Featured Is there any real difference between a free SSL and a paid one?

Discussion in 'Domains and SSL Certificates' started by /ben, Oct 10, 2018.

  1. /ben

    /ben Adherent

    412
    135
    +24
    With services like LetsEncrypt allowing users to gain a free SSL certificate, is there a real difference between the free and paid versions?

    Also, a question - if I were to develop an eCommerce store, would the free LetsEncrypt be enough?
     
  2. we_are_borg

    we_are_borg Moderator

    4,552
    807
    +1,758
    The free SSL's do not have all options that a paid one has but LetsEncrypt is adding more and more options. But for a store i would say its enough but better is an EV.
     
  3. Ingenious

    Ingenious Fan

    523
    287
    +119
    Web hosts obviously like to push you towards the paid-for ones, and some hosts won't help you set up Let's Encrypt. But if you have a control panel where you can click to install it (or the host will do this) then Let's Encrypt does everything you need to satisfy the requirements of HTTPS:

    I use it on mine, Google is happy, Pay Pal is happy, it displays the green padlock in browsers OK.

    Paid for services can look a little more professional - more details shown when you visit a site and click the padlock in the browser - you might want to consider that a paid-for solution then gives more peace of mind to visitors.
     
  4. /ben

    /ben Adherent

    412
    135
    +24
    What other options do you get when purchasing the paid? I've personally never used an SSL until really recently you see.

    To get the green bar and tick, that's a premium SSL, right? - Also, could you provide me with a screenshot of your green bar? I use Chrome and can't see green bars.. even Paypal's website doesn't show me the green!
     
  5. Craigles700

    Craigles700 Participant

    97
    23
    +49
    Think risk management. Who will back you in the event of an issue?

    You get what you pay for?
     
  6. ripptech

    ripptech Professional Lurker

    50
    88
    +34
    There are different "levels" of SSL certificates. I'm sure you've seen just the green lock, the green lock with company name, etc. The difference is in the amount of validation required to purchase them. The more $$ and more detailed the more stuff they require to verify you and your organization.

    I just use the plain old $5/yr PositiveSSL version, just so its encrypted and it gets the https on it. I mean, its $5, big whoop.
     
  7. Ingenious

    Ingenious Fan

    523
    287
    +119
    Now you mention it, I can't see any difference in Chrome (MacOS) between my site, this site, PayPal and major UK banks, it all looks the same:

    Screen Shot 2018-10-12 at 16.42.18.png

    It's Firefox that shows just a padlock for the lesser SSLs like mine and here:

    Screen Shot 2018-10-12 at 16.46.13.png

    And more descriptive for the better SSLs for online banking and so on:

    Screen Shot 2018-10-12 at 16.46.52.png
    Screen Shot 2018-10-12 at 16.47.12.png
     
  8. we_are_borg

    we_are_borg Moderator

    4,552
    807
    +1,758
    Read this https://www.globalsign.com/en/ssl-information-center/what-is-an-extended-validation-certificate/ it should become clear. The biggest issue with LetsEncrypt is that you need to renew every 3 months its automated but still. Also incase of something happening your'e not ensured with normal SSL Certificate you are to a high amount. With a full store i would not run LetsEncrypt a small store with i would think about it, but LetsEncrypt is not meant for large projects.
     
    • Like Like x 1
    • Agree Agree x 1
    • List
  9. zappaDPJ

    zappaDPJ Administrator

    6,348
    1,342
    +4,736
    I'd suggest one of the most important considerations is to ensure that you have direct control over renewals.

    Last weekend the certificates for the vBulletin 5 Cloud service expired leaving the entire network reporting insecure pages until a 'third party connection issue was resolved'. As far as I'm aware vBulletin use free Let’s Encrypt service to generate certificates so as previously suggested it does seem you get what you pay for.
     
  10. /ben

    /ben Adherent

    412
    135
    +24
    Here is what I see.. I'm using Chrome for MacOS?

    ai.imgur.com_OjVQzFD.png
     
  11. Tracy Perry

    Tracy Perry Opinionated asshat

    5,144
    492
    +3,539
    I use LE on about 12 different domains (website related and my webmail for same 12 domains for a total of 24). I started using them shortly after they came out live on my then active domains and dumped my Comodo ones. Since I do no monetary transactions I don't need the Comodo money guarantee. I've never had an issue with renewal not happening.
    Odds are they screwed the pooch on their cloud implementation of requesting them. Almost sounds like (with their 3rd party connection issue) they hit the request limit due to lack of planning.
     
    Last edited: Oct 13, 2018
    • Informative! Informative! x 1
    • List
  12. HWS

    HWS TAZ Member

    200
    108
    +137
    Let's Encrypt is as reliable as your own processes for automatic renewal are.
    But this is the same for paid certificates, except they last longer before there is a chance for a renewal error.

    Today you only need paid certificates if you need EV (extended validation).
     
  13. Ingenious

    Ingenious Fan

    523
    287
    +119
    Mine could be an older version then. It’s an older Macbook,
     
  14. /ben

    /ben Adherent

    412
    135
    +24
    Regardless of the older Macbook, I'm pretty sure you'll have an up to date version of Chrome?
     
  15. Ingenious

    Ingenious Fan

    523
    287
    +119
    No. Newer versions are not supported on my version of MacOS.
     
  16. feldon30

    feldon30 Adherent

    381
    132
    +401
    Myth: SSL certificate proves that you "are who you say you are" or are somehow a "reputable" site.
    Fact: SSL ensures that traffic between site visitors and your site are encrypted. Nothing more nothing less.

    Bonus: Google is making a HUGE deal about this in their browsers, to the point of blocking access to sites with improperly configured SSL. This to me borders on violation of Net Neutrality. Telling me that a site is not encrypted is fine. Blocking my access to an informational (not commerce) website because all the I's and T's aren't dotted and crossed means that Google is the final arbiter of what websites I am allowed to visit and which ones I am not. It won't stop here kids.
     
  17. BassX

    BassX Neophyte

    2
    3
    +1
  18. mysiteguy

    mysiteguy Devotee

    2,538
    887
    +1,785
    Free and domain level certificates don't prove you are who you say you are, but business level validation and higher do, with a warranty covering it, anywhere from $10,000 to $1,000,000 or more. The more you pay (in general), the more stringent the business validation and higher the warranty.

    Whether people care or not, that's another matter. I think most are oblivious concerning the level of validation.
     
  19. Paul M

    Paul M Dr Pepper Addict

    3,730
    1,127
    +2,057
    vB Cloud does indeed use Let’s Encrypt.

    It wasnt LE's fault that IB's IT Dept obviously screwed up (again).
    LE with automatic renewal running is perfectly reliable, Ive been using it for over 2 years just fine.
     
    • Agree Agree x 1
    • Informative! Informative! x 1
    • List
Verification:
Draft saved Draft deleted
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.