Score:-1

The Importance of Paying for SSL Certificate


Is it really compulsory to pay for an SSL certificate while setting up a website? What are the advantages and disadvantages? Thank you.

Score:3

The short answer is no.

Either you know who you're dealing with and already know whether they are to be trusted, so you just want to communicate over a secure line, or you don't know them and you've really got no way to tell whether they wouldn't try to rip you off anyway. Might as well get a secure line nonetheless.

Certificates in general are supposed to perform one main function: to assert that the person who owns this certificate is who they say they are, such that you can establish a secure connection to that person.

Paid-for providers and certificate authorities in general are effectively middlemen; it's often in their interests to imply (and market as such) that the person who owns that certificate is also some trustworthy entity (won't rip you off, basically), so as to convince a buyer that they are buying trust. It's not unusual for the waters between "is who they say they are" and "is trustworthy" to be very muddied by CAs.

The free certificates are what are technically known as "Domain Validated" certificates.

That is, the certificate issuer (in many cases Let's Encrypt) only vouches that the owner of the DNS domain name is the same person that owns the website. It makes no claims about the trustworthiness of the website, its owner or the organisation it works with.

There exist other types of certificates.

  • Organisation Validated (OV)*
  • Extended Validated (EV)*

Organisation validated certificates carry the same vouches as a domain validated certificate, along with proof that the organisation being issued the certificate legally exists (perhaps it exists in some companies register somewhere and some third-party lawyer vouches for its existence).

Extended validated certificates, in addition to performing the DV and OV validation, also require some additional proof that the person wanting the certificate legally exists, such as a passport or birth certificate.

The problem here is that most people don't rely on CAs to define trust between two entities, only to confirm that the entity is the (trustworthy or not) person they say they are.

Add to this, there have been a number of incidents in the past of certificate authorities being fooled into (or incompetently) issuing extended validation certificates to people who are not who they say they are.

Additionally, it's not really been tested from a legal perspective whether a certificate authority can be made liable for harm caused by identity fraud due to a mis-issued certificate.

In my opinion, the world of SSL certificates has been a huge barrel of snake oil for many years, and Let's Encrypt has disruptively (and rightly) corrected what were effectively greedy middlemen holding secure connections between parties to ransom.

EV certificates held no benefit to the public: you've got no idea what they mean or stand for, nor do you really have any way to get your money back from a CA if that entity swindled you. Many browsers are in the process of removing (or have completely removed) the 'green bar' feature that used to be prominent with EV certificates and was supposed to offer some kind of tentative value.

For the customer, they seemed to offer you the power to 'buy' trust, something I feel you'd not ethically do anyway if you were of good repute.

OV certificates fall into the same bracket: it's trivially simple to register a business and get one, but that says nothing about your trustworthiness as a business.

So, no, I personally don't see any good reason to buy an SSL certificate. I'd be interested to hear counter-arguments, though, as to why I'm very wrong.

* Note: each certificate authority has slightly different schemes and policies for what their requirements are and what they accept as valid proof of identity. This means it's not as simplistic as I'm implying, and in theory it can be quite different between one provider and the next.
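The answer above describes DV, OV and EV certificates by the vouching each level carries, but does not show how to tell them apart on the wire. As an added example (not part of the original answer), the script below builds constructed self-signed test certificates that carry the subject fields and policy OIDs public CAs put in real DV, OV and EV certificates, and classifies them. It assumes an `openssl` CLI of version 1.1.1 or newer (for `req -addext`); the policy OID `1.3.6.1.4.1.99999.1` in the last certificate is a made-up private OID standing in for a CA's own policy identifier. Browsers and TLS clients decide "is this EV?" from the certificatePolicies extension, using the CA/Browser Forum reserved OIDs (2.23.140.1.2.1 for DV, 2.23.140.1.2.2 for OV, 2.23.140.1.1 for EV), so that is the primary signal here; the subject-field heuristic is only a fallback, because a CA may use its own policy OID instead.

```shell
#!/bin/sh
# Added example, not from the original page: classify certificates as DV, OV or EV
# from their contents using only the openssl CLI.
#
# Assumptions (not stated on the page):
#   - openssl >= 1.1.1, so that `req -addext` is available
#   - the self-signed certificates created below are constructed test data that
#     mimic the fields real CA-issued certificates carry; being self-signed they
#     prove nothing by themselves, the point is the inspection logic.
#
# CA/Browser Forum reserved certificate policy OIDs:
#   2.23.140.1.2.1  domain validated (DV)
#   2.23.140.1.2.2  organisation validated (OV)
#   2.23.140.1.1    extended validation (EV)
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert OUTFILE SUBJECT POLICY_OID: self-signed cert with the given subject
# and a certificatePolicies extension carrying POLICY_OID (constructed data).
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/key.pem" -out "$1" -subj "$2" \
        -addext "certificatePolicies=$3" \
        -addext "subjectAltName=DNS:www.example.com" >/dev/null 2>&1
}

# validation_level CERTFILE: prints DV, OV, EV or UNKNOWN.
# Primary signal: the CA/B Forum policy OID. Fallback: subject fields, since a
# CA may carry only its own policy OID. `-nameopt multiline` prints one subject
# attribute per line with long names (organizationName, businessCategory, ...).
validation_level() {
    text=$(openssl x509 -in "$1" -noout -text -nameopt multiline)
    if   printf '%s\n' "$text" | grep -Eq 'Policy: 2\.23\.140\.1\.1([^0-9.]|$)'; then
        echo EV
    elif printf '%s\n' "$text" | grep -Eq 'Policy: 2\.23\.140\.1\.2\.2([^0-9.]|$)'; then
        echo OV
    elif printf '%s\n' "$text" | grep -Eq 'Policy: 2\.23\.140\.1\.2\.1([^0-9.]|$)'; then
        echo DV
    elif printf '%s\n' "$text" | grep -Eq '^ *(businessCategory|serialNumber|jurisdiction)'; then
        echo EV   # EV-only subject fields (registration number, business category)
    elif printf '%s\n' "$text" | grep -Eq '^ *organizationName *='; then
        echo OV   # an organisation is named, but no EV fields
    else
        echo UNKNOWN
    fi
}

# Constructed test certificates:
# DV: nothing but the domain name.
make_cert "$WORK/dv.pem" "/CN=www.example.com" 2.23.140.1.2.1
# OV: organisation and location added.
make_cert "$WORK/ov.pem" "/C=GB/L=London/O=Example Ltd/CN=www.example.com" 2.23.140.1.2.2
# EV: organisation plus company-register style fields.
make_cert "$WORK/ev.pem" \
    "/C=GB/L=London/O=Example Ltd/businessCategory=Private Organization/serialNumber=01234567/CN=www.example.com" \
    2.23.140.1.1
# OV-looking subject but only a hypothetical CA-private policy OID: the
# subject fallback has to decide.
make_cert "$WORK/custom.pem" "/O=Example Ltd/CN=www.example.com" 1.3.6.1.4.1.99999.1

for name in dv ov ev custom; do
    printf '%-7s %-8s ' "$name" "$(validation_level "$WORK/$name.pem")"
    openssl x509 -in "$WORK/$name.pem" -noout -subject
done
```

Run it against a real certificate with `validation_level /path/to/cert.pem` (PEM, leaf certificate). Whatever level it reports, all three are identical in the strength of the TLS connection they set up; the difference is only in what the CA claims to have checked about the subject.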
Score:0

Is it really compulsory to pay for an SSL certificate while setting up a website?

There are providers of free SSL certificates, such as Let's Encrypt.

So in that regard, no you don't necessarily need to pay for the certificate itself.

But when somebody else is setting up your website, that provider may of course charge you extra if they consider setting up SSL certificates for customers a premium service rather than a standard one.

For various reasons you or the provider may prefer a paid-for SSL certificate over a free one.

What are the advantages and disadvantages?

Although slightly older, this Q&A is IMHO not out of date and will give you some useful considerations: Is there a reason to use an SSL certificate other than Let's Encrypt's free SSL?
