Choosing the right SSL certificate can be a tricky process mostly because the industry uses confusing language and provides many similar sounding options. By the end of this article, you’ll be able to better understand the often cryptic meaning (no pun intended) behind the specifications for an SSL certificate and clearly differentiate between your options.
Before we get into the key differentiators between each type of SSL Certificate, the first question everyone asks is: what’s the difference between free certificates and paid ones? Why should I pay for an SSL certificate when I can get a FREE Let’s Encrypt certificate with Plesk? And those are great questions! Let’s do a quick comparison.
Advantages of the free Let’s Encrypt certificate
- It’s free
- It can be installed super easily (just a couple of clicks). Commercial certs have a lengthy installation process.
- It automatically renews every 90 days without your intervention (though if you do have any trouble, we’ve got a great guide to help you troubleshoot renewal of your Let’s Encrypt certificate). Commercial certs require manual renewal each year.
Disadvantages of the free Let’s Encrypt certificate
- You do not get a site seal that indicates “this site is secured by Let’s Encrypt”
- It supplies no warranty to protect your site’s visitors/customers.
Because of the lack of site seal and warranty, you may wish to consider a commercial certificate over a free one if you operate an eCommerce site or you’re storing sensitive data within your website. That said, we strongly recommend reading the info below to learn more about how Site Seals and Warranties affect your site.
Below you’ll find what we consider the 6 most important comparison points for SSL certificates. The core information in this article, which we’ve expanded upon, comes from Sectigo (previously known as Comodo CA), our primary commercial SSL provider.
1. SSL Validation Methods
There are three validation types: Domain Validation (DV), Organization Validation (OV), and Extended Validation (EV).
Cheaper or free SSL certificates, like Let’s Encrypt, use domain validation. With domain validation, the SSL issuer only checks that you control the domain and nothing more. This is done by sending an approval email to an email address that’s already associated with the domain, either by being listed on the domain registration WHOIS record or by being a ‘standard’ email address for the domain. For example, for the domain websavers.ca, most SSL certificate providers will let you send the approval email to one of the standard addresses the CA/Browser Forum rules permit (admin@, administrator@, hostmaster@, postmaster@ or webmaster@ at websavers.ca).
These certs are cheap or free, and most are issued within minutes. Check out the link above for the simplest and cheapest (free!) Domain Validated certificate option, Let’s Encrypt.
With organization validation the issuer verifies that you both own the domain and that you are actually a representative of your company. They’ll place the company contact information directly in the certificate so that savvy users who are curious about the certificate can look at it to confirm that the site they’re visiting really does belong to you.
The problem with organization validation is that the additional info within is only visible to tech-savvy visitors who actually want to look at the certificate. Most visitors aren’t going to notice a difference between Organization Validated SSL certificates and Domain Validated SSL certificates.
Extended validation is similar to organization validation; however, it doesn’t only show the organization information inside the certificate for tech-savvy visitors. It also shows your company name in the address bar. You’ve probably seen this on PayPal’s website and other larger companies. Look in the address bar and notice that it doesn’t just show that the website is secured, it also shows the name of the corporation that owns the site.
If you wish to have your organization show up in the address bar to put your visitors at ease when making purchases on your site, then an EV-SSL certificate is for you.
Please note: EV certificates have fairly in-depth requirements compared to other certificates. The issuer must validate that your company exists and has a physical location with manual verification. If you’re not prepared to undergo this extensive verification process, pick a different type of certificate.
2. SSL Certificate Warranty
This one confused me for quite some time. Most people think that the warranty refers to the amount of money that the SSL Issuer will pay you in lost sales if the certificate fails to function as it should. In actual fact the warranty refers only to the max that the SSL issuer will pay your website visitors if they are defrauded through a forged SSL certificate while making purchases on your website.
Due to the rigorous security of the SSL certificate issuance process, there are only a couple instances of fraudulent certificates every few years (it’s quite rare) and attackers generally target larger brands. However I suppose it could happen to anyone.
Unless you’re processing a massive amount of sales dollars through your website, I see little reason to pay attention to this particular stat.
Free Let’s Encrypt certificates have no warranty. Generally speaking, the more costly the cert, the greater the warranty coverage.
3. Wildcard SSL Certificates
Most SSL certificates will only secure a single subdomain at a time. For example, an SSL cert for websavers.ca will only secure www.websavers.ca and websavers.ca (most issuers include both names on the same certificate). If I want to secure clients.websavers.ca or ssl.websavers.ca then I need to buy a separate certificate for each… unless of course I buy a wildcard certificate.
These are typically more expensive, but they allow you to specify a domain like *.websavers.ca when requesting the certificate, which allows you to secure any number of subdomains across multiple servers (most of the time — there are some providers that will not work on multiple servers).
If you wish to secure more than one subdomain, be sure to order a wildcard SSL Certificate.
This is also an option for free Let’s Encrypt certificates available in Plesk (see link above), however renewal of wildcard Let’s Encrypt certificates may require frequent manual intervention, so we don’t recommend using them if you’re using Let’s Encrypt unless you are prepared to manually renew every 3 months. It’s far simpler to generate a certificate for each subdomain.
4. Dynamic Date Site Seal
The idea behind a dynamic date/time seal is that you can place a piece of code on your website that says your site is secure. When a visitor hits your website, the code checks in with the SSL certificate issuer and confirms that your SSL certificate is valid, displaying this status to your visitors.
This might sound great, but here’s why I think it’s a gimmick:
- Anyone could easily throw up any old image of a lock that looks like one of these site seals on their website and claim their site is secure. Because this undermines those using actual dynamic site seals, it basically makes the whole site-seal system meaningless.
- Your browser already indicates when the site is secure and likely does a much better job of it. It’s also comparatively difficult to fool a browser into thinking a site is secure when it’s not.
If you really want one of these things badly, then be sure you choose an SSL certificate that supports it, but if you have to pay more for a certificate just to get this functionality, I wouldn’t recommend it.
5. UC/SAN multi-domain support
UC/SAN certificates are usually quite expensive, but they do provide some interesting functionality. If you wish to secure multiple domains (not subdomains, but actually different domains like websavers.ca and myserver.ws) but you don’t wish to purchase an SSL certificate for each one, then a UC/SAN cert might be for you. As I understand it, companies like GeoTrust provide these certs wherein you can login to their panel and generate a certificate for a new domain (typically up to about 25 domains) at any time within the cert’s validity period.
This is also an option for free Let’s Encrypt certificates available in Plesk (see link above). Plesk will automatically create a multi-domain Let’s Encrypt certificate when you have domain aliases.
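To make the wildcard and multi-domain rules from sections 3 and 5 concrete, here is an added example (not code from the original article or from Plesk/Sectigo) that checks which hostnames a certificate’s name list covers, using the standard wildcard rules browsers apply: a `*` only counts as the whole leftmost label, it covers exactly one label, and `*.websavers.ca` does not cover the bare `websavers.ca`. The certificate name lists below are constructed samples, not real certificates.

```python
# Added example: hostname coverage of single-name, wildcard and UC/SAN
# certificates, following the RFC 6125 style matching rules that browsers use.
# The name lists are constructed samples, not real certificates.

def _labels(name: str) -> list[str]:
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def name_matches(cert_name: str, hostname: str) -> bool:
    """Match one certificate name (possibly a wildcard) against a hostname.

    Rules applied, all of which a browser enforces:
      - comparison is case-insensitive;
      - a wildcard is honoured only as the entire leftmost label, so
        "ssl*.websavers.ca" is not a wildcard and never matches;
      - the wildcard covers exactly one label, so "*.websavers.ca" matches
        "clients.websavers.ca" but neither "websavers.ca" nor "a.b.websavers.ca";
      - a wildcard needs at least two labels after it, so "*.ca" is rejected.
    """
    cert_labels = _labels(cert_name)
    host_labels = _labels(hostname)
    if "*" not in cert_name:
        return cert_labels == host_labels
    if cert_labels[0] != "*" or any("*" in lbl for lbl in cert_labels[1:]):
        return False
    if len(cert_labels) < 3:
        return False
    if len(host_labels) != len(cert_labels):
        return False
    return cert_labels[1:] == host_labels[1:]


def cert_covers(san_names: list[str], hostname: str) -> bool:
    """True if any name on the certificate matches the hostname."""
    return any(name_matches(n, hostname) for n in san_names)


def coverage_report(san_names: list[str], hostnames: list[str]) -> dict[str, bool]:
    """Map each hostname to whether the certificate's name list covers it."""
    return {h: cert_covers(san_names, h) for h in hostnames}


# Constructed sample name lists, mirroring the three certificate shapes in the text.
SINGLE_NAME_CERT = ["websavers.ca", "www.websavers.ca"]
# Wildcard certs normally also list the bare domain, because "*.websavers.ca"
# alone would not cover it.
WILDCARD_CERT = ["websavers.ca", "*.websavers.ca"]
SAN_CERT = ["websavers.ca", "www.websavers.ca", "myserver.ws", "www.myserver.ws"]

if __name__ == "__main__":
    hosts = ["websavers.ca", "www.websavers.ca", "clients.websavers.ca",
             "a.b.websavers.ca", "myserver.ws"]
    for label, names in [("single", SINGLE_NAME_CERT), ("wildcard", WILDCARD_CERT),
                         ("UC/SAN", SAN_CERT)]:
        print(label, coverage_report(names, hosts))
```

Running the block prints, for each sample certificate, which of the five hostnames it would secure; the single-name cert covers only the two names on it, the wildcard cert adds every one-level subdomain, and only the UC/SAN cert reaches the second domain.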
6. Key Strength / Encryption Strength
You’ve seen things like 128-bit encryption, 256-bit encryption, 2048-bit keys, 4096-bit keys, and it’s all very confusing. How can something be 256-bit and 2048-bit? What is a bit? Who is a bit? A bit what? A bit confused yet? The two numbers describe different keys: 2048 or 4096 bits is the size of the RSA public key in the certificate itself, which proves your server’s identity and sets up each session, while 128 or 256 bits is the size of the symmetric cipher key (such as AES) that each browser session negotiates to encrypt the actual traffic.
The world’s most powerful computer as of writing this can do 93,000 trillion calculations per second. So, to lean on an answer someone gave on how long it would have taken the most-powerful-computer-on-earth to crack 256-bit encryption, it would still take over three years. At which point your certificate would be expired (since they expire after either 1 or 2 years) and a whole new one would need to be generated, and those trying to crack it would need to start all over again.
And, let’s face it, if China, Russia, or the CIA have more powerful computers (did ya put on your tinfoil hat yet?) and they’re trying to crack your web browsing sessions, you’ve probably got bigger things to worry about than the level of encryption you’re using on your eCommerce site.
Long story short, since SSL certificate providers are in business to provide security services, it’s in their best interest to provide you with SSL certificates that are sufficiently secure. As computing power increases, so too does the encryption strength of certificates over time. Any certificate that’s still available for purchase from a legitimate source (like Comodo) is going to be strong enough to protect your website visitors.
Which do I choose then?
Here’s how we usually pick ’em:
- If you wish to simply secure registration or login to your site, use a DV SSL certificate (such as the free Let’s Encrypt certificate). They’re cheap or free, easy and quick to obtain.
- If you require a site seal to show customers who has protected your website, purchase a commercial DV or OV certificate.
- If you want to ensure your customers are protected by a warranty in the event there’s a failure with your SSL certificate, purchase a commercial certificate.
- If you wish to instill the utmost confidence in your visitors that your site is reliable and secure, and you have a registered corporation, then purchase an EV SSL certificate so they can clearly see your organization name in the address bar.
- If you’ve got more than a few subdomains to secure, pick up a wildcard SSL certificate so as to avoid paying for a certificate for each individual subdomain.
Do you have additional information on SSL certificates that could help our visitors in making a decision? I’d love to hear about it! Use the comment form below to tell me all about it.