Nowadays, internet security and SSL go hand in hand.
We have already established why SSL is the future in our HTTP vs HTTPS article. As a quick reminder, SSL stands for Secure Sockets Layer. In very simple terms, it confirms your website's identity to your visitors. With that out of the way, we want to dive into everything you need to know when choosing your SSL certificate. There is plenty to consider, but nothing is more important than picking between free and paid certificates. Paid certificates come with a multitude of different benefits, like a warranty and additional layers of authentication.
The SSL certificate landscape might seem daunting at first, as there are so many different products to choose from. To distinguish between them, one has to know the fundamentals. Otherwise, it would be easy to fall for the classic marketing ploy instead of getting value for your money. To figure out what is good and what is not, let us take a closer look at the whole process.
Certificates play a small, yet crucial role. As mentioned above, they help to confirm your identity to whoever visits your website. In other words, certificates make sure you are not impersonated by bad actors. They do so with the help of the Certificate Authority.
Certificate Authority (CA)
As you might have guessed, the Certificate Authority provides you with the SSL certificate, which you then install on your website. Afterward, a visitor's browser confirms that the certificate is genuine and was issued by a trusted CA. This is how the browser sets up a secure connection; if the check fails, the connection goes no further and a security warning pops up. What is important here is that once this authentication is complete, there is no further need for the certificate.
Now, you might ask why Certificate Authorities distinguish between paid and free certificates at all. All certificates a CA issues, without exception, have to adhere to the industry-standard Baseline Requirements. This official document lists every requirement a CA must meet to be considered legitimate. Notice that it says nothing about a difference between paid and free. That is no coincidence: in function, there is no difference between the two. All certificates absolutely must adhere to these requirements. Thus, it is safe to conclude that money does not make a certificate perform its main function any better. So what does money buy you? To answer that question, we need to look at the different certificate types.
There is a wealth of different certificate types, some free and some paid.
Domain Validation certificates (DV)
This is the basic certificate we described above. Validation is automated: the CA verifies that the domain is properly registered and that its administrator approves the request. To complete the authentication process, webmasters must either set up a DNS record or approve the request over email. Since the process is automated, it does not take long; the average wait time is between a few moments and an hour. These certificates are usually free of charge even from commercial CAs, though on a trial basis.
Examples of CAs providing DV certificates:
- Free: Let’s Encrypt, CloudFlare, sslforfree
- Commercial: Comodo, GeoTrust
Organization Validation certificate (OV)
This is DV's main competitor, provided exclusively by commercial CAs. You pay extra for a more thorough authentication process: here, human agents confirm the domain ownership. Additionally, as the name suggests, an Organization Validation certificate verifies the company's name and where it is based (country and city). On top of the DV checks, an OV certificate needs extra information in the form of documentation to corroborate the company's identity. Considering that the check is more thorough, the process takes longer: somewhere between a few hours and a few days.
Examples of CAs providing OV certificates: Symantec, DigiCert, GlobalSign
Extended Validation Certificates (EV)
Extended Validation is the most expensive option. On top of checking your organization's name and country of origin, it also confirms that your business is a legal entity. Therefore, it requires you to provide your business information as evidence, in addition to confirming your domain ownership. Moreover, EV changes the standard grey HTTPS padlock to green and displays your firm's name next to it. In the case of Apple's Safari browser, it completely replaces the URL in the address bar with your company's name. Needless to say, it is great for branding purposes. As this is the most exhaustive option, the verification process might take days, sometimes weeks.
It should be said that even the most diligent authentication process is not bulletproof, as was proven by researcher Ian Carroll, who managed to fool the EV process. Factor that in when making your choice. Another disclaimer concerns the handy branding indicator we mentioned: it has either already been removed, in the case of Safari, or is soon going to be, in the case of Chrome and Firefox. To wrap things up, let us take the time to read a few statements from the largest tech companies:
“Through our own research as well as a survey of prior academic work, the Chrome Security UX team has determined that the EV UI does not protect users as intended (see Further Reading in the Chromium document). Users do not appear to make secure choices (such as not entering password or credit card information) when the UI is altered or removed, as would be necessary for EV UI to provide meaningful protection. Further, the EV badge takes up valuable screen real estate, can present actively confusing company names in prominent UI, and interferes with Chrome’s product direction towards neutral, rather than positive, display for secure connections. Because of these problems and its limited utility, we believe it belongs better in Page Info.”
“In desktop Firefox 70, we intend to remove Extended Validation (EV) indicators from the identity block (the left hand side of the URL bar which is used to display security / privacy information). We will add additional EV information to the identity panel instead, effectively reducing the exposure of EV information to users while keeping it easily accessible.”
“Org name is not tied to users' intended destination the same way that the domain name is”
This is critical information, as some vendors still promote this feature in their marketing materials even though it is being removed soon. Speaking of shady promotion, we should discuss encryption.
Encryption is managed by the server configuration your system administrator handles; the SSL certificate has no bearing on how data transferred over the connection is encrypted. Therefore, if you come across a commercial CA that promises superior encryption, avoid them like the plague.
Free CAs do not provide insurance of any kind. Many commercial vendors, on the other hand, offer substantial warranties ranging from $10,000 to $1,500,000. There are three main scenarios they all cover: incorrect information in the certificate, disclosure of a private key by the CA, and certificate fraud that leads to a financial loss on the part of your website visitors.
We know from before that all Certificate Authorities must follow the Baseline Requirements, which makes the first scenario very unlikely. Scenario number two is outright impossible, since at no point should you share your private key with your CA. That leaves us with the most common scenario, which does occur often enough: an attacker tricking the CA and getting hold of a customer's information.
Since it is standard nowadays to have a non-disclosure agreement attached to any settlement, it is almost impossible to get statistical data on how often businesses are actually reimbursed under these warranties. The only thing we can point to is the commercial CAs' terms and conditions. If you go through them carefully, you quickly realize that their language is designed to minimize exposure to any potential claim, which means it would be difficult to prove the CA's negligence.
Certificate longevity is crucial when choosing between free and paid certificates. Free certificates have a lifetime of 90 days; Let's Encrypt has published a statement explaining the thinking behind this. With commercial CAs, you do not have to renew your certificates every 90 days. Basically, money talks when it comes to SSL certificates, especially if you manage multiple subdomains.
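To make the DV/OV/EV distinction and the 90-day lifetime concrete, here is an added Python example (not from the original article or from any CA) that classifies a certificate by which subject fields the CA was willing to assert and works out how many days remain before it needs renewing. It operates on dictionaries in the shape `ssl.getpeercert()` returns; the three sample certificates are constructed, the EV attribute names are assumed to appear under OpenSSL's long names, and the 30-day renewal threshold is an assumption rather than something the article states.

```python
import ssl
import time

# Subject fields that only appear after a CA vetted the organisation (OV) or,
# for EV, its legal existence. Assumption: EV fields use OpenSSL long names.
OV_ATTRS = {"organizationName"}
EV_ATTRS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}
RENEW_WITHIN_DAYS = 30  # assumed renewal threshold, not taken from the article
DAY = 86400

def subject_attrs(cert):
    """Flatten the getpeercert() subject (tuple of RDN tuples) into a dict."""
    return {name: value for rdn in cert["subject"] for name, value in rdn}

def validation_level(cert):
    """Infer DV / OV / EV from which subject fields the CA filled in."""
    present = set(subject_attrs(cert))
    if EV_ATTRS <= present:
        return "EV"
    if OV_ATTRS <= present:
        return "OV"
    return "DV"

def lifetime_days(cert):
    """Whole days between notBefore and notAfter (90 for a free DV cert)."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - start) // DAY

def days_left(cert, now=None):
    """Whole days until notAfter, measured from `now` in epoch seconds."""
    now = int(time.time()) if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) // DAY

def report(cert, now=None):
    """What an operator wants at a glance: level, lifetime, renewal status."""
    left = days_left(cert, now)
    return {"level": validation_level(cert), "lifetime": lifetime_days(cert),
            "days_left": left, "renew_now": left <= RENEW_WITHIN_DAYS}

# Constructed samples in the shape returned by ssl.getpeercert(); not real certs.
DV_CERT = {"subject": ((("commonName", "shop.example.com"),),),
           "notBefore": "Mar  1 00:00:00 2021 GMT", "notAfter": "May 30 00:00:00 2021 GMT"}
OV_CERT = {"subject": ((("countryName", "US"),), (("organizationName", "Example Corp"),),
                       (("commonName", "www.example.com"),)),
           "notBefore": "Jan  1 00:00:00 2021 GMT", "notAfter": "Jan  1 00:00:00 2022 GMT"}
EV_CERT = {"subject": ((("jurisdictionCountryName", "US"),), (("serialNumber", "1234567"),),
                       (("businessCategory", "Private Organization"),), (("countryName", "US"),),
                       (("organizationName", "Example Corp"),), (("commonName", "www.example.com"),)),
           "notBefore": "Jan  1 00:00:00 2021 GMT", "notAfter": "Jan  1 00:00:00 2022 GMT"}
```

Calling `report(cert)` on the dictionary returned by a live `SSLSocket.getpeercert()` gives the same summary for a real connection.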
We hope that armed with this information you will be able to make the right choice when it comes to picking an SSL certificate. If you need more information on SSL certificates, feel free to contact us or start a chat. We would be delighted to hear from you.