Can services charge for encrypting a website?


#1

I use a service called Surge (https://surge.sh). They have a ‘Plus’ plan that allows you to use some cool features and other stuff to make your website a little better in one way or another. They are a fantastic service and are soon going to make their own ACME client for automated LetsEncrypt certificate installation that they are going to integrate into their ‘Plus’ plan. Sounds cool right? I have a question though. Since they are not charging for the actual LE certs, but they are charging for encrypting the data that goes through using those certs. Is that allowed?


#2

Based on their site, it looks like they’re primarily charging you for use of a custom domain, not the SSL certificate itself. Their basic plan also offers SSL, but under their domain.


#3

well I think why charge for the custom cert I mean putting aside the other features, the LE cert is free and I dont see a reason why anyone should charge just for using your own cert, especially if they are giving out SSL for free even if it’s under their domain, so the cryptographic overhead cannot be counted and cert making appears once every 60 days and I dont think that requires that many ressources…


#4

Based on what NurdTurd said though, it’ll only be available with the “plus” plan which includes custom domain support, too. If the price is staying the same, the cost would be the same for the service, but you won’t have to purchase a certificate too.

Basically, it seems like they’re charging for the custom domain and other features, not for the LE certificate.


#5

They do not charge for a custom domain. They charge if you would like HTTPS with your domain. Meaning with the ‘Plus’ plan you can either add your own certificate or use a LE one.


#6

servicing HTTPS requests still consume server resources etc so while the SSL certificate is free, the HTTPS related resource consumption isn’t usually


#7

Right. That’s what I’m trying to get at.


#8

@eva2000 but they are already doing HTTPS for free even if it involves their own cert so the only thing that changes (aside from the other features) would be the cert, so that excuse doesnt count.


#9

So what’s the final verdict ? Is this legal?


#10

If they are offering something which is only available with their paid service, they’re effectively charging for it since it adds value to their service. There might be some exceptions to this general rule.


#11

yeah i guess but you’d have to ask them why as we don’t know their business model

afterall folks need to put food on their table and there is no such thing as a free lunch, someone has to pay


#12

Right. I get that they do need to support themselves in some way.


#13

yeah but just the feature of adding own certs isnt any cost or burden so it shouldnt cost anymore than the cost of using SSL in the first place.


#14

Well… LE certs are not licensed under CC-BY-NC.* :wink:
So de jure this is completely correct to do, but de facto it is of course (morally) questionable and users may not be very happy if they sell these certs. But legally nobody prohibits them from doing so.

* this would not even be a good idea, because I don’t like my private key to be shared - no matter whether it’s non-commercially and I am attributed with a huge banner. :laughing:


#15

Awesome. Thanks. I wanted to get the case clear.