The hidden costs of free SSL

I've been invited to a webinar offered by OpenSRS/Tucows called "The hidden costs of free SSL." Their advertisement says, "[I]t’s important to understand and educate your customers on the benefits of paid SSL and the drawbacks of free certificates. And there are quite a few."

What in the world are they going to tell me?!


A marketing spiel intended to present greed as altruism, I would imagine...


If I had to guess, it'll probably be something like less revenue due to a decline in customers of your webshop or something like that. Not sure why that would be though.

I'm also guessing that for every argument they make, there's a counter-argument to be made.


I mean, I could certainly understand a good-sized organization wanting paid-for contractual support to help with issues rather than just "you can post on the community forums and hope some nice person helps you out". There are use cases and industries where having a number you can call when you have an issue and know that someone will pick up the phone is a good deal well worth what's being paid, and a part of corporate sourcing decisions for good reasons.

Much like a lot of corporately-used open source software, maybe you can find someone willing to just be the support contract to go along with a free CA. But if you're getting your support from the same place you get the certificates from, that's just one less thing that can go wrong. (And well, with DV certificates from other providers basically you are just paying for the support, I suppose.)

Not to mention that some industries could find an OV/EV certificate useful.

Of course, there are plenty of use cases where free SSL with community support works just fine to meet one's needs.


Probably something like that:


I've always wondered what that "Warranty" actually means. I reckon it's very, very hard to get any "warranty" for a TLS certificate and I wonder if there is a single soul in this world who has successfully claimed warranty for it.



Just as I thought: it's all marketing bllcrp.


I've always interpreted it as, "When the time comes, there might be a benefit, but you'll play by our rules."


Well, I always imagined it to be the way Scott Helme describes it: "When the time comes, we will laugh and laugh about your claim and because you didn't read the fine print, you can kiss your money goodbye."


I take the whole webinar thing as their desperate plea to plug the revenue drain. All that "free" profit disappearing.


I wonder if there will be anything new, or if it will just be a re-hash of old FUD like





Hi @timmerbu

searched, found that:

With two parts:

Advantages of free DV SSL certificates

Free and fast.


Advantages of Commercial DV SSL certificates


Longer lifespan. Commercial DV certificates can be purchased for 1-year or 2-year periods, meaning you’ll spend less time ordering and deploying certificates. Who wants to generate a CSR and reinstall a free DV certificate every 90-days?

Earlier I used a paid certificate. Creating a CSR and doing all these steps manually was required.

Now I run a program.


I've said elsewhere on the forum that it's possible that some users or search engines might see paying more than you have to for your hosting infrastructure as a sign of legitimacy. Paid certificates could be in that category. That is, it's showing that you have an infrastructure budget—something that perhaps certain scammers or simply less-established businesses don't have.

On the other hand, this signal is probably relatively weak and easy to fake.

It's interesting that the low barriers to entry for web hosting (which Let's Encrypt has helped reduce further!) could be viewed as a problem by some businesses which are used to being able to create indicia of legitimacy and trustworthiness either by spending money or by showing that they have the capacity to be sued (or punished by regulators) if they engage in wrongdoing. Those signs are harder to replicate online.

In the present moment it seems like some people are regretting the ease of online publishing and interaction and wishing that it were easier to create barriers to entry, or identify who was behind a site or account, or punish people for online wrongdoing, or quickly shut down allegedly fraudulent sites, or otherwise have more friction or more "substantiality" in the online world. It's easy to sympathize with some of those concerns, but PKI is probably not going to help solve most of them—if anything is.

Let's Encrypt was mostly made by people who like that it's really easy and cheap for anyone in the world to make a web site with minimal resources and few preliminaries, and have that web site be on par, in some ways, with a professionally developed web site from an established institution. That also has its major upsides, and the Let's Encrypt community is likely to focus on them. :slight_smile:


I agree. For an individual to come up with his own secure website should be as easy as growing tomatoes in his own backyard.


To be honest, Tucows owns several Domain Registrars so they have a vested interest in keeping people from using "Free" SSL. Besides, unless you are a large corporation you do not need anything more than Let's Encrypt Certificates.


Let's Encrypt was created to remove all barriers to encrypted communication and because identity verification has no connection to encryption; I read this when they made their case before they went live.


Amen to that, brother! :pray: That's what true equal opportunity looks like: removing that cost barrier! :money_with_wings:

