Free vs. paid | Does it pay off to invest in a TLS/SSL certificate?
Encrypted communication on the internet is an important theme, although it is still not a given. Anyone operating a website knows that SSL certificates not only have a positive effect on the Google ranking, but are now also encouraged by all browser providers. But one SSL certificate is certainly not like the other – there are many different versions that each differ with regard to security and performance.
Published by
Simone Catania
Date
Website visitors have come to accept the padlock symbol in the address bar as an important symbol of trust, regardless of whether the website in question is a shop, blog or company page. HTTPS specifically means that the communication between the web server and client is encrypted. The “S” stands for “secure”. If a website is protected with an SSL certificate, third parties cannot access the data being transmitted. This data encryption does not slow things down – on the contrary: the loading speed of web pages can actually be improved with HTTP/2. As a comparison: HTTP/1.1 uses several TCP connections to load various individual page elements like JS, CSS and image files, while HTTP/2 transmits packets of data simultaneously via only one connection. The information is compressed and transmitted in binary code. Data packets are also sorted and transmitted in a specific sequence. The data required for building the site are transmitted first.
In general: SSL certificates not only increase security, but also benefit rankings
Secure Socket Layer (SSL) is a protocol that was developed to enable the secure transmission of data via the internet. Paid SSL certificates are used, for example, for home banking or for online shops. All browsers, like Internet Explorer, Netscape, Mozilla Firefox, Safari etc. support this standard.
Both free and paid: SSL encryption offers encrypted connections between the server and client with certificates according to the X.509 standard and enables message integrity using the public key process. This entails the coding of data using a publicly accessible key which can then only be decoded with a private key.
The specifics: how does SSL encryption work?
The certification authority (CA) is responsible for issuing and signing SSL certificates. It also confirms the authenticity of the page and, depending on the type of certificate, also of the company. Once the website has been validated, a certificate is deposited on the web server. Regardless of whether it is a free or paid SSL certificate, the basic encryption process is the same.
First, the server authenticates itself as a certificate owner to the client. Then an asymmetric encryption is generated and the corresponding keys are exchanged. These keys make the asymmetric coding possible in the first place, as the entire communication between client and server is encrypted. The keys are regularly renewed throughout the communication process, so that even in the unlikely event of a successful one-off attack, the hacker’s joy would be short-lived.
The difference: free and paid SSL certificates
With free SSL certificates, DV certificates (domain validation), only ownership of the domain is verified. The validation process is carried out automatically with free SSL certificates i.e. not by a real person. The automatic implementation of SSL certificates largely sounds like less effort for website operators, but it doesn’t only entail advantages.
Even if a DV certificate is issued faster than the paid SSL certificates, utilizing them on public pages is not recommended. The effort spared may well soon be regretted when the first phishing attack comes along, as many hackers now use SSL/TLS certifications and appear to be official websites using phishing login pages with HTTPS.
Those managing publicly-available websites are therefore well-advised to not skimp on costs and rather invest in a paid SSL certificate. For OV as well as EV certificates, the validation process is not automatic, but carried out manually. Employees of the respective CA, e.g. of DigiCert, verify whether a real company or organization is behind the website, either with a telephone call or by checking the commercial register, or both.
What makes the difference with paid SSL certificates?
The paid certificate versions include extended validation (EV) and organization validation (OV) certificates.
1# Organization validation (OV)
With this type of SSL certificate, validated company details are listed that not only show visitors that the website is secure, but also that the associated company is legitimate. This means that the CA has checked the ownership of the domain as well as additional information, like the registered or legal name of the company, its location and other details. This type of certificate is generally used for publicly accessible websites on which less sensitive data is processed, like information websites.
BILD
2# Extended Validation (EV)
The EV certificate provides the strongest level of verification of identity, confirming the authenticity of the organization behind the website. It is a signal to users that sensitive and confidential data can be disclosed on the website and offers the highest level of encryption. Apart from ownership of the domain and additional details that are also checked with an OV certificate, the CA also verifies in-depth identifying details like legal status, physical and company existence, the authorization to sign agreements etc. This type of certificate is usually used for websites that require user registration, personal details and other sensitive information or accept payments, for example online shops or banking websites.
BILD
Finding the most suitable SSL certificate for a project is not always easy. In general, it’s important to remember that using an SSL certificate only holds advantages. Anyone operating a company website or one that processes sensitive information should certainly take a close look at using OV or EV certificates.
The InterNetX SSL Wizard checks different factors and can help you find the most suitable certificate for your project.