SSL (Secure Sockets Layer) is a security protocol that allows a protected connection between a web browser and a web server. SSL certificates help authenticate websites and encrypt data. They can be either paid or free.
In fact, either free or paid certificates of any validation type perform the exact same way. The majority of them are even about the same encryption level. Prices, however, may vary noticeably from vendor to vendor. What are the reasons? Below we will analyze in detail what the cost of an SSL certificate really affects.
Security of the certificate: encryption
An SSL certificate's primary goal is to secure a website and its operations. This becomes possible by protecting the data transmission channel between the server and the client with the SSL protocol. The major factor that defines the ability of an SSL Certificate to secure and reliable encryption of data is cryptographic algorithms and the length of the key.
To be considered secure, modern SSL certificates must take into account the requirements of browsers, namely the SHA 256 encryption standard and a key length of 2048 bits.
Certificates with a key length of 3072-bits and even 4096-bits do exist. However, this encryption level is currently considered as redundant: the switch to RSA 3072-bit keys is scheduled only in the 2030s.
Note that the key length has no direct effect on the certificate price. It is possible to install a free SSL certificate from Let's Encrypt with a 4096-bit key or purchase paid certificates with standard 2048 bits.
How else does the cost of a certificate vary except for encryption? Usually, the price is directly related to the level of authentication, type of certificate, availability of additional options, and credibility of the certificate authority. Below we will analyze these parameters in more detail.
Level of authentication: DV, OV, EV
When you purchase a paid certificate, the domain or company owner has to go through an authentication (validation) process. This process can be more or less thorough based on the type of certificate. The type of validation determines what information will appear in the certificate: what browsers and site visitors will be able to find out about the domain owner.
A certificate with the DV (Domain Validation) basic type of validation provides only a list of protected domains that it will cover. The certificate is validated and issued automatically. DV-validated sites normally display only a padlock in the browser address bar.
OV (Organization Validation) certificates verify not only the domain but also company information, such as the legal address and contact details. This ensures a higher level of trust compared to DV certificates. The name of the company is shown on the certificate and may be visible in some browsers.
EV (Extended Validation) certificates represent the highest level of authentication. The company is verified in more depth, covering legal status, physical address, etc. The requirements for verification are stricter and the validation process can be more time-consuming. A green line with the name of the company is displayed in the address bar of your browser.
Standard certificates with automatic validation are often lower in price than certificates with extended validation, which require more stringent verification and documentation. DV can even be available for free (e.g. Let's Encrypt certificate). At the same time, the key length of a DV certificate can be longer than the most expensive EV.
OV and EV certificates are applicable only to legal entities and self-employed persons, they are manually validated, the Certificate Authority requires and reviews the documents from the customer, so their price is higher.
Types of certificates: single-domain, Wildcard, and SA
There are different SSL certificate types:
Single-domain: the certificate is valid only for one domain, e.g. supersite.ru.
Wildcard: protects not only the main domain but also all its subdomains, that is, with Wildcard you may include a value with an asterisk (*) in front of the main domain value. In this way, it is possible to issue a certificate of the *.supersite.ru type to work with supersite.ru as well as with my.supersite.ru, your.supersite.ru, our.supersite.ru and so on. The certificate is valid only for the level with an asterisk (*), i.e. a domain name like 1.2.3.supersite.ru will not be protected because it is 2 levels lower than *.supersite.ru.
Multi-domain (SAN): certificates for multiple domains. The SAN (Subject Alternative Name) feature lets you add another domain or multiple domains to an existing domain. Thus, a single certificate will apply to several sites. For instance, one certificate will be applicable to both supersite.ru and dreamsite.com at the same time. This saves time and money and makes it clear that these domain names belong to the same company.
So, choose a certificate specifically based on your business needs. If you run multiple unrelated companies with different sites, for example, you might prefer to buy SAN certificates. For sites with a high number of subdomains at the same level, Wildcard will be fine. If you have just one domain with no subdomains and you don't intend to change it, a single domain certificate will be sufficient.
Additional options: guarantee of compensation
Sometimes SSL certificates offer additional features such as money-back guarantees, mobile device support, phishing protection, and other additional services that may increase the price of the certificate.
Here we will go into more detail on money-back guarantees. Each Certification Authority provides a financial guarantee for its certificates. You can get it in case a visitor or a site owner experiences losses because of the fault of the CA. It can be claimed, for instance, if the certificate encryption is hacked because of the CA's fault, or if the certificate was granted to scammers. Each vendor decides for itself what insurance payments it guarantees and what events it covers. The more complex the type of verification — DV, OV, or EV — the higher the guarantee and, therefore, the higher the price.
Confidence in the Certification Authority
Fee-based certificates are issued by well-known and trusted Certificate Authorities that have long existed and have a strong reputation. CAs such as Comodo (now Sectigo), DigiCert, GlobalSign, and others have a long history in the industry and are highly trusted. Browsers and operating systems come pre-installed with root certificate sets from trusted CAs, and if a trusted CA has issued an SSL certificate, the browser will treat it as secure.
The certificate's reliability is also correlated with the ability of the Certification Authority to update or revoke the certificate quickly and efficiently in case of a security risk or loss of credibility.
Free certificates, in turn, are often provided by new or less known Certificate Authorities or projects such as Let's Encrypt.
How to choose an SSL Certificate
The price of an SSL certificate practically does not correlate with the level of its encryption, but it is affected by the type of validation, the insurance coverage, the reputation of the Certificate Authority, and a lot of other less important factors.
You should consider the needs of your business specifically when choosing a certificate.
DV certificates, even free ones, will work for most websites. But if you're a big and famous brand or if you accept payments right on your site, you'll need OV and EV certificates to protect your site from phishing.
Wildcard is a good option if your site has many subdomains, and if you run a business with multiple sites, look into a multi-domain certificate with SAN option.
Besides, if it is essential for you that browsers trust SSL certificates, and in situations of losses due to the certificate you can expect monetary compensation, you need to pick a CA with a history and a high confidence level.
You will probably also want to consider the validity period: as a rule, paid certificates have a longer period of validity - 1 year, whereas free certificates are valid for a short period of time - a few months. This means that you will need to renew free certificates more often. Certificates with a longer validity period tend to be more expensive, but you can renew them less frequently.
Choosing between a paid and free SSL certificate will depend on your site's needs and budget. A free certificate, such as Let's Encrypt, can be a great choice if you're looking for a fast and free solution to provide basic security for your site. But if you need advanced features and a higher level of trust, a paid certificate may be more appropriate.
Take a look at the offer of SSL certificates from trusted and reputable Certificate Authorities on our website to find the best one for you.
Comments