
Truly free SSL certificates are here!

I and many other people have been waiting for a decade for this, but truly free SSL certificates with a root certificate installed in every browser are finally available. It used to be that to get a signed cert, you had to shell out tons of money. That was and is a ripoff. SSL certs cost ISPs nothing to produce and are pure profit. Even the EV validated certs (green bar) are a huge ripoff - sure, the setup fee might make some sense where they do real checking, but, after that, the renewal process is entirely automated. Some places want $400 per certificate per year. This is one of the hosting/reseller industry's best-kept secrets.

I've been keeping a very close eye on the free SSL certificate market for a while now. Every couple of months for the past decade, I've run a search query like "free SSL cert" and looked carefully at the results.

The first organization that popped up on my radar was CACert.org. It was exciting when I first saw this because it merely confirmed what I knew all along: that SSL certificates cost nothing to produce. The only problem facing CACert was web browser and OS integration. After a few years of waiting for them to do something - anything - it became apparent that they were collapsing in on themselves. They seem to have a strong following in Europe, but that's it. They don't seem to be interested anymore in getting included in the root certificate store of every major browser and OS. Which is sad, because they seemed like they could potentially have pulled off something fantastic - a non-profit organization with the potential to even produce EV validated certs for free. They could have crushed the myth that SSL certs cost hundreds of dollars to produce.

SSL certificates are chains of certificates that trace to a root certificate. Every browser and OS has a list of root certificates that it can validate against. This is called the root certificate store.

The biggest hurdle is being included in the root certificate store of every major browser and OS. This allows the most popular SSL-enabled applications to trace the certificate back to a valid root. An SSL certificate also determines what the certificate was authorized for. Not all SSL certs are created equal. Some can be used for e-mail, some for web servers, some for code signing, etc.
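As an added example (not part of the original post), here is the chain-and-root-store idea from the two paragraphs above reproduced with the openssl CLI: a constructed three-certificate chain, verified with and without its root being trusted, then checked for two different purposes. The CA names, the hostname www.example.test and the file names are all placeholders.

```shell
#!/bin/sh
# Added example (not the post's): root -> intermediate -> leaf chain via the openssl CLI; all names are constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"
# Minimal req config: a DN section (overridden by -subj) plus the extension
# sets that make a certificate a CA, or a leaf authorized only for HTTPS.
cat > x509.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
# Root: self-signed; this is the kind of certificate a browser's root store holds.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config x509.cnf -extensions ca_ext \
  -subj "/CN=Example Root CA" -keyout root.key -out root.pem 2>/dev/null
# Intermediate: CSR signed by the root, with the CA extensions applied at signing.
openssl req -new -newkey rsa:2048 -nodes -config x509.cnf \
  -subj "/CN=Example Intermediate CA" -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 365 \
  -extfile x509.cnf -extensions ca_ext -out int.pem 2>/dev/null
# Leaf: web-server certificate signed by the intermediate, authorized for serverAuth only.
openssl req -new -newkey rsa:2048 -nodes -config x509.cnf \
  -subj "/CN=www.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial -days 365 \
  -extfile x509.cnf -extensions leaf_ext -out leaf.pem 2>/dev/null
# verify_leaf [PURPOSE]: walk leaf -> intermediate -> root with the root trusted,
# optionally checking one purpose; prints OK or FAIL.
verify_leaf() {
  if [ -n "$1" ]; then set -- -purpose "$1"; fi
  if openssl verify -CAfile root.pem -untrusted int.pem "$@" leaf.pem >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}
# verify_untrusted_root: same chain, but no trust store contains the root.
verify_untrusted_root() {
  if openssl verify -no-CAfile -no-CApath -untrusted int.pem leaf.pem >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}
echo "root trusted:        $(verify_leaf)"            # OK
echo "root not trusted:    $(verify_untrusted_root)"  # FAIL
echo "as web server cert:  $(verify_leaf sslserver)"  # OK
echo "as S/MIME cert:      $(verify_leaf smimesign)"  # FAIL
```

The last two lines are the "what was it authorized for" point: the same leaf passes as a web-server certificate and is rejected as an e-mail signing certificate because its extendedKeyUsage only lists serverAuth.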

Anyway, most people are usually just interested in setting up a web host with SSL support. A couple of years ago, a new startup called StartSSL appeared on the scene claiming free SSL certificates. What they were doing was interesting, but they lacked the usual browser and OS support. Then something happened. They started getting into the root certificate stores of browsers and OSes. About two years ago, they were in every major browser and OS except Opera. The list was impressive, but, without Opera support, it didn't matter for web developers.

Sometime in the past couple of months, it looks like Opera finally got up off their butts and approved them. Check out the list:

http://www.startssl.com/?app=40

As an interesting consequence of this, every domain/reseller provider out there has had to lower their SSL certificate prices to more reasonable levels to compete with this new threat. Which, again, only confirms that those high-priced SSL cert products are nothing but pure profit.

So there you have it. Free SSL certificates finally exist. Over the next couple of years, we will likely see other vendors doing the same thing to remain competitive. Some products will likely continue to cost money but people are going to learn to shop for the best deal. This will drive prices down everywhere to reasonable levels.

Comments

  1. This comment has been removed by a blog administrator.

  2. Thank you for sharing this!

  3. It looks to me like all these places that offer free ssl certs are only offering certs that are valid for a certain period like 30, 90 days or a year, then you need to pay to renew them.

    1. I use StartSSL free certs extensively and, while being a bit obtuse to set up, they truly are free SSL certificates that last a full year. There is no pay-to-renew model either. My only recommendation is to go try them out and then come back and share your experience.

      The only downside I've ever found with StartSSL is that some older browsers won't accept certificates signed by them. But those browsers are running under ancient, vulnerable operating systems that need to be upgraded.

  4. Replies
    1. This is true. StartCom made some mistakes that cost them dearly. The Israeli-based company sold out to China under WoSign and did not disclose that relationship. Even though it is old news, I recommend reading about it.

      For the record, I've never trusted SSL certificates signed by public CAs and I've never trusted a single bit of data encrypted using public CA certs. So I use Let's Encrypt certs with the same level of trust that I viewed StartSSL certs.

      The real solution to all of this is DNSSEC DANE TLSA. Within that is a very cool option: Public trust of a private CA root cert (mode 3) on a per-domain basis. That is, the ability for everyone to run their own private CA and have it be automatically trusted globally by all software. Truly secure data transfer. The downside? No browser or OS support even after 8+ years and, at this point, there is only one valid conclusion: This is intentional to allow government entities to watch all traffic unencrypted. We might as well not even have SSL/TLS as it only provides a false sense of security.

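The per-domain trust anchor the comment above describes is published as a DNS TLSA record. As an added example (not from the commenter or the post), the script below generates a constructed private root CA and derives the zone-file line for it; RFC 6698 calls the private-CA trust-anchor case certificate usage 2 (DANE-TA), while usage 3 (DANE-EE) pins the server's own certificate. The CA name, the domain www.example.test and the file names are placeholders.

```shell
#!/bin/sh
# Added example: derive the DANE TLSA record that publishes a private CA root
# as a per-domain trust anchor (RFC 6698 usage 2). All names are constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"
# Minimal config so "openssl req" runs without a system openssl.cnf;
# -subj below overrides the placeholder CN.
printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' > req.cnf
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config req.cnf \
  -subj "/CN=Example Private Root CA" -keyout ca.key -out ca.pem 2>/dev/null

# spki_sha256 CERT: SHA-256 over the DER SubjectPublicKeyInfo, i.e. TLSA
# selector 1 with matching type 1. Only the public key is hashed, so the
# record stays valid if the certificate is re-issued with the same key.
spki_sha256() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | sed 's/^.* //'
}

# tlsa_record HOST PORT USAGE CERT: the zone-file line the domain owner publishes.
tlsa_record() {
  echo "_$2._tcp.$1. IN TLSA $3 1 1 $(spki_sha256 "$4")"
}

# Cross-check: the same digest computed from the private key's public half.
spki_sha256_from_key() {
  openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | sed 's/^.* //'
}

tlsa_record www.example.test 443 2 ca.pem
```

A validating client that honours DANE would then accept any server certificate on that name whose chain leads to this key, without the root needing to be in any browser's root store.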
