What is the difference between free SSL Certificates offered by Let’s Encrypt, CloudFlare, Amazon and paid SSL Certificates offered by SSL Dragon?

Friday, October 14th, 2016

Website owners have always been concerned about the security of their websites.

When Google announced their “HTTPS Everywhere” initiative in 2014 (by giving higher rankings to “HTTPS” websites in their search results), owning a reliable SSL Certificate became one of the top priorities for webmasters. However, many developers and companies still cannot decide between installing one of the available free SSL Certificates, offered by Let’s Encrypt, CloudFlare or Amazon, or buying paid SSL Certificates from a trusted SSL provider, such as SSL Dragon.

First, you should know that there is no difference between free and paid SSL Certificates when it comes to their level of encryption. Both of them use symmetric algorithms (commonly known as the “private key”, used for encryption and decryption), and asymmetric algorithms (known as the “public key” which use different keys for encryption and decryption).

Though some SSL Certificates are free, they offer the same level of encryption as the paid SSL Certificates. Let’s Encrypt and CloudFlare use SHA-128 and SHA-256 for their free SSL certificates, while Amazon is offering only SHA-256 for their symmetric encryption level. SSL Certificates provided by Let’s Encrypt are RSA-signed using 2048-bit RSA keys, which can be easily upgraded to 4096-bit RSA keys. At the same time, the free SSL certificates offered by CloudFlare and Amazon come with the standard 2048-bit RSA keys for the asymmetric encryption.

If the level of encryption is the same for both free SSL Certificates and paid SSL Certificates, then let us find out what makes them different.

The Free SSL Certificates from Let’s Encrypt, CloudFlare and Amazon

Since encryption is the same for free SSL Certificates and paid SSL Certificates, the only thing that makes free SSL Certificates distinct from the paid ones is the limitations that free SSL Certificates have. Here are the limitations which you will encounter when dealing with free SSL Certificates:

  • Domain Validation only. Free SSL Certificates will not certify the identity of the website owner. They only ensure a secure connection. Therefore, customers cannot be sure of the identity and trustworthiness of the website owner.
  • Designed to protect small and medium websites and not large websites. Large companies, financial institutions, banks, social networking websites, government, and other high-load systems are less likely to use free SSL Certificates. These entities will rather use a Business Validation SSL Certificate or an Extended Validation SSL Certificate.
  • Limited or slow support. The companies which offer SSL Certificates for free, or include the free SSL Certificates among other services that they offer, are less likely to offer you good and fast responses to your support requests. Solving your problem in a timely manner is crucial for your website’s security because waiting for a solution for too long can significantly damage your website and business.
  • Constantly renewed. Most of the free SSL Certificates are issued for a period of 90 to 360 days and therefore need to be renewed each time this period expires. If you get a paid SSL Certificate, then you can get it for 1, 2 or 3 years, and you only have to renew it when it expires.
  • Limited usage. The free SSL Certificates provided by Amazon are offered only to the users located in a few US states (North Virginia, Oregon, Northern California), and São Paulo. This is a significant inconvenience for companies operating outside those areas. Also, these free SSL Certificates can be installed only by Amazon customers who use Elastic Load Balancers and Amazon CloudFront, which makes it impossible to install them if you are using another hosting company.
  • The intermediary service. CloudFlare is a content delivery network service which also provides SSL Certificates to its customers. CloudFlare’s free SSL Certificates are installed on their caching servers, not on the “origin” servers where the websites are hosted. Thus, CloudFlare acts as an intermediary platform, and not as a seller and provider of SSL Certificates. Also, in order to benefit from CloudFlare’s free SSL Certificates, you have to sign up and use their other services, which are convenient because they also come for free. However, what if you have a different CDN provider, or you are a local business that doesn’t need international visibility, and so doesn’t need a CDN?

The main goal of free SSL Certificates is to democratize access to HTTPS for all websites. Obviously, it is a very good cause and a very positive thing for the entire web community. However, unfortunately, human nature was able to misuse it and transform it into a negative practice.

A free, secure connection to a website doesn’t guarantee its trustworthiness

Cybercriminals have already abused free SSL Certificates by taking advantage of the SSL Certificates’ system of trust. Hackers abused the system by getting SSL Certificates for fake websites hosted on sub-domains apparently related to legitimate domain names. In most cases, the domain owner was unaware of the problem and wasn’t able to prevent it.

According to this article, cybercriminals were able to create a special campaign, called a “malvertising campaign”, which led to a banking Trojan being downloaded and affecting the visitors’ computers. The campaign used the “domain shadowing” technique: the attackers’ ability to create malicious subdomains under a legitimate domain (in this case, the sub-domains were protected by a Let’s Encrypt SSL certificate). These sub-domains were pointing to a malicious server that was under the cybercriminals’ control.

The problem was that Let’s Encrypt only checked the main domain, and verified it for malware or phishing, when issuing its free SSL Certificates. When they received the SSL request for the shadow subdomains, they issued a valid SSL Certificate without checking their ownership and legitimacy. Moreover, Let’s Encrypt has a policy of not revoking its free SSL Certificates because the request for an SSL Certificate “doesn’t say anything about a website’s content or who runs the website”. This makes many legitimate domain names vulnerable to such incidents.
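One way a domain owner can notice shadow subdomains is to compare the hostnames that appear on certificates issued for the domain against the hostnames the owner actually runs. The script below is an added example, not part of the original article; it assumes the owner can export issued-certificate records (for instance from Certificate Transparency logs), and the record fields, inventory and example.com names are constructed for illustration.

```python
import json

# Constructed sample records; the field names ("names", "issuer", "not_before")
# are assumptions for this example, not a real log API.
CT_RECORDS = json.loads("""[
 {"names": ["example.com", "WWW.Example.com."], "issuer": "Paid CA", "not_before": "2016-01-10"},
 {"names": ["img.cdn.example.com"], "issuer": "Paid CA", "not_before": "2016-03-05"},
 {"names": ["ad.secure-login.example.com"], "issuer": "Free CA", "not_before": "2016-10-02"},
 {"names": ["a.b.cdn.example.com"], "issuer": "Free CA", "not_before": "2016-10-03"},
 {"names": ["www.notexample.com"], "issuer": "Free CA", "not_before": "2016-10-04"}
]""")

# Hostnames the owner actually operates (constructed inventory).
INVENTORY = {"example.com", "www.example.com", "*.cdn.example.com"}

def normalize(name):
    # Certificate names are case-insensitive and may carry a trailing dot.
    return name.strip().lower().rstrip(".")

def is_under(name, domain):
    # Match on a label boundary so "notexample.com" is not treated as ours.
    return name == domain or name.endswith("." + domain)

def covered(name, inventory):
    # Exact match, or a wildcard entry covering exactly one extra label.
    if name in inventory:
        return True
    _, _, parent = name.partition(".")
    return "*." + parent in inventory

def find_unexpected(records, domain, inventory):
    """Return sorted (not_before, hostname, issuer) for names nobody inventoried."""
    domain = normalize(domain)
    known = {normalize(n) for n in inventory}
    findings = set()
    for rec in records:
        for raw in rec["names"]:
            name = normalize(raw)
            if is_under(name, domain) and not covered(name, known):
                findings.add((rec["not_before"], name, rec["issuer"]))
    return sorted(findings)

if __name__ == "__main__":
    for when, name, issuer in find_unexpected(CT_RECORDS, "example.com", INVENTORY):
        print(f"{when}  {name}  issued by {issuer}")
```

Any hostname it reports should be checked against the domain's DNS records and registrar account activity, since a shadow subdomain implies someone was able to add DNS entries.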

SSL Certificates offered by SSL Dragon

Besides offering the same level of encryption, the SSL Certificates offered by SSL Dragon have several advantages:

  • A wide range of SSL Certificates. You can choose between several types of SSL Certificates such as: Domain Validation SSL Certificates, Business Validation SSL Certificates, Extended Validation SSL Certificates, Multi-Domain (SAN) SSL Certificates, Wildcard SSL Certificates and Code Signing SSL Certificates. You have the possibility to choose the SSL Certificate that suits your website’s needs best.
  • Perfect for large websites. Paid SSL Certificates secure and process large volumes of data, and millions of online payments. If your website has massive traffic, then a paid SSL Certificate is the right solution for your website and business.
  • Personalized support. Since selling SSL Certificates is our main activity, we provide you with customer service that is available 24/7/365 and always ready to receive your requests and solve any SSL Certificate problems.
  • Exact expiry period. Paid SSL Certificates can last up to 3 years, ensuring the protection of your website for a longer period of time than the free SSL Certificates.
  • Unlimited usage. You can use any type of paid SSL Certificates with any type of hosting services in any area without restrictions.
  • The SSL Certificate is on your server. Your SSL Certificate will sit directly on your server. Therefore, no intermediary company will impose limits and restrictions similar to CloudFlare or Amazon certificates.
  • Trust Seal. Paid SSL Certificates allow you to display a trust seal on all pages of your website, or on your secure checkout page. In this way, you can assure your customers that their personal information and credit card details are secure, and they can fully trust your website.
  • Vulnerability and malware scan. Some paid SSL Certificates offer you regular vulnerability and malware scans which help you keep your website secure.
  • Paid means valuable. A paid SSL Certificate means that the ones who built it put much thought, time and effort in creating that SSL Certificate and they consider it valuable and worth paying money for. In the real world, you cannot find good, reliable and lasting goods for no money.
  • Care about customers. An SSL Certificate tells your customers indirectly that you care about them, and you invest in their information security and comfort. Fraudsters can easily use free certificates for malicious purposes, but being a website owner willing to pay for an SSL Certificate is a guarantee to the customers that you and your business are trustworthy.

Now that you know the differences between a free SSL Certificate and a paid SSL Certificate, you can easily decide which SSL Certificate is better for your website. However, remember that paid SSL Certificates are the ones that give you maximum flexibility in choosing the SSL Certificate that suits your website best, and also provide you additional services that increase your trustworthiness.