opinion

Fast, Free and Easy SSL: Don't Pay Big Bucks for Certificates

Fast, Free and Easy SSL: Don't Pay Big Bucks for Certificates

The time has come to stop paying for SSL certificates! Except for a few edge or convenience cases, there are multiple great options for free SSL certificates. Not only do these options save money, but by understanding the requirements and capabilities of the modern SSL ecosystem, you can also improve your sites’ security and reduce (or eliminate) the annoying manual tasks of reviewing SSL certificates.

The origin of the SSL certificate dates all the way back to the dark ages of the web. Back in the heady days of 1995, with its dial-up and Netscape, the internet had a problem; it was a decentralized, trust-free network where everybody could get online and share information. Of course, it didn’t stay that way; it became a digital commerce powerhouse (on which we now rely).

There are still a small handful of use cases for paid certificates, such as difficult-to-update systems.

Cryptography tried to create trust on the web, except cryptography only secured connections between surfer and server. It made connections impervious to snooping, but it didn’t actually guarantee that a surfer connected to the website they intended to visit.

Enter the SSL: a pure digital signature proclaiming the identity of a site operator. By itself, all it provides is proof that the server that a user is connected to is under the same control as the owner of the SSL certificate.

In the beginning, authorizing an SSL certificate meant an audit by an independent SSL auditing firm, which would attest to the physical person behind a site, their city and country, their business incorporation, and so on. It was a good (great) time for auditors since they would charge thousands of dollars for a single certificate. There’s a reason big sites were the only ones using SSLs at the time.

Time went on until the domain validation SSL was born; it proves that the website you’re visiting is really in the domain owner’s control. This validation is easy, because when the SSL is issued, all the site owner needs to prove is ownership of the domain name. This process is fast and a computer can do the actual validation with little or no human interaction. As a result, the big SSL providers dropped their prices to near zero because of the savings from automating the process … haha, no they didn’t! In fact, they charged almost as much for DV SSL certificates as they had been, and pocketed the profits

Into the 2010s, SSL certificates remained annoyingly expensive. Some vendors tried to make more expensive “extended validation” SSLs that would turn the browser bar green. These were supported for a few years, but the browser vendors wised up, and EV SSLs are completely worthless now. Seriously, if you still have an extended validation SSL, it’s time to drop it.

Then, 2014 came along and a few things happened. First, Disney released “Frozen,” and the song “Let It Go.” Despite the common misconception, this song was not about a magical princess, but rather an instruction to site owners paying for SSL certificates: let it go. Also, after years of lobbying by the Electronic Frontier Foundation and Mozilla (the makers of Firefox), the board that sets the standard for SSLs finally approved “Let’s Encrypt,” a totally free certificate authority that would issue an SSL on demand ... for free!

Oh, and Google added SSL to its ranking algorithm, which probably had nothing to do with website operators adopting SSL en masse…

When Let’s Encrypt launched, not all modern browsers supported it (and no older browsers did). Also, to appease the existing SSL providers, they could not issue wildcard SSL certificates (where one certificate covers a.example.com and b.example.com). Even worse, their certificates were limited to 90 days of validity, so you had to renew the certificate periodically, which was not an easy process at the time. The big SSL vendors spread quite a bit of doubt and blog posts decrying the alleged security failings of Let’s Encrypt certificates.

Nonetheless, nothing beats free. Let’s Encrypt quickly became a roaring success, taking up a significant percentage of all SSL certificates issued and became the de-facto standard for issuing SSL certificates. Today, the free ecosystem has matured.

Several other entrants now provide SSLs for free, and the vast majority of websites no longer have to pay for an SSL. Browser support for these free certificates is excellent, meaning they work everywhere, and remember that 90-day duration? It turns out that’s been great for security, creating a whole ecosystem of software that updates security keys regularly (instead of letting them rot for years at a time). Best of all, wildcard certificates are now supported by many free SSL providers.

There are still a small handful of use cases for paid certificates, such as difficult-to-update systems (and where a longer SSL is beneficial), but these are very rare, and the prices for such paid certs are now no more than a few dollars.

Before, any certificate authority could issue certificates for your site. That included shady offshore organizations and even authorities owned by repressive governments. Any of these “authorities” could issue a certificate for your site and use it to intercept your users. To end this abuse, a new DNS record was added, called the Certification Authority Authorization.

