+ 33

Free vs Paid SSL Certificate for websites?

Hi there! :) which one would you recommend: a free SSL certificate or a purchased one for a website? Are free ones trusted certificates that actually improve the security of the site? Thanks in advance 😊

15th Mar 2018, 11:37 PM
Pao
Pao - avatar
27 Réponses
+ 32
Here's my 2¢ 😉 Both free and paid SSL are equivalent in terms of security and do the job well for securing user's data. The only reason I can think of using the paid SSL for business is the EV-variant if they want to go the extra mile with a secure green box. In fact, LetsEncrypt saves our money from the lucrative SSL industry as the money we paid are used for authorization process and insurance — I bet you'll be familiar with the promise from the major players which will compensate a large amount of 💰 if your site get hacked due to the SSL. But how often does it happen? In short, go for LetsEncrypt although it requires some knowledge to set it up with 90 days expiry. Renewal is kinda trivial and definitely worth it in a long run.
16th Mar 2018, 3:46 PM
Zephyr Koo
Zephyr Koo - avatar
+ 14
Popular and free https://letsencrypt.org
16th Mar 2018, 9:22 AM
Bill Zelenko
Bill Zelenko - avatar
+ 14
In fact I am using paid SSL certificate but I think free SSL is also quite good. Almost they are same and it depends upon the user that what he/she actually wants...
17th Mar 2018, 3:00 PM
Ram Bahadur Gurung
Ram Bahadur Gurung - avatar
+ 14
Hi! Thank you all for your opinions and suggestions 😊👍 I think this is a subject that matters, as Chrome's market share is above 70% and in Chromium's blog they've been announcing how they will show to users a warning for websites that are not secure. I think that this not only makes a website look less professional (which could damage a Brand) but also it might scare potential customers away from buying from a non-secure site. Not to mention that making our website secure is a good SEO practice, it will help us rank better on Google. If you'd like to read more about it visit: https://blog.chromium.org/2018/02/a-secure-web-is-here-to-stay.html?m=1
18th Mar 2018, 4:32 AM
Pao
Pao - avatar
+ 10
If i was a rich I'll definitely chosen the paid
16th Mar 2018, 3:27 PM
MeMe Boy
MeMe Boy - avatar
+ 9
Thank you @Rick, no worries, I was able to perfectly understand your first message, I appreciate it, very interesting 😊👍
19th Mar 2018, 7:30 PM
Pao
Pao - avatar
+ 6
Web and cybersecurity experts are recommending the paid SSL Certificate to encrypt website with HTTPS. There is the Difference between self-signed SSL vs CA-Signed SSL Certificate. There is no free equivalent of extended validation SSL certificates so I will keep that aspect out of my answer. Having a query related to the powerpoint go to the https://babasupport.org/microsoft/powerpoint-customer-service/471
16th Mar 2018, 8:54 AM
stefnie kayalle
+ 6
Ive been without SSL for 3 years and my traffic still grows weekly.
17th Mar 2018, 9:14 PM
Garrett
Garrett - avatar
+ 6
That doesn't matter you are using a paid or free SSL certificate. It's depends on It's work, performance,and response of company (Purchasing Company)... A free advise - If you have not a commercial (payment, purchase,sale....) website then SSL is not necessary....
18th Mar 2018, 2:09 AM
Bug Slayer
+ 6
Super awesome info and explanation, thank you @Denys Yeromenko, I appreciate it a lot 👍😊
19th Mar 2018, 3:02 AM
Pao
Pao - avatar
+ 6
(Late due to intermittent conflicts) I use unofficial certs so see at every reboot: >>> "Network may be monitored by an unknown third party ... a trusted credential installed on your device is making this possible." Question: "Wait, does this mean any CA can monitor...?" https://security.stackexchange.com/questions/58816/a-third-party-is-capable-of-monitoring-your-network-activity-with-imported-c Answer: "yes" but you trust them not to allow that. So what makes "official" ones a better "acceptable risk": * They deserve to be in OS "system" certificate stores and nobody would every misuse them, and not one of them would ever, ever be compromised, nope, neeeevvvver happens? * You just want your Internet to work, obviously it's somebody's job to check them all and who wants to see warnings? .... Be honest, for admins and visitors :) Moving-forward-either-way notes: * Due to (not just these) compromised CA's, Android 5.0+ allows you to disable authorities: https://android.stackexchange.com/questions/13183/how-can-i-remove-trusted-cas-on-android * Custom CA stores are publicly available to update OS-default bundles (if you trust them) * https://www.ssllabs.com/ can help you get to A++ with chocolate sprinkles ratings (+ some tutorials) on your own certificate deployments.
26th Mar 2018, 9:49 PM
Kirk Schafer
Kirk Schafer - avatar
+ 6
@Kirk :D ! Thank you for showing up 😊 as always awesome info 👌 your references are perfect for me, thanks 😊👏
28th Mar 2018, 4:14 PM
Pao
Pao - avatar
+ 5
@Garrett It's known that Google rank secure sites higher but it's not really a security theater. You'll know it better once you realize how data was transmitted over the Internet. 😉
17th Mar 2018, 2:49 PM
Zephyr Koo
Zephyr Koo - avatar
+ 5
obviously the paid one is ok
17th Mar 2018, 8:19 PM
Lesley Chitsika
Lesley Chitsika - avatar
+ 4
I use lets encrypt
16th Mar 2018, 12:22 PM
Mike Choy
Mike Choy - avatar
+ 4
You don't need either, its just another "Google Scare Tactic"
17th Mar 2018, 2:14 AM
Garrett
Garrett - avatar
+ 3
From the encryption point of view, there is no difference between free and paid SSL certs. However, keep in mind the difference between *domain validation* (DV) and *extended validation* (EV) certificates. The latter are considered a 'higher' class ones and cost way more than simple domain validation certs. There is almost a zero chance a malicious domain will be encrypted with an EV certificate, because in order to be issued, EV SSL requires for the applicant's paperwork to be checked by the certificate issuing authority. A domain name protected with *extended validation* (EV) certificate will display a green bar in most browsers' URL bar. When we are talking about *domain validation* certificates, the URL bar will look the same for both the resource encrypted with a free DV cert and the one protected with a paid SSL. Still, a paid domain validation SSL cert usually implies more credibility and trust, since... well, it costs to get one :) Thus, it is less possible a malicious resource will ever bother with purchasing a domain validation SSL cert when there's a possibility to get one for free.
18th Mar 2018, 10:34 PM
Denys Yeromenko
Denys Yeromenko - avatar
+ 3
The problem with RC4 is the key exchange. You must get the key securely to your recipient of the encrypted message without other people observing it. That is what the SSL certificate does for you. SSL uses asymmetrical public key encryption to transmit the message key to your recipient. Sorry about the typing errors in the first posting voice to text messed it up. At least I was able to edit this one without cursing at the post before finishing
19th Mar 2018, 6:54 AM
Rick Shiffman
Rick Shiffman - avatar
+ 3
can some one tell me how to begin
28th Mar 2018, 1:12 PM
Franklyn Omeben
Franklyn Omeben - avatar
+ 2
Cloudflare always
18th Mar 2018, 6:52 PM
Ab H
Ab H - avatar