Last week I wrote about how to create a self-signed SSL certificate for your website. It turned out to be one of my popular posts, and the process turned out to be remarkably easy: you run one single command, make a quick change to your webserver configuration and youâre done.
Our self-signed certificate worked great for encrypting the connection between our browser and the webserver, but as I mentioned thatâs only half the SSL story. Our certificate wasnât trusted by our operating system, which means it couldnât be used by our browser to confirm the identity of the server weâd connected to, which in turns means that visitors to our website are greeted with a big, bold âyour connection is not secureâ error message.
Our browser knows whether or not it can trust a given SSL certificate through a hierarchical structure. Iâm glossing over some details, but essentially our operating system comes with a listed of trusted ârootâ certificates. The owners of these root certificates can produce certificates for their customers much as I produced one for myself last week. The difference is that thereâs a mechanism for traceability here â the certificates they produce are trusted, because our browser can trace things back to the root certificate that it already knows to be good.
Iâm not suggesting thereâs some kind of conspiracy at play here, but it seems to me the owners of these root certificates have a metaphorical license to print money. They can create something out of nothing with, in essence, a single command, and sell it for a value they determine. I might be OK with that if they hadnât determined that the value is so insanely high.
Luckily for us there are market forces at play in this whole story, and we donât have to pony up the $1,500 Symantec are asking to secure our website traffic. Weâre going to do it for free. Read on!
SSL Certificates and Their Value
Unfortunately, budget-minded certificate providers are few and far between, and the trend appears to be that their either disappearing or eliminating their lowest-cost options in favour of âbetter,â higher-priced ones. NameCheap is a good option if youâre looking to minimize costs, with certificates starting at around $10 at the time of writing.
But hereâs the question: If you can get an SSL certificate from them for $10, why are Symantec charging $1,500. Is their option 150x better?
Hereâs my answer: No.
Symantec would likely argue that point though, as you might imagine. Theyâd mention that they put their customers through a more stringent identification process in order to provide an increased level of confidence in their product. They know their customers, and they know theyâre only issuing certificates to trustworthy sites. Theyâd argue they provide a warranty with their certificates that provides their customers with legal protection against a losses caused by a security breach.
This is all well and good, of course, but does the typical internet user care? Iâd propose that the average site visitor â at best â notices the green padlock icon in the address bar and proceeds with confidence upon seeing it. How much you, as a site owner, pay to get that padlock icon really makes no difference to the vast majority of your visitors.
That all being said, it of course depends on what your site does. If youâre a bank, this is not an area you should be trying to save money in. Take the expensive certificate with the warranty and the legal protection. If you run an e-commerce site and your livelihood depends on your website then maybe donât spend $1,500, but donât accept the reputational risk of using a product with no warranty and limited support. If youâre me, though? Whatever, just spend as little money as possible.
Getting a Free SSL Certificate
Enter our new best friends at StartSSL. They offer single-site SSL certificates for the extremely reasonable price of free. There are some caveats as you might expect, but none of them are a show-stopper for my purposes. Nevertheless the biggest thing you should consider is that although theyâll issue the certificate for free, you will have to pay if you ever need to revoke it. If you ever suffer a security breach and suspect that your certificate file has fallen into the wrong hands (Iâm talking about the equivalent of the server.pem file we created for ourselves last week), it should be revoked to prevent some nefarious person setting up a site that masquerades as yours. If thereâs ever another vulnerability similar to the heartbleed bug then the certificate should likewise be revoked.
In a nutshell, this is a risk tolerance question. By taking the free certificate youâre betting that nothing bad will happen during the 12-month life of your certificate or that if it does youâll be prepared to accept a whole host of new risks.
Since I was OK with the many drawbacks of using a self-signed certificate, I laugh in the face of risks like the ones mentioned above. If youâre different then do your homework and make sure youâre getting a product thatâs right for you, but if youâre like me then tune in next week when I walk through the steps of getting a free certificate issued to me and install it on my server.