What's the advantage of a Paid SSL vs Free SSL?

bigredseo

HD Community Advisor
Staff member
This topic is spun from a few postings on this thread - https://www.hostingdiscussion.com/p...-not-secure-warning-starting-july-2018-a.html


Aside from the liability aspect (in that a paid SSL is like an insurance up to $10,000 or more depending on your certificate), and aside from Extended Validation and Organization Validation instead of just Domain Validation, what other protection does a paid certificate offer?

I'm looking for specific things that a paid certificate can do versus a free one, and cite your source to back it up.
 
Some paid SSLs involve a vetting process in which they actually look into the person they're selling the SSL to. Free SSLs would completely background checks.

Not that consumers would generally know the difference though.
 
Paid SSL used to provide the higher level of security. They have solid technique which encrypts your data on the website, as well as providing the green bar in the web browser.

Free SSL just used to provide the free certificate for the lifetime.
 
WRONG, only an EV SSL cert will give you the green bar, while a DV and OV SSL cert will give the padlock.

Free SSL certs are basic DV SSL certs which are fine for personal blogs etc, but a Paid SSL gives more assurance and should be used for commercial websites
 
1) The validity of Free SSL Certificate is varying from 30-90 days whereas Paid Certificate is valid for 1-2 years.

2) As compared with Paid SSL Certificate, there is no support, long time validity and warranty available with Free SSL Certificate.

3) Free SSL Certificate is the best option for blogs, personal websites etc. on the contrary, Paid Certificate should be installed on the heavy traffic e-commerce websites.

4) WildCard SSL is not yet available with the Free SSL Certificate providers. It's still being implemented.
 
@webconfigure - please clarify "better security" since everyone uses a 2048 key.

@easyhostmedia - the part that trips me up is "give more assurance", mainly due to what a customer sees when they visit a site. It would be rare (very rare) for a user to view the type of certificate purchased, usually, they just check for a lock.

@24x7server -
1) as a user, do users care how long an SSL is valid (much like do they care if you buy 1 year domain or 10 years)?
2) For SSL support - has anyone, in their lifetime, contacted GeoTrust or Comodo for support (other than an installation which a host should take care of)?
3) Why? :) Why not use a free one on an e-commerce site?
 
@easyhostmedia - the part that trips me up is "give more assurance", mainly due to what a customer sees when they visit a site. It would be rare (very rare) for a user to view the type of certificate purchased, usually, they just check for a lock.

Hi Conor
You are right, someone viewing your website would not check and would just look for the padlock, and could not care as long as the padlock is displayed.

But each SSL Cert has different levels of assurance, Free SSL are fine if you have a personal website or blog, but for any commercial website you need a paid SSL.

To a website visitor, they won't care and don't care as long as the site shows the padlock, but with free SSL they could be purchasing from fake/scam sites as no checks are done before SSLs are issued, but with a paid SSL the site owners have to give details to the CA.

It used to be a case of 'If you don't see a green bar or padlock then don't buy from that website' but with the free SSL these fraudsters can get one for the fake sites.
 
It used to be a case of 'If you don't see a green bar or padlock then don't buy from that website' but with the free SSL these fraudsters can get one for the fake sites.

We were big believers in the Green Bar when we ran our eCommerce sites, and still recommend users to purchase them for that extra level of "implied" security that a user gets when they see the EV Green Bar.

But it's still only implied security. You could change the URL bar with CSS if you wanted :)

but for any commercial website you need a paid SSL

But why? :)

It used to be that CA was built into browsers etc, so that's why you bought from the big guys (verisign, comodo, geotrust etc), but with LetsEncrypt, that's built in now too, so there's no compatibility problem or trust issue as a result.

So why pay? The Insurance (10k, 100k Warranty etc) is only paid out if the encryption is broken (which it never has been). It doesn't cover for fake transactions etc.

So why is a Paid one NEEDED versus a free one?


===============================
And to clarify for everyone, I'm not picking apart anyone selling an SSL, I used to sell them when I ran hosting and we made a pretty penny doing so. I'm really wondering how (in the past 5 years that I've been out of hosting) has the SSL world changed with the free SSLs on the market and why users should not use them for commercial sites.
 
https://medium.com/ssl-dragon/free-vs-paid-ssl-certificates-2b0e8728bba1

Drawbacks of installing a Free SSL Certificate
Just like free web hosting services, free SSL certificates also come with certain limitations and risks:

Domain Validation only — since these certificates come with no cost and are issued within a few minutes, they are limited to one single validation option — Domain Validation. This may be perfect for a small website or blog, but it’s not the best option for larger websites which are collecting personal information about their users.

Unsuitable for e-commerce — free certificates are not recommended for securing credit card and personal information on e-commerce websites. To make customers trust your business, you need a certification of your authenticity, which is provided only by paid Business Validation or Extended Validation SSL Certificates.

May hurt your customers’ trust — as a consequence of the above, your customers may not trust you simply because you aren’t willing to invest in an SSL Certificate issued by a reputable Certificate Authority. This lack of trust may significantly affect your reputation, especially in case of questionable CAs.

Limited lifetime — free certificates are issued for a limited period of time, usually 90 days. On the other hand, paid SSL Certificates are offered for 1 or 2 years, so you don’t have to get them reissued and installed so frequently.

Tardy customer support — free SSL issuers usually provide limited customer service, so issues aren’t resolved in a timely manner.

Benefits of choosing a Paid SSL Certificate:
There are many reasons why you should opt for a premium SSL Certificate. However, the most important benefits are:

Recognition — a certificate issued by a reputable Certificate Authority makes a website seem more reliable to any customer. With paid certificates, clients have the right to report any issue to the CA, which is obliged to immediately investigate them. As a result, clients feel safer having their backs ensured by trusted CAs.

Different options — paid SSL Certificates are issued in all three validation options — Domain, Business, and Extended Validation. There are also different certificate types based on the complexity of the website, One-Domain, Wildcard, and Multi-Domain SSL Certificates, along with Code Signing SSL Certificates for securing downloadable software and digital goods.

Extended lifetime — currently, paid certificates are issued for one or two years. This means that your business will run smoothly and your website will stay secured for a long time without you worrying about the renewal of your certificate.

Server compatibility — premium certificates can be used on any hosting services as well as self-managed or dedicated servers, making the setting up process free of any limits.

Liability protection — when purchasing an SSL certificate, you typically get a warranty which is an insurance that covers any damage incurred as a result of a hack or data breach caused by a flaw in the certificate. The warranty amounts range from $5,000 to $1,500,000 which means that the higher value — the more extensive the warranty is.
 
The biggest thing I see in all of this is perceived value to the client. I've never had anyone question whether an SSL is certified and signed. Once they see the lock icon, they generally don't care. Personally, I still recommend a paid certificate for eCommerce sites.
 
Yes, consumers don't care as long as they see the padlock, and as it's drummed in to only trust sites with a padlock, fraudsters are using the free SSL to deceive consumers into thinking they are purchasing from a genuine and trusted site
 
Nice site. They go into a lot of details throughout their site, but there's still the nagging question;

Unsuitable for e-commerce — free certificates are not recommended for securing credit card and personal information on e-commerce websites.

Why? :)

They talk about trust of the visitor, but at that point aren't they talking about the badge someone might put on their site (this site uses Comodo SSL)? They're not really talking about the security of the certificate at that point, they're talking about the brand name of the SSL.

As far as the limited terms and re-issuing every 90 days - most places have this automated, so it's not really a big deal.
 
Free SSL do not provide the SSL badge and assurance details, but like the free AV they are basic and limited and not recommended for commercial websites
 
So I agree about the badge, although I'll still argue that it's more about the promotion of the SSL Provider than it is anything to do with security.

"free AV are basic and limited" I guess is my real digging point. I can't find anything that says they're limited or untrusted in any specific way.

So avoiding the following, SSLs (free or paid) use the same security/encryption;
  • SSL Badge from SSL Provider
  • Extended Validation (EV SSL - Green Bar)
  • Guarantee Insurance ($10k-$1.5M)
  • Registration Length (1-2 years)
  • Installation Support (web hosts provide this too)
  • Wildcard SSL Ability

So did I miss anything?
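
The list above can be checked on a certificate itself. This is an added example, not part of the original post: it assumes the Python `cryptography` package and reads the validation level from the CA/Browser Forum policy OIDs, next to key size, signature hash and lifetime. The two self-signed certificates, the name `shop.example` and the helper names are constructed for the demonstration.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# CA/Browser Forum policy OIDs recording how the subject was validated.
LEVELS = {"2.23.140.1.2.1": "DV", "2.23.140.1.2.2": "OV", "2.23.140.1.1": "EV"}

def _when(cert, attr):
    # Newer cryptography releases expose *_utc; older ones only the naive attribute.
    return getattr(cert, attr + "_utc", None) or getattr(cert, attr)

def describe(cert):
    """Validation level, key size, signature hash and lifetime of one certificate."""
    level = "unknown"
    try:
        ext = cert.extensions.get_extension_for_class(x509.CertificatePolicies)
        for info in ext.value:
            level = LEVELS.get(info.policy_identifier.dotted_string, level)
    except x509.ExtensionNotFound:
        pass
    lifetime = _when(cert, "not_valid_after") - _when(cert, "not_valid_before")
    return {"level": level, "key_bits": cert.public_key().key_size,
            "sig_hash": cert.signature_hash_algorithm.name, "days": lifetime.days}

def make_sample(policy_oid, days):
    """Constructed self-signed RSA-2048 sample; stands in for a CA-issued certificate."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "shop.example")])
    start = datetime.datetime(2018, 7, 1)
    policy = x509.PolicyInformation(x509.ObjectIdentifier(policy_oid), None)
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(start)
            .not_valid_after(start + datetime.timedelta(days=days))
            .add_extension(x509.CertificatePolicies([policy]), critical=False)
            .sign(key, hashes.SHA256()))

def compare():
    """Describe a free-style DV (90 days) and a paid-style EV (365 days) sample."""
    return (describe(make_sample("2.23.140.1.2.1", 90)),
            describe(make_sample("2.23.140.1.1", 365)))

if __name__ == "__main__":
    for row in compare():
        print(row)
```

To inspect a real site's certificate, pass its PEM bytes through `x509.load_pem_x509_certificate` and hand the result to `describe`.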
 
No validity checks with free SSL certs

Free SSLs give a way for fraudsters to deceive consumers as fraudsters won't pay for an SSL
 
1. A free SSL certificate has a 90-day expiration, so you will need to reinstall it after the 90 days, while a paid SSL certificate has the expiration time as per the plan. You don't have to renew them every 90 or 60 days.

2. If you have an e-commerce site then go with the paid SSL, as payment gateways need a valid SSL for proper working.

3. If you have a personal site or small blog then free SSL is fine.
 
2. If you have an e-commerce site then go with the paid SSL, as payment gateways need a valid SSL for proper working.

3. If you have a personal site or small blog then free SSL is fine.

Explain your reasoning, and provide links to back up your thoughts.
 
