A few weeks ago, we got a call from a client who was getting the "shakedown treatment" from their SSL provider, demanding big bucks (several thousand dollars) for renewal. Needless to say, they were very happy that we offered free SSL certificates through Google Cloud Platform.
While we won't go into details regarding which SSL provider (or Certificate Authority/CA) was doing this, suffice it to say that if you get a letter or email stating that your SSL Certificate renewal is going to cost a ton of money, run, don't walk, to another provider—and if you're able, look at free alternatives.
If you're not aware, here's a primer on the "Always on SSL" initiative explaining what SSL is and why it's so important not only to website visitors but also to marketers.
Free vs. Paid SSL Certificates
In general, free certificates are only Domain Validated (DV), because domain validation can be fully automated. Organization Validation (OV) and Extended Validation (EV) certificates, which are paid, require human review to process the extra levels of validation.
Most free certificates (including ours at this point) are issued through Let's Encrypt, the first major initiative by the Internet Security Research Group, a nonprofit organization sponsored/supported by major internet players including Google, Mozilla, Akamai, Cisco, and many others. These certificates are automatically provisioned and renewed every 90 days and, once set up, do not need further attention. They provide the same level of encryption that paid certificates offer, but the only "proof" they use that you are who you say you are is your ability to demonstrate control of your domain, which is usually enough.
Certificates for websites we host are provisioned and managed by Google on a per-domain basis after we have performed proper domain verification. Google operates as a Root Certificate Authority and has also purchased existing Root Authorities to start independently issuing certificates. To that end, they also operate a trust service, which is independently audited under WebTrust. We expect that our current Let's Encrypt issued certificates will be automatically migrated to native Google issued certificates at some point in the future.
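The practical difference between DV and OV/EV described above shows up in the certificate's subject: a DV certificate names only the domain, while OV and EV certificates carry the verified organization. The following is an added example, not code from the original post or from Google or Let's Encrypt: a standard-library Python inspector that works on the dict format `ssl.SSLSocket.getpeercert()` returns, classifies the validation level, and reports how many days remain before the 90-day (or one-year) expiry. The two certificates and the "today" timestamp are constructed for the example; the issuer name "Example Paid CA" is a placeholder.

```python
"""Added example: classify a TLS certificate as DV / OV / EV and report
days until expiry, using only the dict format that
ssl.SSLSocket.getpeercert() returns. Standard library only.
Sample certificates below are constructed, not real."""
import ssl
import socket

# Constructed sample: a DV certificate. The subject carries only the domain;
# the only "proof" is that the requester demonstrated control of that domain.
SAMPLE_DV_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Let's Encrypt"),),
        (("commonName", "R3"),),
    ),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 31 00:00:00 2024 GMT",  # 90-day lifetime, as Let's Encrypt issues
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
}

# Constructed sample: an OV-style certificate. The CA verified the organization
# and placed its name in the subject; that review is what the paid tiers buy.
SAMPLE_OV_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("stateOrProvinceName", "New York"),),
        (("localityName", "New York"),),
        (("organizationName", "Example Corp"),),
        (("commonName", "shop.example.com"),),
    ),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Paid CA"),),  # placeholder CA name
        (("commonName", "Example Paid CA OV Issuing CA"),),
    ),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "shop.example.com"),),
}

# Constructed "today" for the samples: 30 days before the DV cert expires.
SAMPLE_NOW = ssl.cert_time_to_seconds("Mar  1 00:00:00 2024 GMT")


def name_fields(name) -> dict:
    """Flatten getpeercert()'s tuple-of-RDN-tuples into a plain dict."""
    fields = {}
    for rdn in name:
        for key, value in rdn:
            fields[key] = value
    return fields


def validation_level(cert) -> str:
    """DV subjects name only the domain; OV adds the verified organizationName;
    EV additionally requires businessCategory (plus jurisdiction fields).
    The authoritative EV marker is a policy OID in certificatePolicies, which
    getpeercert() does not expose, so "EV" here means "EV-style subject"."""
    subject = name_fields(cert.get("subject", ()))
    if "organizationName" not in subject:
        return "DV"
    if "businessCategory" in subject:
        return "EV"
    return "OV"


def days_until_expiry(cert, now: float) -> int:
    """Whole days left before notAfter; negative once the certificate has expired."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((expires - now) // 86400)


def covered_names(cert) -> list:
    """DNS names the certificate is valid for (the subjectAltName extension)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def summarize(cert, now: float, renew_within_days: int = 30) -> dict:
    """What a site owner wants to know before a renewal notice arrives."""
    issuer = name_fields(cert.get("issuer", ())).get("organizationName", "unknown")
    days = days_until_expiry(cert, now)
    return {
        "issuer": issuer,
        "validation": validation_level(cert),
        "names": covered_names(cert),
        "days_left": days,
        "renewal_due": days <= renew_within_days,
    }


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch a live server's certificate in the same dict format (needs network;
    not used by the constructed samples above)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for sample in (SAMPLE_DV_CERT, SAMPLE_OV_CERT):
        print(summarize(sample, SAMPLE_NOW))
```

To check a site you operate, replace the samples with `fetch_peer_cert("your-domain.example")` and pass `time.time()` as `now`; a DV result with a Let's Encrypt issuer and `renewal_due` flipping to true every couple of months is exactly the automated 90-day cycle the post describes, and nothing that should ever come with an invoice.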
The least expensive PAID certificates we've found are through GoDaddy. They offer paid DV certificates as well as OV and EV certificates, along with liability coverage.
Why Would You Pay for an SSL Certificate?
There are a whole host of reasons to pay for an SSL Certificate:
- Your company requires its certificate to be issued by specific vendors or at an OV/EV level
- You need a certificate for secure email or other things that a DV will not cover
- You need to support legacy hardware/software that is not compatible with free certificates
- You are a large retailer who finds an "edge" by having your organization name displayed in the browser's address bar (how some browsers present EV certificates)
- You are storing extremely sensitive information and want the liability insurance
- You want a well-known Certificate Authority (once more of a thing, now not so much)
The vast majority of our clients do not need OV or EV certificates. They simply need free DV certificates, which provide the same level of security, are compatible with all major browsers and devices, and are truly free.
When we migrated our clients' websites to Google Cloud Platform, we kept existing paid certificates and issued free certificates to any client who did not have a certificate. As client certificates are coming due, we are asking in advance if they'd like to convert to the free alternative, but this latest stunt our client told us about surprised us and prompted this post.
Please feel free to ping us if you'd like to switch over prior to your certificate expiring or if you get a nasty-gram from your SSL provider trying to lighten your wallet.
Have additional questions? Contact us.
Thanks and be well,
~Your Friendly Animus Rex Team