Martin Spreer
Operations Manager

Why You Should Rethink a Free SSL Certificate

Security on the Internet is important and is becoming ever more important in the face of increasing cybercrime! SSL certificates are a central component of a security concept for websites and domains. SSL stands for Secure Sockets Layer. SSL certificates guarantee the authenticity of a website through a special validation and issuing process carried out by the Certificate Authority. In this article, we would like to compare and contrast free certificates with fee-based products.

Why SSL Certificates Are Important

There are many good reasons for websites to provide a secure and encrypted connection. Security is on people’s minds as soon as any digital data is transmitted, and the more websites that provide encryption, the better for global web security.

Public-facing websites, as well as any other services, should use SSL Certificates to provide encryption and to guarantee smooth and seamless operation without being challenged by nasty browser error messages complaining that the connection is not secure.

There Are SSL Certificates for Free! With Automation!

In terms of pure encryption, a free SSL Certificate does precisely what it’s supposed to do: it provides an encrypted connection between your browser and the domain or hostname. Free certificates also contribute a lot to encrypting the web on a large scale. Automation reduces administrative tasks to a bare minimum: once configured, the certificate is automatically replaced with a fresh one as soon as its lifetime ends. Encrypted forever, until the website is taken down.

Technically there’s no real difference between free and commercial SSL Certificates that rely only on Domain Validation (DV). For both, only the Domain Control Validation (DCV) is performed: via a file on the web host, a resource record in DNS, or an approval mail.

We can only confirm that the website owner has control of the connected domain – but we don’t know who that is. Free SSL Certificates can be ordered and issued anonymously. You don’t know the identity of the person, organisation or entity that is controlling the domain itself, making it impossible to determine if it’s trustworthy or not. In most applications this is fully sufficient, in particular where trust comes out of context: you wouldn’t expect your provider to show a bad link pointing at a phishing site. As long as you’re moving within the services of a trusted provider and as long as there’s encryption, there’s no real need to worry about the certificates in use.

Free SSL Certificates Used for Abuse

The real downside is that today such automated free SSL Certificates are widely used for phishing. Fake websites with HTTPS asking for login or payment information often fool us into believing they are legitimate, not least because our browser doesn’t show a warning. Unfortunately, there are countless phishing websites out there, all nicely secured by a free SSL Certificate, yet none of them are legit.

If we try to track down scammers, we’re going to have a hard time finding out who is behind the fraud. The website? Hosted anonymously. The owner of the Certificate? Anonymous as well.

Increased Trust through Commercial SSL Certificates

An SSL Certificate is provided by a so-called Certificate Authority (CA), and we can differentiate between commercial CAs like DigiCert and Sectigo, selling commercial SSL Certificates, and free CAs like Let’s Encrypt, providing SSL Certificates free of charge.

The real difference is that for commercial SSL Certificates the buyer is known. Not publicly, but the provider where the certificate has been ordered knows their customer. In addition, commercial CAs also check on abuse reports for websites using their products – they have a legitimate interest in making sure their products are used legitimately and within their Terms and Conditions.

Thus, a website secured by an SSL Certificate issued by a commercial CA is a strong indicator of a legitimate service.

Extensive Trust through Organisation and Extended Validation

We learned that commercial SSL Certificates are typically not chosen for abuse, thus adding to trust. Still, an anonymous SSL Certificate won’t easily tell us who owns the website. But what about providing information about the identity of the owner of the website to the public?

This is where Organisation Validation (OV) and Extended Validation (EV) SSL Certificates come into play.

When an OV SSL Certificate is ordered, the CA performs a manual check on the organisation itself. In addition, orders for EV SSL Certificates also require manual authentication of the person who owns or is a legitimate representative of the organisation. Only if these checks are passed successfully will the Domain Control Validation be performed. This step can be automated and uses the same technical methods as for DV SSL Certificates: file, DNS or email.

The clear benefit is confirmability: a visitor to a website secured by an OV or EV SSL Certificate can check for the owning organisation, which greatly increases trust. A big win for both visitor and website owner. The higher the security, the greater the trust and certainty that a website is a legitimate and serious service. An increase in customer trust in your services can lead to many benefits for your business.
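The check a visitor can make, as an added example that is not code from this article: the Python below reads the subject of a certificate, in the dictionary shape returned by `ssl.SSLSocket.getpeercert()`, and reports whether it names an owning organisation. The subject-field rule is an assumption of this example and the sample certificates are constructed, not taken from real sites.

```python
import socket
import ssl

# Subject attributes an EV certificate carries on top of organizationName.
EV_ONLY = {"businessCategory", "jurisdictionCountryName", "serialNumber"}


def subject_fields(cert):
    """Flatten the nested subject tuples of a getpeercert() dict."""
    fields = {}
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            fields.setdefault(name, value)
    return fields


def validation_level(cert):
    """Return (level, organisation); level is 'DV', 'OV' or 'EV'.

    Heuristic (an assumption of this example): a DV subject has no
    organizationName, an EV subject adds the EV_ONLY attributes.
    getpeercert() does not expose the policy OIDs, so they are not used.
    """
    fields = subject_fields(cert)
    org = fields.get("organizationName")
    if not org:
        return "DV", None
    return ("EV" if EV_ONLY.issubset(fields) else "OV"), org


def fetch_cert(host, port=443, timeout=5):
    """Fetch and verify a live server certificate (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample subjects, not taken from real certificates.
DV_CERT = {"subject": ((("commonName", "shop.example"),),)}
OV_CERT = {"subject": ((("countryName", "DE"),),
                       (("organizationName", "Example GmbH"),),
                       (("commonName", "shop.example"),))}
EV_CERT = {"subject": ((("businessCategory", "Private Organization"),),
                       (("jurisdictionCountryName", "DE"),),
                       (("serialNumber", "HRB 000000"),),
                       (("countryName", "DE"),),
                       (("organizationName", "Example GmbH"),),
                       (("commonName", "shop.example"),))}
```

For a live site, `validation_level(fetch_cert(host))` returns the same tuple; a result of `("DV", None)` means the certificate proves domain control only and says nothing about who operates the site.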

Reselling Commercial SSL Certificates

Now that we have underlined the importance of encryption and dived into the differences between free and commercial SSL Certificates, we’d like to touch on the business side.

Today, offering web hosting packages with encryption is a must-have. But free SSL Certificates don’t add to your revenue, at least not directly. They are a good starting point for upselling to commercial SSL Certificates, which directly add to your revenue. But where to start?

Let’s imagine a web hosting package that comes with a free SSL Certificate by default – perfect for private websites and projects – and, for professional websites, adds the option to order a commercial SSL Certificate. There is a good number of different products out there, so provide a small number of alternatives that fit your client base: a free SSL Certificate as default, an OV SSL Certificate for commercial websites which handle personal information, and an EV SSL Certificate for websites where payment data is processed.

Offering such products to professionals increases the value of your hosting products. Take the step and extend your offering, covering all purposes requiring a proper and fitting SSL Certificate: small private websites, services that handle personal data, up to web shops with payment gateways.

There’s Money in It!

Commercial SSL Certificates, especially OV and EV SSL Certificates, come at a higher price point, making it easy for you to add a healthy margin. Expand your business by offering high-value products, upgrading your services and extending your offering.

Being a direct partner of the largest CAs, we’re able to offer you favourable and competitive conditions, backed by providing all required actions via our API and Control Panel. Our experienced and skilled team gladly assists you with all questions, from the first ideas and concepts, through integration and testing, to day-to-day business in successfully selling.

Take the next step and become a Reseller for SSL Certificates. Reach out to us for a personal quote and with any questions that you have.