Disclosure: This post contains affiliate links. I may receive compensation when you click on links to products in this post. For an explanation of my Advertising Policy, visit this page. Thanks for reading!
Why pay for an SSL certificate when I can get one for free?
The main reason why you should pay for an SSL certificate is the liability protection. Paid SSL certificates provide for much better liability protection than any free version ever could. In fact, many payment processing companies won’t even approve an application to use their services unless you do have some form of liability protection.
This is because in the event of hacking or other intrusions where a data breach occurs and customers payment details are stolen, you will be insured based on the warranty level of your SSL certificate..
Free SSL certificates, since they are “free” as are usually issued by non-profit SSL certificate authorities (CAs). The most popular of these is of course, “Let’s Encrypt”, which provides SSL/TLS. Free SSL certificate do not offer any liability protection whatsoever and may cause payment processing companies to reject your application, if say, you want to open an eCommerce store for example.
However, there are other situations where third-party, paid SSL certificates are also normally necessary:
One such situation would be an Extended Verification or “EV” SSL certificate. That’s the SSL certificate that gives the little green bar in the browser that has a business is legal name. It’s a great way to establish trust with the user.
There are a few more reasons why you would pay for an SSL certificate. However, they mostly come down to Warranty and Extended Validation (EV).
This certificate provides certain levels of financial liability protection.
Whether or not you need this level of financial liability protection depends of course on what kinds of financial transactions will take place on your website, the values of those transactions and of course, the payment processing company you choose to do business with.
In fact, each of the paid SSL certificates below and the levels of liability protections they provide will also be dependent on the kinds of financial transactions will take place on your website, the values of those transactions and of course, the payment processing company you choose to do business with as well.
Extended Validation (EV).
Vendors such as Sectigo or Comodo, issue EV SSL certificates that verify your business as a real and genuine organization.
Extended Validation certificates will actually say the business name and that it was verified, instead of just saying “Secure” and/or just showing a lock.
If you want to see some examples of this in action just go to Paypal.com or Citi.com (Citibank). You’ll typically see this:
If you go to a site with a simple free SSL, the company’s name usually won’t be included in the certificate.
Also other providers will generally give insurance for issues that arise due to the SSL, or things like vulnerability testing. It all depends on who you get the SSL certificate from.
Then the other is just the life of the SSL. Let’s Encrypt is 90 days, then you have to renew, but that can now be automated, usually with a simple plugin. Other SSL certificate providers are paid for a year or more at a time.
For example, when you see a green padlock before a URL (and not just a simple padlock) and click it, you’ll see the SSL information for that website.
Warranty.
Certificates you buy also come with certain levels of warranty. These warranties are associated with transactions.
If for some reason there is a breach and your customer’s sensitive data has been compromised and caused financial loss or damages, the vendor who issued the EV certificate will compensate them up to a certain amount depending on the certificate purchased and its warranty.
Some people who run eCommerce stores will buy an EV for the warranty alone.
In fact, more businesses who conduct transactions where sensitive consumer data is passed through their websites servers should look at the warranty if they’re serious about conducting business online.
For example on Comodo, a one year EV SSL Certificate is $179.99/year and provides a $1,750,000 warranty should something go wrong.
Even when sites use Sagepay and Paypal to handle payments, they still may take enough customer details to make them liable for any losses due to a security breach.
How do paid SSL certificates offer better protection?
Paid SSL certificates don’t necessarily offer better encryption protection. However, they do offer some degree of liability protection depending on the SSL certificate you get.
Paid SSL certificates however, do provide the user who’s viewing your website through their browser that your website is secure and has been verified by a Certificate Authority.
This way your user can feel more confident in conducting transactions over your website since they know through the certificate that your website is legit and not some scam or phishing website.
As far as encryption is concerned, again, paid SSL certificates offer no stronger encryption than free SSL certificates like Let’s Encrypt. That’s not to say that all SSL’s offer the same encryption protection.
There are many SSL certificate vendors that offer additional encryption for things like email etc. That can also add an extra level of protection to your website.
Why do some paid SSL certificates cost more than others?
The price of an SSL certificate usually depends on the type of certificate, the reputation of the issuer, the verification process and more importantly its warranty.
When you buy an EV certificate, you also pay for a warranty which will cover some cases of fraud related to certificates. The higher the warranty, the higher the price.
You really have to read all the fine print of the contract to know exactly what you are buying. It is safe to say though that a $2500 certificate comes with a more comprehensive warranty than a $179.99 certificate.
These prices don’t reflect much of the operating costs, but depending on the EV certificates you have chosen, there will be much stricter verification of identity before the certificate is issued.
This verification involves more information requested from the customer and possibly at the actual people looking at the provided information.
