What is the difference between a free SSL and a paid SSL?
We offer two types of SSLs - free and paid. Both are available for use on our hosting. We're often asked what the difference is and why you would want one over the other. This article goes into full details.
All shared & reseller accounts come with free SSL certificates. Paid SSL certificates purchased through NodeSpace can be used on our hosting (with free installation) and VPS and dedicated servers (with free installation as well). You can also use these certificates at other hosting providers or servers within your own organization (but you will be responsible for installation).
SSL Certificates Logic
The logic behind SSL certificates is to encrypt traffic between a client (commonly a web browser) and the server. This prevents interception of the traffic. The client encrypts data using the server's public key and the server decrypts the data using it's private key. This is known as Public Key Infrastructure or PKI.
In a nutshell, this is basically how it works (note: this is simplified):
Once the secure connection is established, traffic is encrypted and cannot be decoded by anyone without the private key.
Free vs Paid SSL Certificates
With an increasing push for security, Let's Encrypt was started to provide free SSL certificates to the masses. The "catch" is that these certs have a low lifetime of 90 days compared to the traditional 12 months. We don't have a source, but the logic to us is what we're about to explain.
Note: There are some paid SSLs that offer up to 3 years. How this works is that you're really getting a 12 month certificate. Prior to expiration, you will generate a new certificate however you have already pre-paid for the year and will not be required to make another payment. The same thing will happen in the following year. So in reality, you've just pre-paid for 3 years at a reduced cost versus buying 3x 1 year certificates at the 1 year cost.
Reasoning for short validity periods
The reasoning behind SSLs having a short validity period is because our security posture has changed over the last several years. While you used to be able to buy a 5-year SSL, many of these SSLs needed to be reissued when the key size increased from 1024-bits to 2048-bits. This took many website owners by surprise and caused a lot of work for web hosts. Another reason is it greatly reduces the attack period an attacker has to try to break the private key especially with quantum computing and large scale compute available "affordably". By affordably, we mean that an attacker can spend $5,000 to $10,000 to probably crack a private key using a public cloud service with lots of CPU power where in the past, they would need to have purchased hardware closer to several million dollars to be able to crack a private key. By reducing the time frame, chances of the cert being expired and changed to a new private key by the time an attacker cracks the private key are reduced. Same with should a server misconfiguration occur and the private key be made available. With a short validity period, the amount of damage that could be done is minimized.
Let's Encrypt is a free SSL Certificate Authority (CA) that provides certs on a 90-day validity period. This is to minimize impact of key compromise and mis-issuance. While it's not stated, this could also be due to the lack of insurance that we are going to talk about.
Free SSL certificates do not include any amount of insurance in the event of a SSL compromise. Paid SSLs do include some amount of insurance for SSL compromise.
Note: "SSL compromise" means if the CA was hacked or a flaw was discovered in their issuance process and you faced some amount of damage caused by the compromise. Like most insurance, it's not paid out if you're at fault. If you mis-configure the web server or improperly store the private key, then that is not "SSL compromise" and the insurance would not be paid out.
Another difference between free SSL certificates and paid certificates are the validation types. Free certs only have Domain Validated (DV) certificates. This means that a certificate is issued only when the domain is validated to be under your control (e.g. setting a DNS record on your authoritative name servers, uploading a file to your web accessible directory, or sometimes by sending an email to the WHOIS contact though this is not as common due to WHOIS privacy). Paid SSLs also offer DV certs and these are issued very quickly - once the domain is validated. The difference between free SSL certificates and paid DV SSL certificates is the warranty and extra features such as dynamic site seals (graphics that validate the certificate automatically and show and image on your website).
Example site seals:
Paid SSL certificates only offer the following validation types.
- Organization Validation (OV) - These SSL certificates are only issued once the CA can validate 1) your domain, and 2) your organization. These take longer to issue (roughly 3-4 business days, sometimes longer) as the CA authenticates the organization that operates the domain. These SSL certs usually carry at least $1.25 million in insurance.
- Extended Validation (EV) - You might remember on some websites, the address bar would turn green and show the company name. While EV certificates no longer turn the address bar green. Modern browsers continue to show a normal padlock icon as this feature wasn't really used by users. However, EV certificates still have the strictest validation requirements and carry the highest insurance of $1.5 million. EV certificates can take up to two weeks to be issued. Besides verifying the domain, the organization will be more scrutinized, including verifying the person placing the SSL order is employed by the organization and is an active employee.
Which certificate do I need?
This is going to entirely be up to you and your needs. If you run an e-commerce store, you may want to use at least a DV paid SSL or OV SSL if you wish to have the higher insurance. You can also use a free SSL. Many organizations have switched to just using Let's Encrypt certificates without impact.
By default, NodeSpace will always issue a free SSL in certain situations:
- Your account is brand new. Once your domain is associated with your account, we will install a free wildcard certificate.
- Your free SSL will be expiring in 30 days. We will replace the cert with a new cert.
- Your paid SSL has expired. We will replace the expired cert with a free cert to ensure your visitors don't see SSL errors and your SEO is not impacted. Note: We only replace paid certs that have expired. We will not replace a paid SSL until it has expired. If you do not want us to issue a free SSL automatically, contact support to exclude your account or replace the paid SSL with an updated SSL prior to expiration.
If you're still unsure or have additional questions, our sales team can answer them for you. Send an email to [email protected].