Is there any real difference between a free SSL and a paid one?

Discussion in 'Domains and SSL Certificates' started by /ben, Oct 10, 2018.

  1. Necabo

    Necabo Neophyte

    Let's Encrypt does not have the insurance that paid ones do, but is much faster and easier to set up. I love Let's Encrypt, a fantastic service to the web hosting industry :)
     
  2. rafalp

    rafalp Desu Ex

    For those wondering where the green padlock went:

    Starting with Chrome 69 (released September 2018), Chrome no longer makes the padlock green when a page is secure. This is to desensitize users about this UI item. Next on the menu is that Chrome will warn users away from sites that aren't HTTPS.
     
  3. HWS

    HWS TAZ Member

    Looks like Google governs the web now. :mad:
     
  4. Xon

    Xon Adherent

    Question: this "insurance", what does it cover and how? Spoilers: this is something of a rabbit hole, and the answer ends up being that the "insurance" is completely worthless.
     
  5. Daniel

    Daniel Aspirant

    I think that the free ones are best used for those that don't want the browsers indicating to users that the website is "insecure" and therefore worrying visitors that their data will be stolen. If I had an online store I would consider more paying for one to gain even more trust from my visitors and potential buyers...plus I believe it to actually be more secure overall. If I am not mistaken there is some sort of assurance from the SSL provider...though I could be entirely wrong here.
     
  6. rafalp

    rafalp Desu Ex

    "Believe" is the correct word to be used here. There is no difference between a free and a paid HTTPS certificate as far as security is concerned.

    What actually happens when you enable HTTPS on your site is you ask a certificate provider for the public key that your domain should use to encrypt connections. When a user connects to the site over HTTPS, their browser uses your public key to encrypt the message. The browser has the data required to see if your public key is valid or invalid, because certificate vendors make deals with browser vendors. Your key expired? Connection is interrupted. Private key expired? Connection is interrupted. Master key expired? Connection is interrupted. Any of the keys is known to be compromised? Connection is interrupted.

    The technology involved is the same no matter whether it's Let's Encrypt or a paid certificate seller, despite what the latter will try to tell you on their website.

    LMAO

    This is the same as a bank selling insurance on your mortgage. The game is rigged to make sure you'll never meet the conditions for a bail out.
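
An added example, not part of the original post: the validity and hostname checks a client runs are the same for a free and a paid certificate, and what can differ is whether the subject carries a vetted organization name (OV/EV) or only a domain (DV). The two sample certificates, their host names and CA names are constructed, in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns; `summarize` and `name_field` are hypothetical helper names.

```python
import socket
import ssl

# Constructed samples in the dict shape ssl.SSLSocket.getpeercert() returns.
FREE_DV = {
    "subject": ((("commonName", "shop.example"),),),
    "issuer": ((("organizationName", "Example Free CA"),),),
    "notBefore": "Oct  1 00:00:00 2018 GMT",
    "notAfter": "Dec 30 00:00:00 2018 GMT",
    "subjectAltName": (("DNS", "shop.example"),),
}
PAID_OV = {
    "subject": ((("organizationName", "Example Shop Ltd"),),
                (("commonName", "shop.example"),)),
    "issuer": ((("organizationName", "Example Paid CA"),),),
    "notBefore": "Jan  1 00:00:00 2018 GMT",
    "notAfter": "Jan  1 00:00:00 2020 GMT",
    "subjectAltName": (("DNS", "shop.example"),),
}

def name_field(name, key):
    """First value of `key` in a subject/issuer tuple, or None."""
    return next((v for rdn in name for k, v in rdn if k == key), None)

def summarize(cert, host, now):
    """Run the same checks on any certificate, free or paid."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    org = name_field(cert["subject"], "organizationName")
    return {
        "issuer": name_field(cert["issuer"], "organizationName"),
        "in_validity_window": start <= now <= end,
        "host_matches": host in names,  # exact match only, no wildcards
        # Organization in the subject: the CA vetted the owner (OV/EV).
        # No organization: only control of the domain was checked (DV).
        "validation": "OV/EV" if org else "DV",
    }

def fetch(host, port=443):
    """Fetch a live certificate; the default context verifies chain and name."""
    ctx = ssl.create_default_context()
    sock = socket.create_connection((host, port), timeout=5)
    with ctx.wrap_socket(sock, server_hostname=host) as tls:
        return tls.getpeercert()
```

Passing `fetch("your-site")` and `time.time()` to `summarize` runs the same report against a live server.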
     
  7. Daniel

    Daniel Aspirant

    Interesting, to some extent I thought there was some benefit to spending the $30 a year or whatever on the other SSLs you can get that give you the great big green bar etc.
     
  8. rafalp

    rafalp Desu Ex

    The great big green bar is a UI artifact from times when you had no free certificate vendors, and HTTP was the default. Today browsers are changing their approach to display a red bar when no HTTPS is enabled on the site - because HTTPS should be the default for all sites now that it can be set up for free.
     
  9. Ingenious

    Ingenious Fan

    Looking at this from a different angle, as a consumer when I have shopped online I have never even clicked the HTTPS icon for further info or to see if it's a free one or a $$$ one - I wonder how many do? Not many I would think.
     
  10. mysiteguy

    mysiteguy Devotee

    The way the warranties work is actually not to protect your site directly but to protect consumers who are defrauded on a fraudulent site. If for instance, someone manages to make a fake site and presents your certificate. If the certificate provider validates your certificate from a site that isn't yours, and the consumer gets ripped off, the warranty covers them. The odds of the cert provider validating to the browser a forged site is incredibly small because only you, not the SSL provider, should have your private key.

    Yes, it can happen, but it's so exceedingly rare that for non-e-commerce sites there's really no point in buying one. For ecommerce sites, or other types of sites dealing in very private data, it makes sense to use a paid certificate but not because it actually provides more security, but the perception it does. Depending on a business's liability insurance policy, their insurer may require a certain level of paid certificate, but that's because insurers tend to be ignorant about the technology as well.
     
  11. Alfa1

    Alfa1 Administrator

  12. Daniel

    Daniel Aspirant

    I just started using Cloudflare's as well and didn't renew my SSL with Namecheap.
     