Free vs. Paid SSL certificates – What is the difference?

Website owners have always been concerned about the security of their websites.

When Google announced its “HTTPS Everywhere” initiative in 2014 (by giving higher rankings to “HTTPS” websites in their search results), SSL Certificate became one of the top priorities for webmasters. A few years later, Chrome and Firefox began flagging all HTTP sites as not secure. This action alone has forever changed the SSL landscape.

With SSL certificates now all but mandatory for security and SEO (your site won’t appear in SERP if it’s not encrypted), everyone needs to install one. However, many developers and companies still cannot decide between installing one of the available free SSL Certificates, offered by Let’s Encrypt, Cloudflare or Amazon, or buying a commercial SSL Certificate from a trusted SSL provider, such as SSL Dragon.

What is the difference between free SSL Certificates offered by Let’s Encrypt, Cloudflare, Amazon, and paid SSL Certificates offered by SSL Dragon?

First, you should know that there is no difference between free and paid SSL Certificates when it comes to their level of encryption. Both of them use symmetric algorithms (commonly known as the “private key”, used for encryption and decryption), and asymmetric algorithms (known as the “public key” which use different keys for encryption and decryption).

Though some SSL Certificates are free, they offer the same level of encryption as the paid ones. Let’s Encrypt and Cloudflare use SHA-128 and SHA-256 for their free SSL certificates, while Amazon is offering only SHA-256 for their symmetric encryption level. SSL Certificates provided by Let’s Encrypt are RSA-signed using 2048-bit RSA keys, which can be easily upgraded to 4096-bit RSA keys. At the same time, the free SSL certificates offered by Cloudflare and Amazon come with the standard 2048-bit RSA keys for asymmetric encryption.

If the level of encryption is the same for both free and paid SSL Certificates, then let us find out what makes them different.

The Free SSL Certificates from Let’s Encrypt, Cloudflare and Amazon

Since encryption is the same for free SSL Certificates and paid SSL Certificates, the only thing that makes free SSL Certificates distinct from the paid ones is the limitations that free SSL Certificates have. Here are the limitations which you will encounter when dealing with free SSL Certificates:

• Domain Validation only. Free SSL Certificates will not certify the identity of the website owner. They only ensure a secure connection. Therefore, customers cannot be sure of the identity and trustworthiness of the website owner. DV certificates are suitable for basic websites, blogs, online portfolios, and informational sites.
• Designed to protect small and medium websites and not large websites. Large companies, financial institutions, banks, social networking websites, government, and other high-load systems are less likely to use free SSL Certificates. These entities will rather use a Business Validation SSL Certificate or an Extended Validation SSL Certificate.
• Limited or slow support. The companies which offer SSL Certificates for free, or include the free SSL Certificates among other services that they offer, are less likely to offer you good and fast responses to your support requests. Solving your problem in a timely manner is crucial for your website’s security because waiting for a solution for too long can significantly damage your website and business.
• Limited usage. The free SSL Certificates provided by Amazon may not be available for your region. This is a significant inconvenience for companies activating outside those areas. Also, these free SSL Certificates can be installed only by Amazon customers who use Elastic Load Balancers and Amazon CloudFront, which makes it impossible to install them if you are using another hosting company.
• The intermediary service. Cloudflare is a content delivery network service that also provides SSL certificates to its customers. Cloudflare’s free SSL Certificates are installed on their caching servers, not on the “origin” servers where the websites are hosted. Thus, Cloudflare acts as an intermediary platform, and not as a seller and provider of SSL Certificates. Also, in order to benefit from Cloudflare’s free SSL Certificates, you have to sign up and use their other services, which are convenient because they also come for free. However, what if you have a different CDN provider, or you are a local business that doesn’t need international visibility, and so doesn’t need a CDN?

The biggest main goal of free SSL Certificates is to democratize the access to HTTPS for all websites. Obviously, it is a very good cause and a very positive thing for the entire web community. However, unfortunately, human nature was able to misuse it and transform it into a negative practice.

A free, secure connection to a website doesn’t guarantee its trustworthiness

Cybercriminals have already abused free SSL Certificates by taking advantage of the SSL Certificates’ system of trust. Hackers abused the system by getting SSL Certificates for fake websites hosted on sub-domains apparently related to legitimate domain names. In most cases, the domain owner was unaware of the problem and wasn’t able to prevent it.

According to this article about free SSL Certificates vulnerabilities, cybercriminals were able to create a special campaign, called “malvertising campaign” which lead to a banking Trojan being downloaded and affecting the visitors’ computers. The action took place by using the “domain shadowing” technique – the attackers’ possibility to create malicious subdomains under a legitimate domain (in this case, the sub-domains were protected by a Let’s Encrypt SSL certificate). These sub-domains were pointing to a malicious server that was under the cybercriminals’ control.

The problem was that Let’s Encrypt only checked the main domain, and verified if it for malware or phishing when issuing its free SSL Certificates. When they received the SSL request for the shadow subdomains, they issued a valid SSL Certificate without checking their ownership and legitimacy. Moreover, Let’s Encrypt has a policy of not revoking its free SSL Certificates because the request for an SSL Certificate “doesn’t say anything about a website’s content or who runs the website”. This makes many legitimate domain names vulnerable to such incidents.

Update: Phishers use free certificates to scam customers

According to the Anti-Phishing Working Group (APWG), almost 60% of the phishing sites were using the padlock in Q1 of 2019. We’ve written an article on this alarming phishing trend, discussing the dangers of phishing and possible solutions. Unfortunately, the noble intentions of the likes of Let’s Encrypt to offer universal encryption, have been abused by cybercriminals.

Still, Let’s Encrypt is a viable option for a large number of websites. The open-source Certificate Authority has already issued over a billion SSL certificates, contributing greatly to a more secure Internet.

SSL Certificates offered by SSL Dragon

Besides offering the same level of encryption, the SSL Certificates offered by SSL Dragon, have several advantages:

• A wide range of SSL Certificates. You can choose between several types of SSL Certificates such as Domain Validation SSL Certificates, Business Validation SSL Certificates, Extended Validation SSL Certificates, Multi-Domain (SAN) SSL Certificates, Wildcard SSL Certificates, and Code Signing SSL Certificates. You have the possibility to choose the SSL Certificate that suits your website’s needs best.
• Perfect for large websites. Paid SSL Certificates secure and process large volumes of data, and millions of online payments. If your website has massive traffic, then a paid SSL Certificates is the right solution for your website and business.
• Personalized support. Since selling SSL Certificates is our main activity, we ensure you with our 24/7/365 available customer service, which is always ready to receive your requests and solve any SSL Certificate problems.
• Unlimited usage. You can use any type of paid SSL Certificates with any type of hosting service in any area without restrictions.
• The SSL Certificate is on your server. Your SSL Certificate will sit directly on your server. Therefore, no intermediary company will impose limits and restrictions similar to Cloudflare or Amazon certificates.
• Trust Seal. Paid SSL Certificates allow you to display a trust seal on all pages of your website, or on your secure checkout page. In this way, you can assure your customers that their personal information and credit card details are secure, and they can fully trust your website.
• Care about customers. An SSL Certificate, tells your customers indirectly that you care about them, and you invest in their information security and comfort. Fraudsters can easily use free certificates for malicious purposes, but being a website owner willing to pay for a Business or an Extended Validation SSL Certificate is a guarantee to the customers that you and the company are trustworthy.

Now that you know the differences between a free SSL Certificate and a paid SSL Certificate, you can easily decide which SSL Certificate is better for your website.