SSLs.com is dedicated to security and privacy for all users. We believe the movement to encrypt nearly all web traffic is a positive development for the internet.
Preventing MITM attacks and the other data-interception techniques that are possible over plain HTTP is in everyone’s best interest, and that point is not up for debate. However, there is a big difference between encryption and security, a point that may be trivial to advanced users and professionals, but is extremely relevant for consumers.
The Importance of Validation and Third Party Revocation
The protection currently available from free SSL providers consists of basic, encryption-only, Domain Validation certs. Domain Validation certificates are excellent products, but free DV certs differ from purchased DV certs in key areas.
Though every SSL certificate provides encryption of data in transit between the browser and the website, free certs provide encryption only. Free certificate authorities (or “CAs”) perform no validation checks on the applying business prior to issuance. Any time you use a credit card to pay for an online purchase, a validation check occurs before the purchase is authorized. As there is no payment necessary with free certs, even this most basic form of validation does not take place. Unfortunately, as the issuing CA has no control over the site on the other side of the certificate, it is possible for phishing sites and malware scammers to use free SSL to appear legitimate, due to the quick and automated way free certificates are issued.
We think that validation of a certificate’s owner is an important point that needs to be highlighted and discussed. Recent developments in SSL automation are fantastic from a technical point of view; however, consumers need to be educated on this new security paradigm and on the appropriate signals to look for when making a security determination. Looking for ‘https’ and a lock in the browser bar, the traditional indicators that have long been promoted as reliable, may no longer be so reliable when it comes to the consumer definition of security.
Signal Consumer Trust with Paid SSL
SSL certificates from branded providers provide the security, flexibility, and support that business websites need. Traditional CAs offer certificate lifetimes of up to three years. They support wildcards, offer warranties, and provide integration assistance. With a non-automated CA, you can choose from varying levels of validation – Organization Validation and Extended Validation, in addition to basic Domain Validation. With OV and EV protection, the CA conducts extensive verification of the business behind the website before issuing the cert, and takes quick corrective action when fraud or malicious activity is detected. Support is another significant factor; only paid providers can offer full-time customer service and assistance.
Free SSL certs are a great choice for personal blogs and other basic sites that do not conduct financial transactions or collect sensitive data. However, e-commerce organizations and any site that gathers customer data requiring protection and trust should, as a matter of course, use OV or EV SSL from known and trusted CAs. The levels of encryption, validation, and trust that business and commerce websites require in order to provide security in the consumer sense, not merely encryption, are delivered by these validated products.
By Richard Kirkendall, Namecheap.com