Also the vendor’s servers need to be operating around the clock, even at higher loads because all current browsers will check for revocation before connecting to EV protected sites. The costs of server administration alone can be quite heavy.
They will also refuse if the revocation status can’t be determined. In addition, there will probably be staff available 24/7 in case an emergency revocation (which may involve issuing a new certificate) is necessary.
The two main functions of paid EV SSL certificates are basically:
- Securing online transactions and private information which is transmitted between a web browser and a web server.
- Trust, an EV SSL is used for increased customer confidence. An EV SSL proves a secure session of your website, it means your customer can trust your website.
Each certificate has its own validation procedures. By following these procedures, the Certificate Authority validates a business’s reliability and sends a certificate for the website.
Pricing therefore can also reflect the authentication process and levels of trust.
For example, an EV SSL validates many components of identifying a domain and business information.
The main difference is the trust factor and brand reputation. If your customers see the green address bar in their browser, then they may feel more secure and encourage them to make transactions.
A cheap or free SSL certificate only validates a domain’s authority and authenticates it using the approver email verification system. An Approver can easily get this certificate in just minutes with a generic email address like Gmail.
Otherwise, in most cases, a certificate’s warranty explains differences. Certificate Authorities can provide an extended warranty from $1K to $2M or even more against mis-issuance of an SSL certificate.
Expensive EV SSL Certificates also sometimes offer a dynamic seal. This is a dynamic image which is displayed on a website that shows the current time and date of when the web page was loaded.
This indicates that the seal is valid for the domain it is installed on and is current and not expired.
When the image is clicked, it will display information from the Certificate Authority about the website’s profile which validates the website’s legitimacy.
This again will give visitors of the website increased confidence in the website’s security.
Types of paid SSL Certificates.
There are 3 main types of paid SSL Certificates. These vary in cost, with a Single Domain EV SSL Certificate normally being the cheapest.
Single Domain
Secures both www and non-www versions of your domain
Wildcard
Secures all subdomains for a single domain including www and non-www versions.
Multi Domain
Most of Certificate Authorities give 3-5 domains with their basic price plan
You need to pay per additional domain.
Are Free SSL Certificates Safe?
Free SSL certificates are just as safe as Paid SSL certificates. If you look at Let’s Encrypt’s free SSL certificate, it gives you an SSL certificate as safe as any other paid SSL certificate.
However, the most common free SSL Certificate “Let’s Encrypt” only issues certificates that are valid for 90 days. In the past when the free Let’s Encrypt SSL Certificate came out, this was the number one complaint users had.
I mean, who wants to have to renew an SSL every 90 days or else face lapses in coverage right?
Well, nowadays renewal frequency isn’t an issue as this process can be automated. Anyways, Let’s Encrypt is now automated. So setup is now much easier.
Some even argue that Let’s Encrypt is more secure. At least in one major way. Your private key is generated on your server and never leaves it.
Is a paid SSL certificate more secure than a free SSL certificate?
Free SSL certificates like Let’s Encrypt are no more secure than paid SSL certificates.
At first I believed that a paid SSL certificate would be more secure than the free “Let’s Encrypt” certificate, but the more I looked into it, I found that this wasn’t the case at all.
They actually provide the same level of encryption.
In fact, the “level of encryption” is more a function of your own Web Hosting Provider’s servers, than anything else. You can spend thousands of dollars on an EV certificate and still score an “F” on the Qualys SSL Labs test.
How do I get a trusted SSL certificate?
There are many trusted SSL Certificate providers out there. So always go with those who have been around the longest and are the most reputable. My top three SSL Certificate Providers are:
Why pay for an SSL certificate? Paid SSL conclusions.
Unless you need an Extended Validation or a Wildcard for liability or trust issues, there’s no real benefit to a paid SSL option. If you have a simple content related site then a free SSL is good.
However, at the very least, if you have an eCommerce site, a paid EV SSL Certificate will showcase your company’s name in the browser’s address bar and as a result your customer will trust that your website is an authorized domain.
This will hopefully not cause them to hesitate when conducting a transaction where their sensitive financial information needs to be passed along for purchases for example.
So, let’s summarize why and when you should and should not pay for an SSL certificate:
- If you just have an ordinary non-commercial website, just go with the free, “Let’s Encrypt” SSL certificate.
- If you have a business ecommerce site with any automated financial transactions like commercial carts, a billing system, just go ahead and pay for an EV SSL certificate.
It depends on the level of SSL.
In the end, an SSL doesn’t make your site secure. It makes the data sent to and from your site secure. This will protect data from being taken.
However, it won’t have any impact on Brute Force attacks or any other website hacking attempts.
SSL certificates will also not protect you against security holes in WordPress themes or plugins, so make sure they are always updated.
