The time has come to stop paying for SSL certificates! Except for a few edge or convenience cases, there are multiple great options for free SSL certificates. Not only do these options save money, but by understanding the requirements and capabilities of the modern SSL ecosystem, you can also improve your sites’ security and reduce (or eliminate) the annoying manual tasks of reviewing SSL certificates.
The origin of the SSL certificate dates all the way back to the dark ages of the web. Back in the heady days of 1995, with its dial-up and Netscape, the internet had a problem; it was a decentralized, trust-free network where everybody could get online and share information. Of course, it didn’t stay that way; it became a digital commerce powerhouse (on which we now rely).
There are still a small handful of use cases for paid certificates, such as difficult-to-update systems.
Cryptography tried to create trust on the web, except cryptography only secured connections between surfer and server. It made connections impervious to snooping, but it didn’t actually guarantee that a surfer connected to the website they intended to visit.
Enter the SSL: a pure digital signature proclaiming the identity of a site operator. By itself, all it provides is proof that the server that a user is connected to is under the same control as the owner of the SSL certificate.
In the beginning, authorizing an SSL certificate meant an audit by an independent SSL auditing firm, which would attest to the physical person behind a site, their city and country, their business incorporation, and so on. It was a good (great) time for auditors since they would charge thousands of dollars for a single certificate. There’s a reason big sites were the only ones using SSLs at the time.
Time went on until the domain validation SSL was born; it proves that the website you’re visiting is really in the domain owner’s control. This validation is easy, because when the SSL is issued, all the site owner needs to prove is ownership of the domain name. This process is fast and a computer can do the actual validation with little or no human interaction. As a result, the big SSL providers dropped their prices to near zero because of the savings from automating the process … haha, no they didn’t! In fact, they charged almost as much for DV SSL certificates as they had been, and pocketed the profits
Into the 2010s, SSL certificates remained annoyingly expensive. Some vendors tried to make more expensive “extended validation” SSLs that would turn the browser bar green. These were supported for a few years, but the browser vendors wised up, and EV SSLs are completely worthless now. Seriously, if you still have an extended validation SSL, it’s time to drop it.
Then, 2014 came along and a few things happened. First, Disney released “Frozen,” and the song “Let It Go.” Despite the common misconception, this song was not about a magical princess, but rather an instruction to site owners paying for SSL certificates: let it go. Also, after years of lobbying by the Electronic Frontier Foundation and Mozilla (the makers of Firefox), the board that sets the standard for SSLs finally approved “Let’s Encrypt,” a totally free certificate authority that would issue an SSL on demand ... for free!
Oh, and Google added SSL to its ranking algorithm, which probably had nothing to do with website operators adopting SSL en masse…
When Let’s Encrypt launched, not all modern browsers supported it (and no older browsers did). Also, to appease the existing SSL providers, they could not issue wildcard SSL certificates (where one certificate covers a.example.com and b.example.com). Even worse, their certificates were limited to 90 days of validity, so you had to renew the certificate periodically, which was not an easy process at the time. The big SSL vendors spread quite a bit of doubt and blog posts decrying the alleged security failings of Let’s Encrypt certificates.
Nonetheless, nothing beats free. Let’s Encrypt quickly became a roaring success, taking up a significant percentage of all SSL certificates issued and became the de-facto standard for issuing SSL certificates. Today, the free ecosystem has matured.
Several other entrants now provide SSLs for free, and the vast majority of websites no longer have to pay for an SSL. Browser support for these free certificates is excellent, meaning they work everywhere, and remember that 90-day duration? It turns out that’s been great for security, creating a whole ecosystem of software that updates security keys regularly (instead of letting them rot for years at a time). Best of all, wildcard certificates are now supported by many free SSL providers.
There are still a small handful of use cases for paid certificates, such as difficult-to-update systems (and where a longer SSL is beneficial), but these are very rare, and the prices for such paid certs are now no more than a few dollars.
Before, any certificate authority could issue certificates for your site. That included shady offshore organizations and even authorities owned by repressive governments. Any of these “authorities” could issue a certificate for your site and use it to intercept your users. To end this abuse, a new DNS record was added, called the Certification Authority Authorization.
The CAA DNS record allows a site operator to publish a list of authorities who may issue their site certificates. If some other provider tries to issue a fraudulent certificate, it is immediately apparent, and the major browsers should not accept the certificate. By deciding on what certificate issuers you’ll use and then publishing a CAA record, you can significantly reduce the possibility of a fraudulent SSL. Many SSL providers are moving towards making the CAA record a requirement in the future.
So if you’re still paying for SSL certificates or you haven’t set up CAA records to protect your site, what are you waiting for? The future is now. Protect your site and save some dollars by taking advantage of a true public good on the internet.
Brad Mitchell is the founder of XBIZ Award-winning adult web hosting company MojoHost, the trusted choice for tens of thousands of sites. Known for his dapper style and charismatic wit, Mitchell is a regular fixture at trade shows, where he frequently shares hard-won wisdom while striking profitable deals. He believes in earning his client’s loyalty because “That’s Good Mojo.” And if you need help with SSLs, he’s your man.
