Do I need to pay for an SSL certificate, or is a free one good enough?
Hosting providers, web developers, and many of our other resellers get this question a lot. And if you’re a website owner, you might be asking it yourself. It’s obviously tempting to opt for the free version — and in some cases, that’s really all a website owner needs — however, there are some objective benefits to paid SSL certificates.
This post will explore in detail all factors worth considering, but we’ll start with the short, honest summary:
Free SSL certificates can definitely do the job in cases where trust is important but not critical, for example, on blogs and other small information sites. Why? They offer the same level of encryption as their paid equivalents and display the padlock symbol in all major browsers. However, they don’t offer some key features that many sites need, including features that build consumer trust.
Paid SSL certificates are a better fit for businesses and brands for whom consumer trust is key, and who are willing to pay for peace of mind and easy management. For starters, not only do paid SSL certificates provide encryption, but they further validate or authenticate that the website owner is who they claim to be, assuring users that the site is, in fact, legitimate. And only paid certificates offer a warranty, long validity periods, technical support, and certificate management. So what type of SSL certificate is right for you or your customers? Let’s take a closer look at these points of comparison.
Authentication and validation
As mentioned above, all TLS/SSL certificates (including the free ones) provide a secure connection between the browser and the website, prevent the browser from displaying a “Not Secure” warning, and display a padlock symbol in the user’s browser to signal that the connection is encrypted.
This sounds great, but the problem is that encryption is only half of the equation. The other half is authentication. All free certificates are Domain Validated. They prove that whoever installed the certificate has admin access to the domain name, but they do nothing to validate the legitimacy of the organization that owns the domain name. Anonymous entities can obtain a free certificate and create a “secure” connection to an untrustworthy site.
Only paid certificates, more specifically, Organization Validation (OV) and Extended Validation (EV) certificates, authenticate the owner of the website. OV and EV involve more stringent methods of validation, requiring the company that owns the website to supply detailed information about their organization. This information is then validated by the Certificate Authority issuing the certificate, ensuring that the company behind the website is legit and trustworthy. This is why you’ll often see EV certificates used on the websites of global banks, financial service providers, Fortune 500 companies, Global 2000 companies, e-commerce sites, and enterprises.
Historically, most people visiting a website see the padlock symbol and assign it the same level of trust as a high-assurance certificate. Enter the cybercriminal. Research shows that more than half of all fake sites used for phishing are protected by Domain Validated SSL certificates, and these “secure” phishing sites are increasing in number each year as fraudsters use free certificates to get the padlock symbol while staying completely anonymous.
Users who take the time to check a website’s certificate will find that an EV certificate inspires more trust than a DV certificate.
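As an added example (not part of the original post and not DigiCert code), the following Python code shows what such a check looks like in practice: it reads the subject of a certificate as returned by Python's ssl.SSLSocket.getpeercert() and infers whether it is DV, OV or EV and which organization, if any, was validated. The sample subjects and host names are constructed for illustration, and classifying from subject fields alone is a heuristic.

```python
import socket
import ssl

# EV subjects carry these fields in addition to organizationName.
EV_FIELDS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}

def subject_fields(cert):
    """Flatten getpeercert()'s nested RDN tuples into a {name: value} dict."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}

def validation_level(cert):
    """Return (level, organization) inferred from the subject alone.

    Heuristic: the authoritative marker is the certificate-policy OID
    (2.23.140.1.2.1 DV, 2.23.140.1.2.2 OV, 2.23.140.1.1 EV), which
    getpeercert() does not expose.
    """
    fields = subject_fields(cert)
    org = fields.get("organizationName")
    if org is None:
        return ("DV", None)  # domain control only, owner not verified
    if EV_FIELDS.issubset(fields):
        return ("EV", org)
    return ("OV", org)

def fetch_cert(host, port=443, timeout=5):
    """Fetch a live server's verified certificate (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample subjects in getpeercert() format (not real certificates).
DV_CERT = {"subject": ((("commonName", "blog.example.org"),),)}
OV_CERT = {"subject": ((("countryName", "US"),),
                       (("organizationName", "Example Corp"),),
                       (("commonName", "www.example.com"),))}
EV_CERT = {"subject": ((("businessCategory", "Private Organization"),),
                       (("jurisdictionCountryName", "US"),),
                       (("serialNumber", "0000000"),),
                       (("countryName", "US"),),
                       (("organizationName", "Example Bank, Inc."),),
                       (("commonName", "www.examplebank.example"),))}

if __name__ == "__main__":
    for label, cert in (("dv", DV_CERT), ("ov", OV_CERT), ("ev", EV_CERT)):
        print(label, validation_level(cert))
```

To check a live site, pass the result of fetch_cert("your-host-name") to validation_level().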
Live 24/7 support
For any online business, a problem with your TLS/SSL certificate can cost you sales. Many companies opt for a paid SSL certificate because if something goes wrong, they know they’ll be able to reach out for help, day or night. Providers of free certificates simply can’t afford to offer live 24/7/365 support.
Longer certificate lifetimes
Free SSL certificates are valid for 30-90 days, at which point they have to be renewed. Paid certificates can be issued for an entire year, reducing the time spent managing certificate lifecycles.
Most paid certificates offer warranties, ranging from $10,000 to $2 million. This covers you in the event that a certificate-related failure causes damage or financial loss. Free certificates, by nature of their being free, offer no warranty.
Simplified cybersecurity management
When companies weigh the initial certificate cost against the total cost of website security, they often find that paid certificates offer a wealth of features that make the job easier. Many premium certificates, like DigiCert’s Secure Site Pro, include website security tools such as vulnerability assessment, CT log scanning, block list checking, malware scanning, and PCI compliance scanning.
Additional security signifiers
Paid certificates come with site seals that can build trust and increase e-commerce conversion rates. Conversion rates improve with site seals such as the DigiCert seal and the Norton seal, the latter of which was proven in a study from Baymard Institute to be the most well-recognized symbol for online security. The same study revealed that 17% of customers said they’ve abandoned a purchase because they didn’t trust the website they were on.
Conclusion: like most things, great website security isn’t really free
“Free” is always an attractive price tag, and in the case of TLS/SSL certificates, a free version can do the job. But there’s a reason many companies choose to protect themselves, their brands, and their customers by purchasing high-assurance TLS/SSL certificates from a reputable CA. The heightened consumer trust and the peace of mind provided by a warranty and 24/7 support often far outweigh the cost of the certificate.
This is especially true when you consider the affordable OV and EV options that are out there. Here are a few offered by DigiCert and their affiliated brands.
If you’re looking to learn more about SSL certificates, we’ve got a ton of resources. Check out our full SSL lineup and our summary of web visitors’ trust in an SSL seal.
This post was sponsored by DigiCert, one of our trusted SSL vendors.