Where To Get A Free SSL Certificate

Secure Sockets Layer (SSL) and its more modern version Transport Layer Security (TLS) are forms of encrypting data sent over a network. Both are commonly referred to as SSL. An SSL certificate is a great way to improve the security of your users. In the past the only way to get a verified SSL certificate was to pay a yearly fee, but these days verified SSL certificates can be obtained for free.

Encryption is a way of masking the data being sent from one place to another. It can be compared to sending a letter in an envelope. When users browse the Internet there are two types of connections they can make to a website, either HTTP or HTTPS. HTTP is non-encrypted traffic. This is the equivalent of sending a postcard: everyone who sees the postcard can read it. HTTPS uses SSL to encrypt data, making it unreadable to those who see the data in transit.

SSL is key for e-commerce websites. Without a form of encryption, no one would be willing to share their credit card information over the Internet. Not only credit card information, but many other types of sensitive information are encrypted using SSL. SSL makes the Internet a safer place, hiding the information sent between users so that hackers cannot get their hands on it.

If you run a website, especially a website where users upload any kind of data, you should highly consider using SSL. Google has recently stated that they will prefer HTTPS versions of a website in their search rankings.

In the past, an SSL certificate cost a yearly fee. More and more organizations are recognizing that using SSL makes for a safer and better user experience on the Internet. Because of this, a number of organizations have begun to offer free SSL certificates. Here are the best free SSL certificate sources.

Self Signed SSL Certificate

SSL is simply an encryption method. SSL itself is free and open source. This means that anyone could issue an SSL certificate. A self signed SSL certificate is one where a website simply makes its own SSL certificate. In terms of encrypting traffic, this works in the exact same way as a paid SSL certificate. The difference is that there is no source verification for self signed SSL certificates.

Because there is no source verification in self signed SSL certificates, no third party is vouching for the author of the certificate. This creates a security risk: a hacker can create a malicious SSL certificate. Because of this, all web browsers give users a warning when they cannot verify the author of an SSL certificate. You may have seen such a warning; it basically says that this SSL connection cannot be verified.

This browser warning is bad news for website owners. If a user goes to a website and gets a warning that they are likely not to understand (most people don't know what SSL is) they will simply leave that website. This is how you lose traffic.

Because of this, a self signed certificate is only a good option if the connection you are encrypting is internal and all the users will know to trust the self signed certificate. I have worked at companies which have used self signed certificates for internal websites that are only available to the company.

If a free self signed certificate is not an option, you must get an SSL certificate from a widely trusted and authorized source. These authorized sources are vetted to ensure that they offer valid SSL encryption. Web browsers maintain lists of these certified authorities, and any SSL certificate issued by a certified authority does not get the warning message that self signed certificates get.
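The trust behaviour described in this section can be reproduced with the openssl command line. The script below is an added example, not part of the original article: it creates two throwaway self signed certificates for the same constructed hostname (intranet.example.test) and shows that neither is trusted by default, that the real one verifies once it is explicitly trusted, and that a look-alike with the same name still fails.

```shell
#!/bin/sh
# Added example: self signed certificates and explicit trust (needs the openssl CLI).
# Hostname, directory and function names are constructed for this demo.

# Create a throwaway key and self signed certificate in directory $1 for name $2.
make_self_signed() {
    mkdir -p "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Succeeds only if an authority in the default trust store vouches for certificate $1.
trusted_by_default() {
    openssl verify "$1" >/dev/null 2>&1
}

# Succeeds only if certificate $2 verifies against the explicitly trusted file $1,
# which is what an internal client does after being handed the company's certificate.
trusted_when_pinned() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print "label: trusted" or "label: NOT trusted" for the check given after the label.
report() {
    label=$1; shift
    if "$@"; then echo "$label: trusted"; else echo "$label: NOT trusted"; fi
}

demo_self_signed() {
    dir=$(mktemp -d) || return 1
    make_self_signed "$dir/site" intranet.example.test        # the company's own cert
    make_self_signed "$dir/lookalike" intranet.example.test   # same name, different key
    report "real cert, default store" trusted_by_default "$dir/site/cert.pem"
    report "real cert, pinned" \
        trusted_when_pinned "$dir/site/cert.pem" "$dir/site/cert.pem"
    report "look-alike, pinned to real cert" \
        trusted_when_pinned "$dir/site/cert.pem" "$dir/lookalike/cert.pem"
    rm -rf "$dir"
}

[ "${1:-}" != demo ] || demo_self_signed   # run the demo with: sh selfsigned.sh demo
```

Only the middle check reports "trusted", which is why a self signed certificate works for internal sites only when every client has been given the real certificate in advance.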

Let's Encrypt

Let's Encrypt is an organization which offers free and verified SSL certificates. Again, the key here is that they offer verified certificates. Web browsers will not show users a warning when using these free SSL certificates.

Let's Encrypt is sponsored by a large number of Internet companies which all have a stake in seeing SSL encryption spreading to more of the Internet.

The biggest "downside" (this is a security feature) of Let's Encrypt is that you must re-deploy the free SSL certificate every three months. This can be automated using a shell script, but it is something you need to be aware of. Let's Encrypt will also send you an email warning if your certificate is about to expire and you have not renewed it.
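One way to script the expiry check that drives such a renewal job, as an added example that is not from the original article or from Let's Encrypt. It assumes the openssl command line, certificates stored as *.pem files in one directory, and a 30-day renewal window; the 90-day and 10-day certificates are constructed self signed stand-ins, and the step that actually requests a new certificate is left to whichever client you use.

```shell
#!/bin/sh
# Added example: flag certificates that are due for renewal (needs the openssl CLI).

RENEW_WINDOW_DAYS=30   # assumption: renew once fewer than 30 days of validity remain

# Exit status: 0 = renew now, 1 = still fine, 2 = file is not a readable certificate.
needs_renewal() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 2
    # -checkend N succeeds only if the certificate is still valid N seconds from now.
    if openssl x509 -in "$1" -noout \
        -checkend $(( ${2:-$RENEW_WINDOW_DAYS} * 86400 )) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Print one "STATUS path" line per *.pem file in directory $1.
renewal_report() {
    for cert in "$1"/*.pem; do
        [ -e "$cert" ] || continue
        rc=0
        needs_renewal "$cert" || rc=$?
        case $rc in
            0) echo "RENEW $cert" ;;   # a scheduled job would call its renewal client here
            1) echo "OK $cert" ;;
            *) echo "ERROR $cert" ;;   # unreadable file: surface it instead of ignoring it
        esac
    done
}

# Constructed stand-in for an issued certificate: self signed, valid for $2 days.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=www.example.test" \
        -keyout "${1%.pem}.key" -out "$1" >/dev/null 2>&1
}

demo_renewal() {
    dir=$(mktemp -d) || return 1
    make_demo_cert "$dir/fresh.pem" 90    # just issued
    make_demo_cert "$dir/aging.pem" 10    # inside the renewal window
    renewal_report "$dir"
    rm -rf "$dir"
}

[ "${1:-}" != demo ] || demo_renewal   # run the demo with: sh renew-check.sh demo
```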

They also currently do not support wildcard certificates.

If you do not like using the command line or do not have root access, you can use gethttpsforfree.com as a web interface for creating Let's Encrypt's certificates.

Start SSL

Start SSL offers both paid and free SSL certification. The difference between their free SSL certificates and their paid certificates is that the paid ones are validated more thoroughly. The more thorough the validation, the higher the cost. Something like Extended Validation is great if you are a healthcare provider or bank or someone who needs a high level of security because you are dealing with a lot of sensitive information. If you are instead a regular website owner, a free SSL certificate should be just fine.

The big issue with Start SSL is they charge a fee to revoke the certificate. This means if there is a new SSL vulnerability or you change providers you will have to pay a fee. For this reason I would recommend using Let's Encrypt over Start SSL.

CloudFlare

CloudFlare is mainly a content delivery network often used to prevent DDoS attacks. However, one feature they offer is SSL encryption of a sort. There are three ways in which CloudFlare SSL works. In the first, you do not have any kind of SSL certificate on your webserver. This means that the connection between your website and CloudFlare is unencrypted, but CloudFlare adds encryption between their servers and the end user. So part of the connection is encrypted, but not the whole connection.

A second method is to use a self signed SSL certificate on your webserver. This method encrypts traffic between your webserver and CloudFlare, and between CloudFlare and the user. CloudFlare does not attempt to validate your certificate.

The final method is the same as above, except that CloudFlare does authenticate your certificate.

[Figure: CloudFlare's SSL cert diagram]

Note that in all of the above, CloudFlare decrypts the traffic on their servers before sending it on to your webserver. This is because CloudFlare's main job is to block malicious traffic, and they are unable to do so if the traffic is encrypted. They have no way of knowing if traffic is legitimate or malicious if all traffic is encrypted. This means that using CloudFlare you will never have a fully encrypted connection between your users and your servers.

NameCheap

NameCheap is a domain name registrar. Like many domain name registrars they offer paid SSL certificates. Though not free, their SSL certificates are on this list as they are among the cheapest in the industry, starting at $9/year, and NameCheap is a well respected registrar with good support. If you are worried about needing technical support for your SSL certificate you may consider using NameCheap's paid certification.

If your users ever send any kind of data to your webserver, I would recommend adding some kind of SSL encryption to the connection. With cheap and free SSL certificates now available there is little reason not to.