs are the company that issues them and the support they provide, as well as their trustworthiness.
The free certs from Let's Encrypt are valid for 90 days and there is a 5-cert-a-day limit (you can't request more than 5 certs a day). And from a security point they are the same as a paid cert.

Here is some background and research I did. Free certificates are much harder technically to generate if you don't have access to a shell (ssh) on your host. The fact that letsencrypt certificates expire in 90 days and need renewal maintenance is reason enough not to use them. Many hosts are now giving free certificates to existing plan holders. 1and1.com offered us one and we installed it with a few clicks on www.newpathnetwork.org. Adding .htaccess though was a different story! Read the blog for more details.



Alex Sirota, PMP - NewPath Consulting - Schedule some time with Alex
"At the moment of commitment, the universe conspires to assist you." -Johann Wolfgang von Goethe

Just found this useful tool for checking your SSL installation and various other potential things to look out for (for example SSL vulnerabilities at your host):

https://cryptoreport.rapidssl.com/checker/views/certCheck.jsp

Also don't let your SSL certificate expire. The result is not pretty - you will lose credibility in a big BIG way.



Alex Sirota, PMP - NewPath Consulting - Schedule some time with Alex
"At the moment of commitment, the universe conspires to assist you." -Johann Wolfgang von Goethe

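The checklist a few posts up (SHA-2 signature, signed by a trusted CA, an issuer you trust, 90-day lifetime) and the advice just above about checking the installation and never letting a certificate expire can both be scripted. The following is an added example, not code from the thread, from Let's Encrypt, or from any of the checker sites linked in this thread: standard-library Python that fetches a server's leaf certificate through a verifying TLS context (so a chain the system trust store does not accept fails right there, which is checklist point 2), then reports issuer, the names covered, days left and whether renewal is due. The 30-day renewal threshold is an assumption (it matches certbot's default renewal window); the sample certificate dict is constructed in the shape getpeercert() returns and is not a real certificate. Checklist point 1, the signature hash, is not in that dict; for it, take getpeercert(binary_form=True) and read the Signature Algorithm line of "openssl x509 -inform DER -noout -text".

```python
"""Check a server certificate against the thread's checklist: who signed it,
whether a real trust store accepts it, and how long before it expires.

Added example, not code from the thread, from Let's Encrypt or from any of the
checker sites linked above. Standard library only. RENEW_WITHIN_DAYS is an
assumption (it matches certbot's default); SAMPLE_CERT is constructed, not real.
"""
import socket
import ssl
import time

RENEW_WITHIN_DAYS = 30  # assumption: renew a 90-day cert once fewer than 30 days remain


def timestamp(cert_time):
    """Parse the 'Mon DD HH:MM:SS YYYY GMT' strings getpeercert() uses into epoch seconds."""
    return ssl.cert_time_to_seconds(cert_time)


def name_to_dict(rdns):
    """Flatten getpeercert()'s nested RDN tuples ((('commonName', 'x'),), ...) into a dict."""
    flat = {}
    for rdn in rdns:
        for key, value in rdn:
            flat[key] = value
    return flat


def assess_cert(cert, now=None):
    """Summarise a getpeercert()-style dict and decide whether renewal is due."""
    now = time.time() if now is None else now
    not_before = timestamp(cert["notBefore"])
    not_after = timestamp(cert["notAfter"])
    issuer = name_to_dict(cert["issuer"])
    subject = name_to_dict(cert["subject"])
    days_left = (not_after - now) / 86400
    return {
        "issuer": issuer.get("organizationName") or issuer.get("commonName"),
        "issuer_cn": issuer.get("commonName"),
        "subject_cn": subject.get("commonName"),
        "sans": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
        "lifetime_days": (not_after - not_before) / 86400,
        "days_left": days_left,
        "valid_now": not_before <= now <= not_after,
        "renew_now": days_left <= RENEW_WITHIN_DAYS,
    }


def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the leaf certificate from a live server.

    create_default_context() verifies the chain against the system trust store and
    checks the hostname, so an untrusted or mis-issued certificate raises
    ssl.SSLCertVerificationError here instead of coming back as a dict. (With
    verification switched off, getpeercert() would return an empty dict.)
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in the exact shape getpeercert() returns (not a real certificate):
# a 90-day Let's Encrypt-style cert issued 1 March 2024 and expiring 30 May 2024.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Let's Encrypt"),),
        (("commonName", "R3"),),
    ),
    "notBefore": "Mar  1 00:00:00 2024 GMT",
    "notAfter": "May 30 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "example.test"), ("DNS", "www.example.test")),
}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # python check_cert.py example.com
        report = assess_cert(fetch_cert(sys.argv[1]))
    else:  # offline: evaluate the sample as if today were 10 May 2024
        report = assess_cert(SAMPLE_CERT, now=timestamp("May 10 00:00:00 2024 GMT"))
    for key, value in report.items():
        print(f"{key:>14}: {value}")
```

Run it with a hostname to check a live site, or with no arguments for the offline sample, where 20 days remain on a 90-day certificate and renew_now comes back True. Put the live form in a daily cron job and alert on renew_now or on an SSLCertVerificationError, and the "expired certificate" surprise described above cannot happen quietly.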
I no longer use GoDaddy's SSL but this post was very useful. Via the link the missing second part of my SSL was generated.

The free certificates at Bluehost are Comodo, and are SHA256 which is SHA-2.  They auto renew every 3 months - that is the only difference.

I am using a free certificate on https://OSFP.org.pk and its rating is A+

https://casecurity.ssllabs.com/analyze.html?d=osfp.org.pk

and my paid certificate from godaddy.com has a rating of F

https://casecurity.ssllabs.com/analyze.html?d=owb.com.pk

Please suggest what to do?

@rd wrote:
If you are not paying for it, you're not the customer; you're the product being sold. - Andrew Lewis

It is nice to see someone tackling this. While that is a resource I would share in meetups (for those who are budget minded or just starting out) I would not dare advise that any of my clients utilize that service. I'm not just saying that because I sell SSL certificates. Okay, maybe I am partially saying that because I sell SSL certificates but still if something's free, it's worth exactly what you paid for it.

Please suggest what to do?