The CAA DNS record allows a site operator to publish a list of authorities who may issue their site certificates. If some other provider tries to issue a fraudulent certificate, it is immediately apparent, and the major browsers should not accept the certificate. By deciding on what certificate issuers you’ll use and then publishing a CAA record, you can significantly reduce the possibility of a fraudulent SSL. Many SSL providers are moving towards making the CAA record a requirement in the future.

So if you’re still paying for SSL certificates or you haven’t set up CAA records to protect your site, what are you waiting for? The future is now. Protect your site and save some dollars by taking advantage of a true public good on the internet.

Brad Mitchell is the founder of XBIZ Award-winning adult web hosting company MojoHost, the trusted choice for tens of thousands of sites. Known for his dapper style and charismatic wit, Mitchell is a regular fixture at trade shows, where he frequently shares hard-won wisdom while striking profitable deals. He believes in earning his client’s loyalty because “That’s Good Mojo.” And if you need help with SSLs, he’s your man.

Related:  

Copyright © 2024 Adnet Media. All Rights Reserved. XBIZ is a trademark of Adnet Media.
Reproduction in whole or in part in any form or medium without express written permission is prohibited.

More Articles

opinion

Best Practices for Payment Gateway Security

Securing digital payment transactions is critical for all businesses, but especially those in high-risk industries. Payment gateways are a core component of the digital payment ecosystem, and therefore must follow best practices to keep customer data safe.

Jonathan Corona ·
opinion

Ready for New Visa Acquirer Changes?

Next spring, Visa will roll out the U.S. version of its new Visa Acquirer Monitoring Program (VAMP), which goes into effect April 1, 2025. This follows Visa Europe, which rolled out VAMP back in June. VAMP charts a new path for acquirers to manage fraud and chargeback ratios.

Cathy Beardsley ·
opinion

How to Halt Hackers as Fraud Attacks Rise

For hackers, it’s often a game of trial and error. Bad actors will perform enumeration and account testing, repeating the same test on a system to look for vulnerabilities — and if you are not equipped with the proper tools, your merchant account could be the next target.

Cathy Beardsley ·
profile

VerifyMy Seeks to Provide Frictionless Online Safety, Compliance Solutions

Before founding VerifyMy, Ryan Shaw was simply looking for an age verification solution for his previous business. The ones he found, however, were too expensive, too difficult to integrate with, or failed to take into account the needs of either the businesses implementing them or the end users who would be required to interact with them.

Alejandro Freixes ·
opinion

How Adult Website Operators Can Cash in on the 'Interchange' Class Action

The Payment Card Interchange Fee Settlement resulted from a landmark antitrust lawsuit involving Visa, Mastercard and several major banks. The case centered around the interchange fees charged to merchants for processing credit and debit card transactions. These fees are set by card networks and are paid by merchants to the banks that issue the cards.

Jonathan Corona ·
opinion

It's Time to Rock the Vote and Make Your Voice Heard

When I worked to defeat California’s Proposition 60 in 2016, our opposition campaign was outspent nearly 10 to 1. Nevertheless, our community came together and garnered enough support and awareness to defeat that harmful, misguided piece of proposed legislation — by more than a million votes.

Siouxsie Q ·
opinion

Staying Compliant to Avoid the Takedown Shakedown

Dealing with complaints is an everyday part of doing business — and a crucial one, since not dealing with them properly can haunt your business in multiple ways. Card brand regulations require every merchant doing business online to have in place a complaint process for reporting content that may be illegal or that violates the card brand rules.

Cathy Beardsley ·
profile

WIA Profile: Patricia Ucros

Born in Bogota, Colombia, Ucros graduated from college with a degree in education. She spent three years teaching third grade, which she enjoyed a lot, before heeding her father’s advice and moving to South Florida.

Women In Adult ·
opinion

Creating Payment Redundancies to Maximize Payout Uptime

During the global CrowdStrike outage that took place toward the end of July, a flawed software update brought air travel and electronic commerce to a grinding halt worldwide. This dramatically underscores the importance of having a backup plan in place for critical infrastructure.

Jonathan Corona ·
opinion

The Need for Minimal Friction in Age Verification Technology

In the adult sector, robust age assurance, comprised of age verification and age estimation methods, is critical to ensuring legal compliance with ever-evolving regulations, safeguarding minors from inappropriate content and protecting the privacy of adults wishing to view adult content.

Gavin Worrall ·
Show More