Most websites these days use an SSL certificate. If you open a secure website, the traffic exchanged between your web browser and that site will be encrypted. Even if an unauthorized third party intercepts the traffic, they will not be able to read any actual information you send or receive. If the website is not secure, though, any requests and responses exchanged between your web browser and the website can be monitored at any of the multiple access points your traffic is routed through.
As the number of websites that use an SSL certificate rapidly increased in the past several years, most web browsers started displaying a “Not secure” message for any website that doesn’t use a certificate. Up until then, secure websites had a padlock in the URL bar, while non-secure ones simply didn’t have one. This is why the question is not whether you should add an SSL certificate to your website, but what type. You will find two types of certificates on the market – free and paid ones. Below, we will look at some of their pros and cons to help you choose the best option for your website.
- What is an SSL certificate
- So, do you really need one?
- Free SSL certificates
- Paid SSL certificates
- Which type will protect your website better?
- Which type can you use with ICDSoft?
- In conclusion
What is an SSL certificate
This is a digital certificate that is used to authenticate a website and to encrypt the information exchanged between that website and its users. SSL stands for Secure Sockets Layer – a protocol that allows information to be encrypted. Although we use the more advanced TLS protocol these days, the term “SSL certificate” is still being used.
When you open a website, you can see whether it uses an SSL certificate if you check the browser address bar – the URL of a secure website includes https:// instead of http:// and there is a padlock next to the web address.
Data is encrypted using a private key, which is available only on the server, and decrypted with a public key that is obtained by web browsers when the site is loaded. We will not go into too many technical details now; what matters is that the SSL certificate creates an encrypted link between a website/server and its users.
So, do you really need one?
Yes, you do! There is no doubt that if you have a website, you should add an SSL certificate to it. Keeping any information submitted by the site visitors secure is the most obvious reason, but there are various other reasons to use a certificate as well. Here are a few of them:
- Gain people’s trust. Even if you don’t collect information on the site, people may hesitate to browse it if they keep seeing the “Not secure” label next to your web address.
- Give the site a ranking boost. Google gives preference to secure websites in search results.
- Affirm your identity with some types of certificates. Organization validation (OV) and Extended validation (EV) SSL certificates are issued after an extensive validation process.
Now that we have established that an SSL certificate is a must-have for your website, let’s have a look at the pros and cons of free and paid certificates. Such a comparison can help you decide which option is more suitable for you.
Free SSL certificates
Let’s Encrypt is the most popular certificate authority (CA) that offers free SSL certificates. They were the pioneers as they started issuing certificates recognized by all major web browsers back in 2015. In the following years, other certificate authorities started issuing free certificates as well – some of them offering them for a month, labeling that period as “trial”. Nonetheless, Let’s Encrypt has been the standard in the industry, so the pros and cons below apply mostly to the certificates they offer.
Pros
- Free. You can use such SSL certificates for free for as long as you need them. Leaving aside the 1-month trials some companies offer, free certificates are valid for 90 days and can be renewed an infinite number of times at no cost.
- Easy to obtain. More and more hosting providers offer free SSL certificates with their hosting plans. Since they integrate the certificates into their platform, enabling a free SSL certificate usually takes just a click, while renewals are automatic. If your provider does not offer such certificates, you will find lots of websites that facilitate the process with an easy point-and-click interface and detailed instructions.
- Automated renewals. If you run a virtual or a dedicated server, usually you cannot rely on the same level of integration you will find with shared hosting packages. Even in this case, however, you can install a free SSL certificate and set up automatic renewals by adding a cron job that executes software such as Certbot – a client that requests, validates and installs Let’s Encrypt certificates automatically.
Cons
- Validity. Free certificates can be renewed every 90 days for as long as needed, but this is convenient only if your hosting company offers them as a part of its hosting service. If not, you will have to renew the certificates manually, which can sometimes be a burden. 1-month trials from other certificate authorities don’t offer a free renewal option, but only a 1-year paid one.
- (Lack of) Trust. Free SSL certificates were introduced to make the Web safer, but anybody can get a certificate these days. This applies to fake websites as well – unfortunately, they can appear as secure as any legitimate website. This is why some people simply won’t trust a website if they see it uses a free certificate.
- Only Domain validation is available. The above lack of trust is the result of the basic validation process Let’s Encrypt performs. The certificate authority offers only domain validation, i.e. you have to prove you can control a given domain name, but nothing more than that. They do not validate the contact details of the person or the organization that requests the certificate (the so-called Organization Validation other CAs perform).
- Lack of support. Let’s Encrypt does not provide any direct support as they are a non-profit organization with a small team that handles only the automation. You can rely on some support for a free certificate only if you use a 30-day trial from a different certificate authority, but this won’t help you much as you will have to pay after the first month.
- No warranty. If your website gets hacked due to a vulnerability in the certificate, or you make a payment on a fraudulent website that uses a certificate that has not been validated properly, the CA will not compensate you in any way. While this scenario is not probable, it is not impossible.
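The validity period and the domain-versus-organization validation difference described above are both visible in the certificate itself. The following is an added example, not code from the original article: it reads certificate dictionaries in the shape Python's `ssl.SSLSocket.getpeercert()` returns and reports the validation level, the lifetime and whether a renewal is due. The two sample certificates are constructed, the 30-day renewal window is an assumed threshold, and the subject-field test for DV/OV/EV is a heuristic.

```python
import ssl
from datetime import datetime, timezone

# Constructed samples in the dict shape ssl.SSLSocket.getpeercert() returns.
DV_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Apr  1 00:00:00 2025 GMT",   # 90-day lifetime
}
OV_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Shop Inc"),),
                (("commonName", "shop.example.test"),)),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Feb  3 00:00:00 2026 GMT",   # 398-day lifetime
}

def subject_fields(cert):
    """Flatten the nested subject tuples into a plain dict."""
    return {key: value for rdn in cert["subject"] for key, value in rdn}

def validation_level(cert):
    """Heuristic (assumption): DV subjects carry no organizationName,
    EV subjects additionally carry businessCategory."""
    fields = subject_fields(cert)
    if "organizationName" not in fields:
        return "DV"
    return "EV" if "businessCategory" in fields else "OV"

def lifetime_days(cert):
    """Whole days between notBefore and notAfter."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return (end - start) // 86400

def days_left(cert, now):
    """Whole days from `now` (timezone-aware) until the certificate expires."""
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return (expires - now).days

def renewal_due(cert, now, window_days=30):
    """True when fewer than window_days remain (the window is an assumption)."""
    return days_left(cert, now) < window_days

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for cert in (DV_CERT, OV_CERT):
        print(validation_level(cert), lifetime_days(cert), days_left(cert, now))
```

A check like `renewal_due` run from a scheduled job catches the case where an automated renewal has silently stopped working before visitors see an expired-certificate warning.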
Paid SSL certificates
Paid SSL certificates are issued by a number of certificate authorities (CAs). They are all members of the Certification Authority Browser Forum – a voluntary consortium of CAs and application software suppliers, primarily vendors of web browsers and operating systems. Certificate authorities usually do not sell SSL certificates directly, but work with different tiers of resellers that handle the orders of end customers.
Pros
- Valid for a full year. If you buy an SSL certificate, you won’t have to worry about renewing it until the following year. Some providers even issue certificates for the maximum allowed period of 398 days. You will also come across multi-year deals that can save you money and you will only have to reactivate the certificate each year.
- Trust. There are several different types of paid certificates based on their validation process. Organization validation (OV) and Extended validation (EV) certificates are issued after an extensive background check of the company requesting the certificate. If you come across a website that uses such a certificate, you can trust it.
- Support. Whenever you need assistance for an SSL certificate, you can contact the certificate authority or the vendor you ordered the certificate from, and they will assist you. Whether you need assistance with the validation process, the installation, or something else, you can usually get technical help within no more than a few hours. Some SSL vendors offer live chat assistance as well.
- Warranty. Paid SSL certificates come with a warranty between $10,000 and $1,500,000+, depending on the type of certificate you use and the certificate authority that has issued it. This is an assurance that if something unforeseen happens due to some weakness in the certificate, you will be compensated. This also applies to any transactions you make on a website that uses an SSL certificate that has not been validated properly by the CA.
- Trust site seal. If you use a paid SSL certificate, you can add a trust seal on your website. This is a small image, which certifies that your website is secure. Some seals are static images, while others are dynamic. The latter display real-time information about the URL being protected, the issuing company and the warranty amount. Adding a trust seal on your website will make your site visitors confident that the site is secure and legitimate.
- Multi-domain support. Some certificate authorities offer multi-domain certificates. Along with your main domain, you can add more domains as so-called Subject Alternative Names (SANs). This way, you can buy and configure a single certificate for multiple websites.
Cons
- Can be quite expensive. If you look for a paid SSL certificate, you will come across different prices. On one website you will have to pay $30, on another – even $150 for the exact same certificate. Organization Validation and Extended Validation certificates can be even more expensive.
- The validation process can be frustrating. The basic paid SSL certificates use the same domain validation as free certificates. The Organization Validation and Extended Validation certificates, however, usually take at least a few days to be issued. During the process, you have to provide a company phone number and submit company registration documents. Public government records are also checked to validate the company requesting the certificate. Sometimes people get frustrated by the whole process and end up using a basic SSL certificate.
- Multi-domain support. You may wonder why this feature is listed as a con, when it is listed as a pro as well. The reason is that certificate authorities consider www and non-www as two separate domains. Technically, they are different SANs, but all certificate authorities call them domains, which can be misleading. If you buy a certificate for 5 domains, for example, it will cover your main domain (www and non-www) for the first slot, but only two more domains (www and non-www) for the other four slots.
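The www/non-www point can be checked before ordering a multi-domain certificate. This is an added example, not code from the original article: it matches hostnames against a certificate's DNS SAN entries (a wildcard covers exactly one leftmost label), lists the names that would be left uncovered, and counts slots under the scheme described above. The function names and the `.test` hostnames are constructed for illustration.

```python
def matches(hostname, san):
    """True if one DNS SAN entry covers hostname.
    A wildcard entry (*.example.test) covers exactly one leftmost label."""
    host, san = hostname.lower().rstrip("."), san.lower().rstrip(".")
    if not san.startswith("*."):
        return host == san
    head, _, tail = host.partition(".")
    return bool(head) and tail == san[2:]

def uncovered(hostnames, sans):
    """Hostnames that no SAN entry covers; browsers show a warning for these."""
    return [h for h in hostnames if not any(matches(h, s) for s in sans)]

def with_www(domains):
    """Expand each site into the two names visitors actually type."""
    names = []
    for domain in domains:
        names += [domain, "www." + domain]
    return names

def slots_needed(domains, main):
    """Slots under the scheme described above: the main domain's www pair
    shares the first slot, every other name takes a slot of its own."""
    return 1 + sum(2 for domain in domains if domain != main)

if __name__ == "__main__":
    # Constructed SAN list: the second site was added without its www name.
    sans = ["example.test", "www.example.test", "shop.test"]
    sites = ["example.test", "shop.test"]
    print("uncovered:", uncovered(with_www(sites), sans))
    print("slots for 3 sites:", slots_needed(sites + ["blog.test"], "example.test"))
```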
Which type will protect your website better?
If you only want to encrypt the information that visitors submit on your site, you can use either type. Both free and paid SSL certificates offer the same level of encryption. Both types will allow your website to open with https:// and with a padlock in the browser address bar. When it comes to security, it doesn’t really matter which one you will choose.
If you consider other factors, though, the type you choose does matter. Paid SSL certificates come with a warranty; OV and EV certificates are issued only after an extensive check by the certificate authority to make sure the organization that is requesting the certificate is legitimate. This information will be available to the public if they check the certificate information in their web browser or if you add a trust site seal. All these things will make the visitors on your website confident that their information will be protected. This is why paid SSL certificates are suitable for any website where visitors should submit any information, or for any professional project you have. Online shops, social websites, news portals or collaboration platforms like a Nextcloud website are just a few examples of cases where a paid SSL certificate will be more suitable than a free one.
Free SSL certificates are easy to obtain – often it takes just a couple of clicks to do that if your web hosting provider offers them. And, of course, they are free. The lack of support and warranty, along with the fact that anybody can obtain such an SSL certificate, makes this type of certificate more suitable for personal websites or staging copies of your site.
Which type can you use with ICDSoft?
For your convenience, we allow you to choose which option to use. All our hosting plans come with free Let’s Encrypt SSL certificates already integrated in our platform, and activating one for a domain or a subdomain takes literally just a click. If you prefer a more professional solution, however, you can use a commercial SSL certificate.
We offer certificates from DigiCert and Sectigo at competitive prices, which we will install for you. For your convenience, we can also help you with switching your website to https and making sure it opens with a padlock in the browser address bar. With our Managed VPS plans and the Business Plus shared hosting plan we provide a commercial SSL certificate for free. Of course, you can use any other third-party certificate, but it will be more convenient to manage your hosting accounts and your certificates all in one place.
In conclusion
If you wonder whether to use a free SSL certificate or a paid one, you have to weigh the pros and cons of either option. There is no doubt that you should add a certificate to your website, but what type you will choose depends on different factors. If you don’t accept personal details or card payments on your site, and you don’t need a warranty or a seal, you can go for a free SSL certificate. If you ask your customers to enter any information on the site, however, and you want to assure them your site is secure by displaying a site seal and a warranty note, you should go for a paid SSL certificate. Spending a small amount every year on a certificate will pay off in the long run, as the trust you will build in your customers will have no price.