
What makes free SSL "unsuitable for e-commerce websites"? Please read to the end to see my viewpoint.

From Namecheap:
Free Certificates are domain validation only, which means they don't certify the identity of the website owner; they simply ensure a secure connection. Customers can't be sure of the integrity and trustworthiness of the website owner. If you need to secure credit card and personal information on e-commerce websites, free certificates aren't the answer. It's important your customers trust your business is safe enough to hand over these details. To gain this trust, you need a certification of your authenticity, which you can only get with a (paid) Business Validation or Extended Validation SSL Certificate.

https://namecheap.com/security/...

* "To gain this trust, you need a certification of your authenticity"
~ But isn't that just domain verification and other extras? What justifies a person's or business's authenticity? A tax ID, a valid address? Nobody is going to study the SSL cert to make sure that amazon.com is a valid business and has a tax ID.

* "domain validation only which means they don't certify the identity of the website owner,"
~ Wouldn't this just be the domain validation test that is required when using services like Let's Encrypt with Certbot etc., or are we referencing back to the idea that they look for a valid tax ID or something similar?

* "If you need to secure credit card and personal information on e-commerce websites, free certificates aren't the answer"
~ Why? Is the paid version going to do double encryption? Is the CA going to run a monitoring tool to scan for intrusions like an IDS or IPS? (Disregard the use of DNS validation being in the picture.)

Am I missing something? This just seems like well-crafted text to get people to buy a cert. I could understand it if the encryption was handled differently, or maybe if they checked the site for HSTS or an HTTPS redirect, or even if they blocked wildcard SSL before and now it's included with the paid version, but overall it doesn't sound like anything special. Now, I'm not just picking on Namecheap, because domain.com does the same.

Comments
  • 2
    Also, the only other reason I can see for paying for SSL is "warranty protection", you know, the message "acts as an insurance covering any damage should it incur resulting from a flaw in the certificate".
  • 3
    Let's Encrypt: personal use only and logins for small sites.

    Paid SSL: the moment you ask for credit cards or have identifiable customer data.

    Why?
    Free SSL is just as secure as a paid cert when it's a DV (domain validated) certificate, but it does not reflect any trust with the customer; anyone with a tiny amount of knowledge in the matter can generate one and secure a site with Let's Encrypt.

    A paid DV/EV will display that the company owns the certificate + for an EV, the company has proven it actually exists, giving the customer a level of trust that they are less prone to credit card theft.

    Mind you, neither certificate protects against the website storing the data, but generally when a company has an EV, they would need to adhere to PCI audits, and larger DV sites do too.
  • 1
    For most people those certs are only meant to stop the browser from complaining that it is insecure. They would most likely log into their bank account on an HTTP address without a second thought. This is obviously hurting profits for sellers of paid certs and so we are reading this bullshit about how paid is safer. I'm sure that browser vendors will eventually crack down on this and we will start seeing alerts of some kind.
  • 3
    Something namecheap misses:
    - The encryption of any certificate is absolutely the same.
    - Nobody looks if a site has an EV certificate. On the other hand, the verification process is more advanced, as the business name and street address are checked, too.
    - The visuals of organization- and domain validated certificates are the same.
    - "The free SSL Certificates provided by Amazon are only available to users located in North Virginia, Oregon, Northern California, and São Paulo." As far as I know, this is now outdated. Also, this does not apply to LE and Buypass.
    - This warranty is hilarious. How can "your site being hacked or data breach" be caused by "a flaw in the certificate"?
    - "Due to the manner the domain is validated, this certificate is open to man-in-the-middle and phishing attacks. For this reason, major players in SSL don't supply domain validation certificates." Besides being strangely written, "major players" like Amazon do 'only' have DV certs for their sites. If they did mean 'major players selling certificates' - well, CAs do sell domain validating ones and can get EVs for themselves at zero cost.
    - "May damage customers trust" - Seriously? Who clicks on the padlock and says 'I won't buy here, because they use Let's Encrypt'.
    - "Constant renewals [of free certificates]" - Unlike for many paid certificates, this can be automated.
    - "Organization Validation (OV): The website company details are mentioned on the certificate and verified via in-depth verification. Not only are users guaranteed that you are the actual owner of the domain name associated with your website, but they can also trust your company." - As said, nobody looks at those details, especially as those are hidden behind the padlock. And how does that guarantee trustworthiness? A company can exist, own a website, be the owner of that website, verify the ownership, but still be a criminal organization! Less likely, but possible.
  • 1
    @C0D4 The verification for paid DV and free DV is the same.

    CAs charge extra for embedding company details into a certificate. You may mean paid OV (organization verified) certificates.
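To make the two comments above concrete (the cryptography of a certificate does not depend on its validation level; the organization details and policy OID are the only extras an OV cert carries, and they sit behind the padlock), here is an added Go example that is not from the post or any commenter. It builds two self-signed sample certificates from one key, one DV-style and one OV-style, classifies them by the CA/Browser Forum policy OIDs, and checks that key and signature algorithm are identical; the names `Issue`, `shop.example` and `Example Shop Ltd` are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// CA/Browser Forum certificatePolicies OIDs by which a certificate states its validation level.
var policyLevels = map[string]string{"2.23.140.1.2.1": "DV", "2.23.140.1.2.2": "OV", "2.23.140.1.1": "EV"}

// ValidationLevel reports the validation level a parsed certificate asserts about itself.
func ValidationLevel(cert *x509.Certificate) string {
	for _, p := range cert.PolicyIdentifiers {
		if level, ok := policyLevels[p.String()]; ok {
			return level
		}
	}
	return "unknown"
}

// SameCrypto is true when both certs carry the same key and signature algorithm: TLS then protects
// the session identically, whatever the validation level says.
func SameCrypto(a, b *x509.Certificate) bool {
	key, ok := a.PublicKey.(ed25519.PublicKey)
	return ok && key.Equal(b.PublicKey) && a.SignatureAlgorithm == b.SignatureAlgorithm
}

// Issue creates a self-signed sample certificate (constructed here, not CA-issued) for host. An empty
// org gives a DV-style cert (CN + SAN only, as Let's Encrypt issues); a non-empty org adds the subject
// details and OV policy OID that a paid OV certificate carries behind the padlock.
func Issue(key ed25519.PrivateKey, host, org string) (*x509.Certificate, error) {
	subject, policy := pkix.Name{CommonName: host}, asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}
	if org != "" {
		subject.Organization, policy = []string{org}, asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2}
	}
	// certificatePolicies (2.5.29.32) DER-encoded by hand so it round-trips on every Go version;
	// marshalling a fixed OID cannot fail.
	policyDER, _ := asn1.Marshal([]struct{ Policy asn1.ObjectIdentifier }{{policy}})
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: subject, DNSNames: []string{host},
		NotBefore: time.Now(), NotAfter: time.Now().Add(90 * 24 * time.Hour), // 90 days, like Let's Encrypt
		ExtraExtensions: []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: policyDER}}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Calling `Issue` twice with the same key, once with an empty org and once with a company name, yields "DV" and "OV" from `ValidationLevel` while `SameCrypto` reports true for the pair; `ValidationLevel` also works on any certificate obtained from a live TLS handshake, which is the quickest way to see what a site's cert actually claims.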
  • 2
    @sbiewald
    Oh I see where I went wrong.

    I meant paid DV showing a known trusted issuer (Comodo, etc.) vs LE showing up.
  • 1
    @C0D4 "A paid DV/EV will display..."
    Do users distinguish between paid / free DV certificates, as the (now grey) padlock looks the same?
    It is even questionable if users look at EV certificates at all.

    This study (http://usablesecurity.org/papers/...) indicates users are not.
  • 1
    @C0D4 But do users click on the padlock and think "oh no, this is Let's Encrypt"?
  • 2
    @sbiewald true, the grey padlock is horrible, and IMO takes away from the importance of an SSL cert vs just getting a red box if the site runs on http only.

    I guess it's really a matter of trust when it comes to SSL. If you're willing to hand over CC data on LE certs, so be it; it's a hard argument really, as they still offer full protection, just any man and his dog has access to it, vs going out of your way and actually providing some verification other than having access to DNS records and a server.

    I'm not against LE, I use it myself for sites that don't run payments, but I would expect an ecommerce site to carry a cert from an issuer that makes you do more than run "sudo certbot".
  • 2
    @sbiewald good question. The average, probably not.

    I’d say (no facts here) the average user just goes ooh shiny padlock and keeps on going.
  • 0
    @C0D4 Good point, but I think you overestimate the validation of commercial CAs.

    Many of those CAs have free trials where the verification is "upload this document to your server".
    While commercial customers do not run "sudo certbot", they click on "renew certificate", which is not much more or more secure.
    Correct me if I'm wrong - if I don't buy an OV/EV cert, the data I send to the CA about my organization is not verified.

    About the second comment: Absolutely.
  • 2
    There is absolutely NO reason to buy a DV certificate these days. The FUD against LE is because the sellers can't make money from it.

    Some shitty hosters try to force their customers into buying stuff by banning LE on their hosting - the appropriate answer is to terminate the contract and migrate to a better hosting company.
  • 2
    I feel like most users don't care, green is good and red is bad. Some might not even know what a certificate is or what makes one valid/safe.
  • 1
    @alexbrooklyn Yes, yes, yes!
    I'm even happy the padlock is grey now and unencrypted sites get a warning - maybe the big warning from Firefox "this site is insecure, do not enter passwords" is the only thing that gets noticed.