SSL is a very common feature on almost every website nowadays. It’s not mandatory in most cases, but it would be hard to imagine a website without it. A free certificate is usually a selling point for a shared hosting provider, and it does its job: it protects the data transmitted between a visitor and a website or application. So why are there paid certificates as well? What is the difference between free and paid SSL?
The meaning of SSL
Secure Sockets Layer (SSL) is a security technology used to establish an encrypted connection between the client and the server. Its main purpose is to secure the transmission of sensitive data between the two. This could be anything you enter on a website, from login credentials to personal information.
Anyone can create their own certificate and use it for internal purposes. This type of certificate is called a self-signed certificate. Such certificates are sometimes created by a hosting provider’s server, but they are not signed by any Certificate Authority (CA), so if you have this kind of certificate, browsers will show your website as not safe. Browsers only accept certificates that are signed by a CA, an official certificate issuer.
Let’s Encrypt – the most popular choice
Free certificates provided by a shared hosting provider like Hostens are issued by a CA, Let’s Encrypt. It is the most common CA for free certificates, and its certificates are issued easily. As Let’s Encrypt says: “you have to demonstrate control over the domain” and that is done automatically on shared hosting servers, once you have added the domain and pointed it to a server via a regular DNS A record.
This is a very convenient and easy way to secure the connection between your visitors and your website quickly. It is a good starting certificate for most regular websites or blogs that are not engaged in any e-commerce activities, as its main purpose is just to ensure safe data transmission.
So, why not a free certificate?
Unfortunately, free certificates are not the best choice for an e-commerce website or any other website that involves interaction with visitors, such as entering login information, placing orders, making purchases, or providing personal details in any other way. Even fake or malicious website owners can get free certificates issued and installed for their websites. This can easily mislead visitors. That is why paid certificates are used.
Paid certificates are provided by a Certificate Authority (CA) that takes a very different approach to issuing a certificate. There are a few different ways to validate the certificate owner: Domain Validation (DV), Organization Validation (OV) and Extended Validation (EV). Below you will find a quick explanation of each of these validations:
- DV: CA checks your domain ownership, i.e. the right to use the domain.
- OV: CA checks your domain ownership and the existence of an organization, and does verification via phone.
- EV: CA checks the legal and physical existence of an organization, official records and the organization’s rights to use a certain domain name.
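The validation level is visible in the certificate itself, so it can be checked rather than assumed. The sketch below is an added example, not code from the original article: it is a heuristic that assumes the CA fills in the subject the way the CA/Browser Forum profiles require (no organization for DV, organization for OV, registration details for EV). The sample certificates, domain names and CA name are constructed and hypothetical.

```python
# Added example: infer a certificate's validation level from its subject fields.
# Input has the shape returned by ssl.SSLSocket.getpeercert().

# Attributes found only in EV subjects. Older OpenSSL builds report the
# jurisdiction country as a raw OID rather than by name, so accept both.
EV_MARKERS = {"businessCategory", "jurisdictionCountryName",
              "1.3.6.1.4.1.311.60.2.1.3"}

def flatten(name):
    """Flatten getpeercert()'s nested RDN tuples into {attribute: value}."""
    return {key: value for rdn in name for key, value in rdn}

def validation_level(cert):
    subject = flatten(cert.get("subject", ()))
    issuer = flatten(cert.get("issuer", ()))
    if not subject:
        return "unknown"          # e.g. getpeercert() on an unverified peer returns {}
    if subject == issuer:
        return "self-signed"      # issued by its own subject, no CA vouches for it
    if "organizationName" not in subject:
        return "DV"               # only the domain was checked
    if subject.keys() & EV_MARKERS and "serialNumber" in subject:
        return "EV"               # registration details are part of the subject
    return "OV"                   # organization named, no EV registration data

# Constructed sample certificates (hypothetical names, not real sites or CAs).
CA = ((("countryName", "US"),), (("organizationName", "Example CA"),),
      (("commonName", "Example Issuing CA"),))
SAMPLES = {
    "blog": {"subject": ((("commonName", "blog.example"),),), "issuer": CA},
    "shop": {"subject": ((("countryName", "LT"),),
                         (("organizationName", "Example Shop UAB"),),
                         (("commonName", "shop.example"),)), "issuer": CA},
    "bank": {"subject": ((("1.3.6.1.4.1.311.60.2.1.3", "LT"),),
                         (("businessCategory", "Private Organization"),),
                         (("serialNumber", "000000000"),),
                         (("organizationName", "Example Bank AB"),),
                         (("commonName", "bank.example"),)), "issuer": CA},
    "intranet": {"subject": ((("commonName", "intranet.example"),),),
                 "issuer": ((("commonName", "intranet.example"),),)},
}

if __name__ == "__main__":
    for name, cert in SAMPLES.items():
        print(f"{name:9} {validation_level(cert)}")
```

All four samples would encrypt traffic equally well; the classifier only reports how much the CA verified about who is behind the domain.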
More control over the security of issuing
Each successive validation method generally takes longer and provides a more in-depth check, and the certificate is issued to the verified person or organization only once all the steps are completed. This means that the CA can basically vouch for the certificate owner to some degree. Paid certificates even have a warranty: this is generally a sum of money that the CA guarantees if there is some failure on their side regarding SSL encryption. Each time the paid SSL is renewed, which generally happens every year, the validation is done again.
Paid certificates should be used for all e-commerce websites and by organizations that hold sensitive personal information, such as government websites. Some finance-related websites can’t even use any certificate other than EV, as you might notice on various bank websites.
Both free and paid certificates have their place in hosting, but paid certificates should always be there on the website, if not now, then sometime in the near future. It is a small price to pay to make your visitors feel safer and gain more of their trust.