Is there any real difference between a free SSL and a paid one?

rafalp

Desu Ex
Joined
Feb 17, 2008
Messages
1,340
For those wondering where green padlock went to:

Starting with Chrome 69 (released September 2018), Chrome no longer makes the padlock green when a page is secure. This is to desensitize users about this UI item. Next on the menu is that Chrome will warn users away from sites that aren't https.
 

HWS

TAZ Member
Joined
Aug 21, 2012
Messages
206
For those wondering where green padlock went to:

Starting with Chrome 69 (released September 2018), Chrome no longer makes the padlock green when a page is secure. This is to desensitize users about this UI item. Next on the menu is that Chrome will warn users away from sites that aren't https.

Looks like Google governs the web now. :mad:
 

Xon

Developer
Joined
Feb 15, 2015
Messages
311
Let's Encrypt do not have the insurance that paid ones do
Question; this "insurance" what does it cover and how. Spoilers; this is something of a rabbit hole and the answer ends up being the "insurance" is completely worthless.
 

Daniel

Aspirant
Joined
Dec 14, 2018
Messages
23
I think that the free ones are best used for those that don't want the browsers indicating to users that the website is "insecure" and therefore worrying visitors that their data will be stolen. If I had an online store I would consider more paying for one to gain even more trust from my visitors and potential buyers...plus I believe it to actually be more secure overall. If I am not mistaken there is some sort of assurance from the SSL provider...though I could be entirely wrong here.
 

rafalp

Desu Ex
Joined
Feb 17, 2008
Messages
1,340
If I had an online store I would consider more paying for one to gain even more trust from my visitors and potential buyers...plus I believe it to actually be more secure overall.

"Believe" is the correct word to use here. There is no difference between a free and a paid HTTPS certificate as far as security is concerned.

What actually happens when you enable HTTPS on your site is you ask a certificate provider for the public key that your domain should use to encrypt connections. When a user connects to the site on HTTPS, their browser uses your public key to encrypt the message. The browser has the data required to see if your public key is valid or invalid, because certificate vendors make deals with browser vendors. Your key expired? Connection is interrupted. Private key expired? Connection is interrupted. Master key expired? Connection is interrupted. Either of the keys is known to be compromised? Connection is interrupted.

The technology involved is the same no matter if it's Let's Encrypt or a paid certificate seller, despite what the latter will try to tell you on their website.

Question; this "insurance" what does it cover and how. Spoilers; this is something of a rabbit hole and the answer ends up being the "insurance" is completely worthless.

LMAO

This is the same as a bank selling insurance for your mortgage. The game is rigged to make sure you'll never meet the conditions for a bail out.
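
The checks listed in the post above, modeled as an added example (not part of the original post): a client's accept/reject decision depends on issuer trust, validity dates and hostname, while the DV/OV/EV policy OID that separates free from paid vetting is never consulted. The CA names, hostname and dates are constructed; the `policy_oid` field and the trust-store set are assumptions of this sketch.

```python
import ssl

# CA/Browser Forum policy OIDs: they record how the CA vetted the
# applicant, not which cryptography the certificate uses.
VALIDATION_LEVEL = {
    "2.23.140.1.2.1": "DV (domain control only)",
    "2.23.140.1.2.2": "OV (organization vetted)",
    "2.23.140.1.1": "EV (extended vetting)",
}
TRUSTED_ISSUERS = {"Example Free CA", "Example Paid CA"}  # hypothetical trust store


def make_cert(issuer, host, not_after, policy_oid):
    """Constructed sample in the dict shape of SSLSocket.getpeercert();
    'policy_oid' is an extra field added for this example."""
    return {
        "issuer": ((("commonName", issuer),),),
        "subjectAltName": (("DNS", host),),
        "notBefore": "Jan 10 00:00:00 2019 GMT",
        "notAfter": not_after,
        "policy_oid": policy_oid,
    }


def client_accepts(cert, hostname, now):
    """Leaf checks a TLS client applies; signature and revocation checks
    are left out of this sketch. Note that policy_oid is never read."""
    issuer = dict(rdn[0] for rdn in cert["issuer"]).get("commonName")
    if issuer not in TRUSTED_ISSUERS:
        return False, "untrusted issuer"
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    if not start <= now <= end:
        return False, "outside validity period"
    if hostname not in [v for k, v in cert["subjectAltName"] if k == "DNS"]:
        return False, "hostname mismatch"
    return True, "ok"


NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2019 GMT")
FREE_DV = make_cert("Example Free CA", "shop.example", "Dec 31 00:00:00 2019 GMT", "2.23.140.1.2.1")
PAID_EV = make_cert("Example Paid CA", "shop.example", "Dec 31 00:00:00 2019 GMT", "2.23.140.1.1")
PAID_EXPIRED = make_cert("Example Paid CA", "shop.example", "Mar 10 00:00:00 2019 GMT", "2.23.140.1.1")

if __name__ == "__main__":
    for name, cert in [("free DV", FREE_DV), ("paid EV", PAID_EV), ("paid EV, expired", PAID_EXPIRED)]:
        print(name, VALIDATION_LEVEL[cert["policy_oid"]], client_accepts(cert, "shop.example", NOW))
```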
 

Daniel

Aspirant
Joined
Dec 14, 2018
Messages
23
"Believe" is the correct word to use here. There is no difference between a free and a paid HTTPS certificate as far as security is concerned.

What actually happens when you enable HTTPS on your site is you ask a certificate provider for the public key that your domain should use to encrypt connections. When a user connects to the site on HTTPS, their browser uses your public key to encrypt the message. The browser has the data required to see if your public key is valid or invalid, because certificate vendors make deals with browser vendors. Your key expired? Connection is interrupted. Private key expired? Connection is interrupted. Master key expired? Connection is interrupted. Either of the keys is known to be compromised? Connection is interrupted.

The technology involved is the same no matter if it's Let's Encrypt or a paid certificate seller, despite what the latter will try to tell you on their website.

LMAO

This is the same as a bank selling insurance for your mortgage. The game is rigged to make sure you'll never meet the conditions for a bail out.

Interesting, to some extent I thought there was some benefit to spending the $30 a year or whatever the other SSLs you can get that give you the great big green bar etc.
 

rafalp

Desu Ex
Joined
Feb 17, 2008
Messages
1,340
great big green bar

The great big green bar is a UI artifact from times when you had no free certificate vendors, and HTTP was the default. Today browsers are changing their approach to display a red bar when no HTTPS is enabled on the site - because HTTPS should be the default for all sites now that it can be set up for free.
 

User37935

Neophyte
Joined
May 4, 2011
Messages
0
Looking at this from a different angle, as a consumer when I have shopped online I have never even clicked the HTTPS icon for further info or to see if it's a free one or a $$$ one - I wonder how many do? Not many I would think.
 

mysiteguy

Fanatic
Joined
Feb 20, 2007
Messages
3,619
Interesting, to some extent I thought there was some benefit to spending the $30 a year or whatever the other SSLs you can get that give you the great big green bar etc.

The way the warranties work is actually not to protect your site directly but to protect consumers who are defrauded on a fraudulent site. If, for instance, someone manages to make a fake site and presents your certificate. If the certificate provider validates your certificate from a site that isn't yours, and the consumer gets ripped off, the warranty covers them. The odds of the cert provider validating to the browser a forged site are incredibly small because only you, not the SSL provider, should have your private key.

Yes, it can happen, but it's so exceedingly rare that for non-e-commerce sites there's really no point in buying one. For e-commerce sites, or other types of sites dealing in very private data, it makes sense to use a paid certificate, not because it actually provides more security, but because of the perception it does. Depending on a business's liability insurance policy, their insurer may require a certain level of paid certificate, but that's because insurers tend to be ignorant about the technology as well.
 