SSL is a type of security extension that can be applied to websites. Short for Secure Sockets Layer, SSL is distributed as a certificate. There are three levels of certification: Domain Validation (DV), Organizational Validation (OV), and Extended Validation (EV), each offering more security than the last. Typically, these certificates are distributed via subscription model, where a company can pay a certain fee as often as they need—i.e. annually—according to their desired level of security. A process which, of course, can only develop provided they make it through the initial review process. However, there is another option. Free SSL is becoming a popular choice for websites in order to evade the cost of traditional SSL certification. That being said, each option comes with a variety of risks that make them virtually unsuitable for a majority of websites, especially ones which facilitate business transactions.
Risks of Free SSL
Typically Only Provide DV Certification
DV, or Domain Validation, is an entry-level website validation. When applying for DV certification—which is typically all that is required—the website owner responds to an email sent from the certificate provider. Yes, it’s true: DV certification is technically a legitimate level of SSL security. However, DV certification is also about as trustworthy as presenting your old library card to a club bouncer. DV certification only “verifies” the identity of the person running a website, usually by sending an email to whichever address is linked to the site. No information about the company is required. The flaws with this level of certification should be self-evident, but for the sake of comparison, even registering a Minecraft account requires a valid email, and personal information including date of birth, photographic captcha verification, and an exchange of codes between your email and the site. And the game isn’t free.
No Warranty Cover
Free SSL certificates hardly ever come with a warranty. Although the level of security this type of certificate can offer is insignificant enough that issues—when and if they come up—will usually be on your end, it is still possible for the certificate authorizer to experience malfunctions on their end, which includes, but is not limited to, hardware failure. In this event, without a warranty, you’re simply out of luck. Unfortunately, you aren’t backed by a guarantee of quality, since there was no exchange of currency, and thus no contract—written or otherwise. Paid SSL certificates, on the other hand, should and do always come with a warranty, and usually with surprisingly high payouts. sslrenewals.com states that paid SSL warranties typically pay out between $10,000 and $1.75 million.
Wildcard SSL Not Always Available
Since free certificates only offer DV authentication, as a consequence, they do not offer Wildcard SSL. Wildcard SSL is an extension of an SSL certificate (only available for OV and EV, never DV). The certificate, then, applies to all subdomains beneath the primary domain applied to the original certificate. For example, if you certify my.domain.com, you would have to pay to certify, at sites like payment.domain.com, forums.domain.com, etc. However, with Wildcard certification, you can apply SSL to all of the domains under the primary, certificate-holding domain. On account of free SSL above DV not being an option, you’ll have to manually certify every single one of your subdomains.
Not Suitable for eCommerce
Since free SSL certificates typically only allow for DV certification at most, your site will not be suitably secure if you wish to do business with it. DV certification does not offer sufficient encryption to protect important entities that travel between your site and the user, meaning that credit card information, and other sensitive data, often remain unprotected. Because of this, you are perpetually running the risk of suffering a major site security breach, the consequences of which could be extremely detrimental to your users. Even if you manage to limit the damage, your site’s reputation would most likely end up in the gutter after such a potentially catastrophic event. In this case, it’s infinitely wiser to simply avoid the risk entirely. If you intend to do business over your website, pay for an appropriate level of SSL certification.
Short Lifespan
Free SSL certificates tend to have a lifespan of only a few months (90 days is standard) before they must be renewed. Paid SSL certificates, on the other hand, generally last approximately one to two years. While it is technically possible to use a free certificate and renew it every 90 days, that would mean that you would have to go through the process at least four times a year, and if you forget or neglect to do so, your website will be considered “unsecured” in the interim. While this might not seem like much of a big deal, having an unsecured site can negatively affect your SEO (Search Engine Optimization) ranking, and could be quite a hit to your site’s online visibility.
Is There Ever a Good Reason to Use Free SSL?
If you do some of your own independent research online, you may come across several articles claiming that although free SSL is not suitable for most people, it can occasionally be a good solution for small-scale, non-business operations. However, let’s review the facts:
- The level of authentication provided is less than what is required by even most social media platforms
- If the company authorizing your certificate has a catastrophic failure, YOU’LL be paying for it
- You’ll need to renew multiple times a year, and because you don’t have access to Wildcard SSL, you’ll be doing so for every single one of your domains individually
For some people, perhaps those that are building a website as more of a proof-of-concept for an idea rather than a permanent entity, saving a few dollars on SSL might be something to consider. On the other hand, many certificate providers offer DV SSL for under $10 per year, OV SSL for under $30, and EV SSL for under $75. You may also have the option to purchase an inexpensive SSL certificate, including Wildcard, through your domain registrar. 101domain, for instance, offers EV SSL for under $90 per year, which comes with a $1 million warranty. Opting to use SSL through your registrar also means that you will have the support of the company behind you, should you need help.
Ultimately, the choice is yours. That being said, nothing is ever truly free. If you opt for an SSL solution that doesn’t cost you any money, you may risk it costing you heaps more later on—whether in time, energy, or clients. Be safe out there!
