What is the difference between free SSL certificates and paid SSL certificates?

We have all been captivated lately by the magic of the green padlock in the browser bar. Google promotes it, and web browsers increasingly warn us when a connection is unencrypted.


An SSL certificate can be bought, but it can also be obtained for free. Is a free certificate worth as much as a “paid” one? That is what this post is about.

Differences between paid and free SSL certificates

As SSL certificates became more and more popular, and the condition for the green padlock was that the certificate be issued by a trusted certification authority, it was only a matter of time before independent authorities started issuing SSL certificates for free.

The first large-scale authority to issue SSL certificates for free was a public organization called Let’s Encrypt, created by the Internet Security Research Group and supported by such well-known entities as the Mozilla Foundation, Cisco Systems and Akamai Technologies. Other companies offering free SSL certificates include Comodo, Cloudflare, Startcom and WoSign. Some of the companies offering free certificates have so far issued certificates for a fee and are now changing their approach by issuing them free of charge. It also happens that a company sells certificates and gives away their counterparts for free at the same time.

We compared two popular certificates: the free Let’s Encrypt and the commercial RapidSSL.

| Paid certificates (on the example of RapidSSL) | Free certificates (on the example of Let’s Encrypt) |
|---|---|
| Issued for a year (or many years) | Issued for 3 months |
| Auto-renewal: no | Auto-renewal: yes |
| Certificate of type DV (domain validation) | Certificate of type DV (domain validation) |
| Recognition in browsers: 99+% | Recognition in browsers: 99+% |
| Symmetric key size: 256-bit | Symmetric key size: 256-bit |
| Warranty: $10,000 | Warranty: none |
| If the SSL certificate cipher is broken, the issuing organization is required to pay compensation | If the SSL certificate cipher is broken, the issuing organization is required to pay compensation |
| Price: $59 | Price: Free |
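The 3-month lifetime in the table only works because renewal is automated, and an automated setup needs a check that tells it when a certificate is about to run out. The script below is an added example, not code from the original post or from any certificate authority: it assumes the openssl command-line tool is installed, uses throwaway self-signed certificates constructed on the spot (a 90-day one standing in for the 3-month lifetime), and treats “fewer than 30 days left” as the renewal trigger, which is a common convention rather than a figure from the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the openssl CLI is
# installed. The 30-day renewal threshold is a common convention, not a figure
# from the post; the certificates are throwaway self-signed ones constructed
# here (the 90-day one mimics the 3-month lifetime from the table).
RENEW_DAYS=30
WORKDIR=$(mktemp -d)

# Create a self-signed test certificate valid for $1 days; print its path.
make_test_cert() {
    out="$WORKDIR/cert-$1.pem"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORKDIR/key-$1.pem" \
        -out "$out" -days "$1" -subj "/CN=example.invalid" >/dev/null 2>&1
    echo "$out"
}

# Print the number of whole days until the certificate's notAfter date.
days_remaining() {
    # openssl prints e.g. "notAfter=Jun  1 12:00:00 2025 GMT"
    end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    # GNU date understands the string directly; BSD date needs -j -f.
    end_s=$(date -u -d "$end" +%s 2>/dev/null) ||
        end_s=$(date -u -j -f "%b %e %H:%M:%S %Y %Z" "$end" +%s)
    echo $(( (end_s - $(date -u +%s)) / 86400 ))
}

# Exit 0 when renewal is due, i.e. the certificate will no longer be valid
# RENEW_DAYS from now. Note that -checkend itself exits 0 while the
# certificate is still valid at that point, so the result is inverted.
renewal_due() {
    if openssl x509 -in "$1" -noout -checkend $((RENEW_DAYS * 86400)) >/dev/null
    then return 1; else return 0; fi
}

# Stand-alone usage: compare the two lifetimes from the table.
for days in 365 90; do
    cert=$(make_test_cert "$days")
    printf '%s-day certificate: %s days left, renewal due: ' "$days" "$(days_remaining "$cert")"
    if renewal_due "$cert"; then echo yes; else echo no; fi
done
```

Run it as a cron job against the real certificate file and trigger your renewal client whenever renewal_due succeeds.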

Based on this table, it can be concluded that essentially the only significant difference between paid and free certificates is the “guarantee”. The warranty sounds good and immediately inspires confidence. However, you should read what exactly the warranty covers.

Guarantee – the only real difference between free and paid certificates

The guarantee is advertised very attractively in the promotional materials for certificates. The details, however, are not so easy to find: you usually have to read the terms and conditions, or rather an annex to them, something like the Relying Party Warranty.

Officially, for marketing purposes: paid certificates offer a guarantee covering all or part of the cost of the consequences of the cipher being broken and confidential data leaking.

So much for the theory. What does it mean in practice? It means that the certificate’s cipher must actually be broken. The same type of key is used in the free certificate and in DV, OV and EV certificates alike, and by every company that issues certificates. Breaking the cipher would basically make all certificates worthless. But then I would get compensation? For example, the $10,000 I want? Well, nothing of the sort…

Exclusions and limitations in the provisions of “guarantees”

To find out that the compensation is far from certain, you need to read the terms. Below are a few sentences of analysis of the terms of a well-known company, Comodo, based on its Relying Party Warranty: https://www.comodo.com/repository/docs/SSL_relying_party_warranty.php
Of course, this is only an example, because each certificate supplier has similar provisions in its terms.

The $10,000 in the terms is… limited to $1,000 per incident, and still only “up to the amount of the losses”. So even if the cipher were broken by some miracle, we could recover at most $1,000 under the guarantee, provided that we prove that we actually lost that much in this one incident. The problem, then, is HOW to prove that we lost something and exactly how much it was worth. How much is it worth that someone eavesdropped on your session with the bank? And even if you do suffer specific financial losses, the payout is limited to the actual amount of the losses… but no more than $1,000. As the saying goes: nothing to get excited about.

Of course, apart from the limits on the amount, there are other restrictions too, e.g. no compensation is due if the client is involved in any fraudulent activity (it is not specified whether knowingly or not). So a value such as $10,000 is the maximum amount of compensation, but for most DV certificates what is paid is the “real loss” suffered by the user, still limited to a single transaction, which cannot exceed $1,000! So you have suffered a loss of, say, $10,000, and you will get at most $1,000 anyway, provided that you can prove that you were not at fault.

It is also worth reading the “exclusions”, that is, section 5 of the above-mentioned terms. It contains entries such as:

This Warranty does not apply to losses or damages of a Covered Person, caused wholly or partially by:
[…]

5. acts by any unauthorized individuals which impairs, damages, or misuses the services of any Internet Service Provider or telecommunications, cable, or satellite carrier, other common carrier or value-added services, including but not limited to, denials of service attacks and the use of malicious software such as computer viruses;
or:
7. failure of any services or equipment not under the exclusive control or ownership of Comodo or its partners, affiliates, and agents; or

So… theoretically there is a guarantee, but in practice you have to go to court if the cipher is broken, and you can get back what you lost in a single incident, but no more than $1,000…

So is it worth using paid SSL certificates?

This summary will be extremely subjective. Technically, paid and free DV (domain validated) certificates are basically the same. It is probably not worth relying on the guarantee: first of all, the cipher will not be broken in real time, and even if it were, a court battle over $1,000 is not worth your time.

As there are no free wildcard or extended validation (EV) certificates, you may want to consider buying a paid certificate for those cases. It is true that a wildcard certificate such as *.client-domain.eu can easily be replaced with any number of free certificates for individual subdomains. An EV certificate, however, shows next to the green padlock the name of the institution to which the certificate was issued. But is everyone a bank?

More and more hosting providers, including our company, www.smarthost.eu, offer any number of free SSL certificates for the domains that the client adds in the hosting panel. In this case, a free certificate will suffice for most applications.

Tomasz
