Community Founder Accomplished

SSL Certificates: Paid vs. Free

There are a couple of projects like letsencrypt.org (currently in public beta) advertising free SSL/TLS certificates for websites. Have you used a free SSL certificate on your website? Thoughts about the project? Are there any benefits to a paid SSL certificate over a free one?

26 REPLIES
Pro Community Founder Trusted Advisor

Re: SSL Certificates: Paid vs. Free

If you are not paying for it, you're not the customer; you're the product being sold. - Andrew Lewis

It is nice to see someone tackling this. While that is a resource I would share in meetups (for those who are budget minded or just starting out) I would not dare advise that any of my clients utilize that service. I'm not just saying that because I sell SSL certificates. Okay, maybe I am partially saying that because I sell SSL certificates but still if something’s free, it’s worth exactly what you paid for it.

roy darling *my posts seem a lot shorter in my head
...turns out that my two cents is worth less or more depending on the current exchange rate
Community Founder Accomplished

Re: SSL Certificates: Paid vs. Free

@rd : your comment pretty much summarizes why I'm leery of free certificates. On the other hand, much in the web dev world is free: WordPress, this community, Google searches, the programming languages we build on, the Linux OS, etc. There was also a great post here about pro bono work, and the benefits of occasionally offering free work.

 

So beyond the initial distrust (and the fact that Let's Encrypt is in public beta so things could still go wrong), is there a technical reason to avoid free SSL/TLS certs? Are they less reliable, harder to maintain, more risky?

Pro Community Founder Trusted Advisor

Re: SSL Certificates: Paid vs. Free

Yes, @valasaurus there are a lot of "free things" on the web. Many available free offerings are highly beneficial but being beneficial doesn't mean that you're not the product. Pro bono work is great and though I often offer my company's service free I will tell you for certain that we indeed receive a benefit from pro bono work. Keep in mind that not all benefits are monetary but make no mistake we do benefit. If you feel like taking a bit of time to read whatever was above the box you checked that said something like "I have read these terms" you will probably see that you are indeed the product.

Again please don't take me saying "I would not dare advise that any of my clients utilize that service." as condemnation of free internet offerings. I feel like the internet is a wonderful place and I am indeed a fan of and use tons of free and open source solutions. As mentioned in my initial post for those budget minded people that would be awesome. I don't even feel like free automatically means that the product is somehow inferior or less secure but that is not to say it is robust and comprehensive either. Though I may question the support of a lot of free offerings and ultimately the liability, I can think of people I know that would love letsencrypt.org

I can't begin to tell you how much money free CMS tools have made for me and my company. My only point was just like Facebook, Gmail, Instagram, letsencrypt.org, Hotmail, forum communities... you should see yourself as the product. As in life, when you understand what you are you can more clearly see the situation.

One other point when I see people with those business cards that are the "get 250 business cards free" I don't think "Wow, this is a reputable company!" I think "They aren't making an investment in their company. Is this the kind of person I want to deal with?" but full disclosure I also have a print business that designs and produces printed products.

roy darling *my posts seem a lot shorter in my head
...turns out that my two cents is worth less or more depending on the current exchange rate
Community Founder Accomplished

Re: SSL Certificates: Paid vs. Free

@rd - I totally understand a certain distrust of free things, and I understand your point that they make you the product. That's exactly why I've made this post - because again, beyond being wary of all free things, I'd like to know if there's a technical difference between the two.

 

While I'm replying directly to you, my comments are to foster a larger dialogue on the subject. If possible, I'm still keen to hear specifically from someone that's used letsencrypt or other free SSL services. 

 

Thanks for your input!

Pro Community Founder Trusted Advisor

Re: SSL Certificates: Paid vs. Free

I was really bad at looking at things without my geek hat on, I suspect that is a difficult thing for a lot of people? Back when I was working a corporate job and had some crazy title on my business card like software engineer customer use model manager or whatever it was, one of the best things I did was just shoulder surf. I would go to a location and take in the environment and customer training. What I discovered was that users did not see or use the system as I did. I remember going to one user's desk who had written her password on the border of her monitor screen in silver permanent marker (the monitor was black) and when I asked why she replied "They told me that I shouldn't write my password on a piece of paper because it wasn't secure." Good thing the monitor had a Kensington cable on it?

What I now know is that the casual (probably the typical) internet user does not care much about what SSL certificate is used OR if a website has one. I had one user ask me if I had changed the address bar on my website to green for Saint Patrick's Day, it has actually always been green but thanks for noticing? I've seen users who have gotten viruses because they mistyped one letter in the domain and went to a clone website. I've seen users enter their information (including credit card numbers) on websites without SSL encryption, I've seen users enter information on websites with mock SSL encryption and just about anything else you can imagine.

Looking at it with what I know, your SSL certificate ABSOLUTELY makes a difference and I would prefer the customer service and company liability of a paid service and advise my clients the same way. I even think that within the paid companies that offer SSL certificates there are superior offerings (though I won't mention names). From a user perspective I'm not so sure that it matters at all? Actually, on my company websites I have forced SSL security on all of the pages. What we found was that users often questioned the change from non secure to secure and thought "Hmmmmm, something is wrong with this website? What is this security thing?" rather than "Oh, now I have entered a secure area of the website." I'm more than sure that whatever advantages, disadvantages, security level of whatever SSL cert would most likely go unrecognized by a user @valasaurus and again free does not mean inferior in my view. A free SSL certificate is probably fine for 70% of whatever website you want to secure but free service is not premium service. I suppose it just depends on the type of service you would like. The bottom line is that you would have to most likely educate your client, they would come to you already educated or it wouldn't matter if their website was secured with a zip tie. 

I promise I'm not saying this to toot my own horn. About three years ago I went away from virtual independent contracted per job coders to full time employees and a building of my own. I'm paying all of the bills that come with a brick and mortar business like commercial garbage, insurance, benefits, taxes... I'm not a huge business but you know what I am now? I'm sueable, as in liable to be sued in a court. Because I (in particular my business) am sueable there is some stuff we have to do. We have a company who makes sure our walks are shoveled in winter, we make sure the cleaning company we use has the proper insurance, cleaning instruments, personnel... and most of all we make sure that the websites we design and maintain are as secure as we can make them.

I could not imagine I would take on the liability of managing a website that used a free SSL certificate. I'm not claiming that we build bulletproof websites but we do secure our websites to the best of our ability. I would not like to open my company up to the potential liability that comes with a free service and that includes some CMS solutions. Be aware also that I'm the same guy who won't put free email addresses on business cards. I honestly feel like it is a waste of my time and talents to produce a business card and throw a hotmail.com, gmail.com, yahoo.com... on it or more specifically that's not the kind of person/company I would want as my client.

Many of the coders I have met run as an LLC or Inc. and I advise those who are doing paid work as an individual to create a company because if you are accepting money you are sueable.

roy darling *my posts seem a lot shorter in my head
...turns out that my two cents is worth less or more depending on the current exchange rate
Pro Community Founder Accomplished
Solution

Re: SSL Certificates: Paid vs. Free

To answer the op's question: I have used both Let's Encrypt and StartSSL on my own (non-commercial) websites that don't collect personal information beyond a username and an email address. I believe these certificates provide just as much "security" as the highest-priced commercial SSL offering: they use the same encryption standards and protocols after all. For a site that isn't collecting any information at all I would definitely go with Let's Encrypt or StartSSL: I too believe all websites should be encrypted, but the price of the lock should fit what is being protected.

 

One benefit of using Let's Encrypt or StartSSL at least once? You get to see what really goes into creating an SSL certificate.

 

I also recognize the liability risks of collecting personal information from web visitors and site members and would not use a certificate without some liability protection on a site that collects more than the 2 pieces of information listed above. Just as I operate my web development work as an LLC (as recommended by roy darling), I protect my business assets and those of my clients from unnecessary risk. It isn't the protection, it's the insurance.

Geeks rule!
Community Founder Accomplished

Re: SSL Certificates: Paid vs. Free

Thanks, @SiteGeek! I also noticed recently that WordPress.com has made all of its sites HTTPS by partnering with Let's Encrypt (source). I trust WordPress, so having them back Let's Encrypt gives it a bit more credibility imo.

 

Thanks again for your insight!

mark8877
Novice

Re: SSL Certificates: Paid vs. Free

Wordpress.org uses Let's Encrypt for all its hosted WordPress sites and Facebook is a promoter, sponsor and user of it too. I doubt it would be crappy if these firms use Let's Encrypt.

It's obvious that the SSL gravy train is ending and GoDaddy is trying as hard as possible to milk it. Look at all the hosting firms that support Let's Encrypt:

https://github.com/certbot/certbot/wiki/Web-Hosting-Supporting-LE

GoDaddy is now one of the most expensive hosting firms and never comes in the top 5 hosting firms for speed. They have let their guard down...

Re: SSL Certificates: Paid vs. Free

@rd... I selected you for correspondence because of all those amazing kudos that I found when logged into Plesk Desk support. And then I found you wrote related posts to something driving me crazy.

 

the Devil in Daddy...

 

Summary: I found two sources for creating SSL code. One was on a site called Getacert.com and the other Digicert.com

 

Digicert allows you to download a tool to create a CSR.... and Getacert goes a step further and lets you divide that up in four segments for download. These are: Private Key, CSR, Public Key and then the whole ball of wax converted into a single .p12 file

 

I don't need an SSL on my site, but I want one because it improves Google search. (Did you know that? I'm sure you did because you sell SSL service!) So after buying my yearly hosting, I asked tech support if I can buy a cert... or... install my own. They said yes to both. But when they offered to do this FOR me for $65 a year, I was annoyed. That's almost as much as I paid for my entire hosting.

 

In the current world.. when you know the proper sources and apply your own research.. most of this is FREE. And you probably know or use the same tools I found, for that matter. ::grin::

 

Mind you, if Devil Daddy (or someone) else charged me a one time fee of $10 to convert this silly text file so that GoDaddy could read it... or even charged 'said reasonable price' once a year, I would NOT be whining. I would just do it and be done.

 

My next phase was to spend hours on the web learning and researching. And then I learned about the can of worms that has ensued because NO ONE follows a uniform file format.

 

See here: https://www.sslshopper.com/ssl-converter.html

 

Back I went to the self-insertion area in the PLESK menus.

 

And though I have a perfectly fine Private key... Devil Daddy is having none of it.

 

 

Furthermore, they do NOT hint to the required file format for upload after the rejection. And no matter how many formats I have tried after that, my file will NOT be accepted.

 

So I called GoDaddy and no one is willing to tell me what that format is supposed to be.. which is wrong on the part of GoDaddy, as they document EVERY SINGLE ASPECT of their service as a rule.

 

Can you assist on this matter? 

Pro Community Founder Trusted Advisor

Re: SSL Certificates: Paid vs. Free

@MiniBoxGenius I have great news for you and I read something on your post that I disagree with.

 

The good news is your issue is easy to fix. All you need is a good SSL certificate. If you read my views in this thread you would know that I don't call those free solutions good. Not that they aren't good, I just don't feel like they are good for you.

 

I disagree with you when you say "I don't need an SSL on my site" and you disagree with yourself in the same sentence when you say "I want one because it improves Google search." Everyone needs an SSL certificate and 18 cents a day is a great price for security.

 

I'm sure that there is some roundabout method that you could Frankenstein together but that's probably not worth it in the long run? How much is your time worth? Buy an SSL certificate from a reliable company and rest easy. In my mind no reliable hosting company is going to instruct you on how to get a free SSL to work with their hosting?

 

I don't know what "the Devil in Daddy" is but GoDaddy has ALWAYS been good to me, I wouldn't recommend them if I didn't both use and trust their services. If you don't trust GoDaddy my suggestion is that you don't use their services regardless of how good I feel GoDaddy is. My opinions are my own and though I make money from GoDaddy products and services the money doesn't buy my positive review. Is GoDaddy a corporate juggernaut that seeks to crush the competition at all costs? Of course but the shareholders I'm sure wouldn't have it any other way? Me included. Best of luck with your internetting! 

roy darling *my posts seem a lot shorter in my head
...turns out that my two cents is worth less or more depending on the current exchange rate
indig0F10w
Novice

Re: SSL Certificates: Paid vs. Free


rd wrote:

@MiniBoxGenius I have great news for you and I read something on your post that I disagree with.

 

The good news is your issue is easy to fix. All you need is a good SSL certificate...



@rd

What is a good certificate and who is issuing them? If I buy GoDaddy hosting and get a free certificate will I be able to use it or will GoDaddy consider it bad?

Pro Community Founder Trusted Advisor

Re: SSL Certificates: Paid vs. Free

I love and use the GoDaddy offered SSL Certificates. If you get a free one and want to use it I say go ahead, you can feel comfortable doing so @indig0F10w. The "free" certificates I was referring to are the ones offered by third party companies not associated with your hosting provider. GoDaddy is concerned about the security of your website (that is one of the reasons they offer you a free SSL Certificate) please take advantage of the offering.

roy darling *my posts seem a lot shorter in my head
...turns out that my two cents is worth less or more depending on the current exchange rate
oslinux
Mentor

Re: SSL Certificates: Paid vs. Free

When it comes to SSL certs the main thing that matters is...

1. SHA-2 algorithm
2. cert signed by a trusted company
3. company trusted to keep your cert secure and not given to others.

The main difference between the free and paid certs is the company that issues them and the support they provide as well as their trustworthiness.
The free certs from Letsencrypt are valid for 90 days and have a 5 cert a day limit (you can't request more than 5 certs a day). And from a security point they are the same as a paid cert.
Pro Community Founder Artisan

Re: SSL Certificates: Paid vs. Free

Here is some background and research I did. Free certificates are much harder technically to generate if you don't have access to a shell (ssh) on your host. The fact that letsencrypt certificates expire in 90 days and need renewal maintenance is reason enough not to use them. Many hosts are now giving free certificates to existing plan holders. 1and1.com offered us one and we installed it with a few clicks on www.newpathnetwork.org. Adding .htaccess though was a different story! Read the blog for more details.



Alex Sirota, PMP - NewPath Consulting - Schedule some time with Alex
"At the moment of commitment, the universe conspires to assist you." -Johann Wolfgang von Goethe
Pro Community Founder Artisan

Re: SSL Certificates: Paid vs. Free

Just found this useful tool for checking your SSL installation and various other potential things to look out for (for example SSL vulnerabilities at your host):

 

https://cryptoreport.rapidssl.com/checker/views/certCheck.jsp

 

Also don't let your SSL certificate expire. The result is not pretty - you will lose credibility in a big BIG way.



Alex Sirota, PMP - NewPath Consulting - Schedule some time with Alex
"At the moment of commitment, the universe conspires to assist you." -Johann Wolfgang von Goethe
PachiGalia
Novice

Re: SSL Certificates: Paid vs. Free


Despite all the comments and views I was under the understanding that the "Trusted Issuer" was some dealing with Microsoft, and other web browser developers, where they "trust" certain certificate issuers so that the green padlock appears automatically when you reach a given secured website.

When you install any free certificate you have to manually add it to your trusted issuers list, etc. and in some cases even that won't work. We cannot ask website visitors to trust our website (meaning "take our word for it, we are good people") if the padlock is red and that is not just a GoDaddy thing.

 

Pro Community Founder Artisan

Re: SSL Certificates: Paid vs. Free

Certificates are generated by certificate authorities. Companies like Symantec create certificates. Companies like RapidSSL resell certificates generated by certificate authorities.

 

The idea of having to add a "trusted authority" to a web browser is new to me. We used a free certificate from 1and1.com and installed it on www.newpathnetwork.org -- the padlock is green without any changes to the web browser.

 

Free certificates from LetsEncrypt have to be renewed every 90 days but many hosts do this automatically for you.

 

One thing you DO want to watch out for is expiration dates on certificates. If an SSL certificate expires your website will throw huge errors for Chrome and other browsers. MAKE SURE YOU NEVER LET SSL EXPIRE, it's not pretty.



Alex Sirota, PMP - NewPath Consulting - Schedule some time with Alex
"At the moment of commitment, the universe conspires to assist you." -Johann Wolfgang von Goethe
BabarZahoor
Novice

Re: SSL Certificates: Paid vs. Free

I am using a free certificate on https://OSFP.org.pk and its rating is A+

 

https://casecurity.ssllabs.com/analyze.html?d=osfp.org.pk

 

and my paid certificate from godaddy.com has rating F 

 

 

https://casecurity.ssllabs.com/analyze.html?d=owb.com.pk

 

Please suggest what to do?

 

 


rd wrote:
If you are not paying for it, you're not the customer; you're the product being sold. - Andrew Lewis

It is nice to see someone tackling this. While that is a resource I would share in meetups (for those who are budget minded or just starting out) I would not dare advise that any of my clients utilize that service. I'm not just saying that because I sell SSL certificates. Okay, maybe I am partially saying that because I sell SSL certificates but still if something’s free, it’s worth exactly what you paid for it.




 

Please suggest what to do?

 

Pro Community Founder Trusted Advisor

Re: SSL Certificates: Paid vs. Free

Hey @BabarZahoor, yours is a big question. Perhaps you want to start a new thread to get that discussion going. I don't know much about the website you had check your SSL certificate but it rates itself a C... https://casecurity.ssllabs.com/analyze.html?d=casecurity.org Not sure how much trust I'd put into that analysis?

roy darling *my posts seem a lot shorter in my head
...turns out that my two cents is worth less or more depending on the current exchange rate

Re: SSL Certificates: Paid vs. Free

Well I have about 30 clients that I put on Godaddy, and it will cost each one $69 per year.

Then I have 2 clients on Siteground who get free Let's Encrypt SSL certificates.

Then I have one client on 1&1 who gets a free SSL certificate also.

So the difference seems to be 30 x 69 = $2,000

Can you see any reason to stay with Godaddy when it costs me or my clients $2,000 a year?

Pro Community Founder Trusted Advisor

Re: SSL Certificates: Paid vs. Free

There is a lot to unpack here @ficcionesmedia and I'm probably in the minority on my feeling of free SSL certificates. What I would say is that you as the expert determines what is best for you and your clients. I know why I would choose GoDaddy for my clients over other hosts, I also have reasons I would choose other hosts over GoDaddy.

 

From the sole view of SSL certificates it is my view that time also has to be a factor in my choice. In my experience you have to be a bit of a MacGyver for some of the free solutions. I tend to expend more time with configuration, monitoring... with free solutions. The money my customer "saves" quickly goes to deficit as I (or someone else) spends time configuring a free SSL certificate. The GoDaddy SSL certificate and some other paid SSL certificates are really easy to configure (some processes more than others) and I find that having SSLs and hosting on the same host is usually the best method regardless of who you choose.

 

I'm not saying that there aren't robust free solutions for SSLs. While certainly the cost savings associated with free SSL are tempting, they aren't always good value. Please understand the differences between cost and value. As a professional your job is to deliver the best value to your customers and that doesn't always come at the cheapest price. Happy selling!

roy darling *my posts seem a lot shorter in my head
...turns out that my two cents is worth less or more depending on the current exchange rate

Re: SSL Certificates: Paid vs. Free

Thank you for taking the time to reply.

The free Let's Encrypt certificate offered by Siteground is a 1-click installation, so all your comments about time wasted vs. money spent, while true, don't really apply here. I agree that the manual installation would not be worth my time.

Also, I should mention, the websites I manage that really do need SSL (I mean e-commerce sites essentially, and those that accept sensitive information) already have (paid) SSL certificates.

So the reason I am going to install SSL on 30+ sites that really *don't* need it is purely for the Google green "secure" icon.

With that sole purpose in mind, it's hard to justify spending money when a free alternative exists. Maybe more important, I have found Siteground to be very good in other ways, even rivaling the superb customer service that Godaddy gives me.

 

Pro Community Founder Trusted Advisor

Re: SSL Certificates: Paid vs. Free


@ficcionesmedia wrote:

Thank you for taking the time to reply.

The free Let's Encrypt certificate offered by Siteground is a 1-click installation, so all your comments about time wasted vs. money spent, while true, don't really apply here. I agree that the manual installation would not be worth my time.

Also, I should mention, the websites I manage that really do need SSL (I mean e-commerce sites essentially, and those that accept sensitive information) already have (paid) SSL certificates.

So the reason I am going to install SSL on 30+ sites that really *don't* need it is purely for the Google green "secure" icon.

With that sole purpose in mind, it's hard to justify spending money when a free alternative exists. Maybe more important, I have found Siteground to be very good in other ways, even rivaling the superb customer service that Godaddy gives me.

 


Those informational websites seem like a great fit for free SSL certificates. Seems like you have done the work and found the proper value for your customers. Great proof that the answer isn't to just throw money at an issue. I have never used Siteground for any of my customers but good to know. Thanks!

roy darling *my posts seem a lot shorter in my head
...turns out that my two cents is worth less or more depending on the current exchange rate
Pro Community Founder Artisan

Re: SSL Certificates: Paid vs. Free

Here's a good reason to check your SSL/TLS certificate for the cryptographic function it is using.

 

If it is SHA1 you're in trouble, because SHA1 was just proven that you can generate a hash collision, by Google and partners. Most CAs do not use SHA1 anymore but they used to.

 

Let's Encrypt uses SHA2 which includes the recommended SHA256 hash function. The recommendation from here is that SHA3 or SHA256 be used. Maybe a good reason why Let's Encrypt certs expire in 90 days, so they will need to be updated.

 

 



Alex Sirota, PMP - NewPath Consulting - Schedule some time with Alex
"At the moment of commitment, the universe conspires to assist you." -Johann Wolfgang von Goethe
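The two checks raised in this thread, the hash used in the certificate's signature (SHA-1 vs. SHA-2) and the expiry date, can both be read straight from the certificate. The following is an added example, not code from any poster in the thread: it parses the DER structure with the Python standard library only. The sample certificates are constructed, unsigned skeletons, and the 30-day `renew_days` threshold is an assumption.

```python
import datetime as dt

# Signature-algorithm OIDs -> (name, True if the hash has known collisions)
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", False),
}
SHA1_RSA = bytes.fromhex("2a864886f70d010105")    # DER body of the sha1WithRSA OID
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # DER body of the sha256WithRSA OID

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def children(buf, start, end):
    """List the (tag, value_start, value_end) triples inside buf[start:end]."""
    out = []
    while start < end:
        out.append(read_tlv(buf, start))
        start = out[-1][2]
    return out

def decode_oid(body):
    """Decode a DER OBJECT IDENTIFIER body to dotted notation."""
    first = min(body[0] // 40, 2)
    arcs, val = [first, body[0] - 40 * first], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)    # base-128, high bit means "more bytes follow"
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def decode_time(tag, body):
    text = body.decode("ascii")
    if tag == 0x17:                      # UTCTime: two-digit year, RFC 5280 pivot at 50
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)

def inspect_cert(der, now, renew_days=30):
    """Report signature algorithm, days until notAfter and a suggested action.
    `now` must be a timezone-aware datetime."""
    _, start, end = read_tlv(der, 0)                    # Certificate SEQUENCE
    tbs, sig_alg, _sig = children(der, start, end)
    fields = children(der, tbs[1], tbs[2])
    if fields[0][0] == 0xA0:                            # optional [0] version
        fields = fields[1:]
    # remaining order: serial, signature, issuer, validity, subject, ...
    _, not_after_el = children(der, fields[3][1], fields[3][2])
    not_after = decode_time(not_after_el[0], der[not_after_el[1]:not_after_el[2]])
    oid_el = children(der, sig_alg[1], sig_alg[2])[0]
    oid = decode_oid(der[oid_el[1]:oid_el[2]])
    name, weak = SIG_ALGS.get(oid, (oid, False))
    days_left = (not_after - now).days
    action = ("expired" if not_after <= now else "reissue" if weak
              else "renew" if days_left < renew_days else "ok")
    return {"sig_alg": name, "weak_hash": weak, "days_left": days_left, "action": action}

def tlv(tag, body):
    """Minimal DER encoder, used only to build the constructed samples."""
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_cert(sig_oid, not_before, not_after):
    """Constructed, unsigned certificate skeleton; sample input only."""
    alg = tlv(0x30, tlv(0x06, sig_oid) + tlv(0x05, b""))
    name = tlv(0x30, b"")                               # empty issuer/subject
    validity = tlv(0x30, tlv(0x17, not_before) + tlv(0x17, not_after))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
              + alg + name + validity + name + tlv(0x30, b""))
    return tlv(0x30, tbs + alg + tlv(0x03, bytes(257)))  # dummy signature bits
```

For a real certificate, pass `ssl.PEM_cert_to_DER_cert(pem_text)` as `der` and `datetime.now(timezone.utc)` as `now`. On the constructed 90-day sample (`b"170101000000Z"` to `b"170401000000Z"`, SHA-256) checked on 10 March 2017, the result is `renew` with 22 days left.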
PraveenS
Novice

Auto Renew Let's Encrypt SSL Certificate using Cron Job

How to set up Cron Job for Auto Renewing Let's Encrypt SSL Certificate using Cron Job?

 

I use GoDaddy shared hosting and Let's Encrypt SSL Certificate for my website. Please help me setup something which can auto renew the Let's Encrypt SSL Certificate before expiring. Any suggestion/help will be deeply appreciated.

 

TIA

Praveen

tripleaa
Novice

Re: SSL Certificates: Paid vs. Free

I no longer use GoDaddy's SSL but this post was very useful. Via the link the missing second part of my SSL was generated.