With the number of options available to website owners these days, I don’t blame them if they suffer from a bit of choice paralysis :). Along with all the features available on different hosting products, they also need to figure out the details of an important part of their security, namely SSL.
Since last year, a huge change has occurred in the web hosting industry. SSL certificates used to cost money. Even though companies like NameHero had been providing free Let’s Encrypt certificates for at least a year before, it was still a paid inclusion for the major names. Then Google intervened and said that all non-HTTPS traffic would get a slight decrease in the SERPs, and the industry changed on a dime.
Personally, I don’t see any huge differences in ranking due to HTTPS traffic. There are so many sites that still rank incredibly well, despite being nominally “insecure”. Whether these are exceptions or the rule, I have no idea. What’s certain is that there is now a massive push towards SSL certification.
But should you pay for it? Probably not.
Let’s Encrypt and Free SSL
In August 2016, Let’s Encrypt released their cPanel plugin which allowed users to easily generate free SSL certificates on their site. These certificates are valid for a period of three months and need to be renewed regularly. Luckily, all this should happen automatically if everything is set up as it should.
Many hosting companies immediately implemented Let’s Encrypt certificates, including NameHero. The other big brands tried to get away from this as long as they could, before Google finally forced their hand. Now every major web hosting provider (with the notable exception of GoDaddy) offers free SSL certificates for their clients.
And so with one stroke, Let’s Encrypt almost single-handedly ended the need to purchase SSL certificates. With all major industry players adopting Let’s Encrypt, there was no need anymore for an ordinary website to buy expensive SSL certificates.
But What About Credit Cards and PCI Compliance?
If you run an e-commerce store and are thinking of accepting credit card information on your site to make payments, you need to be aware of something called “PCI Compliance”. This is a set of standards that credit card payment processors use to ensure that your site is safe and doesn’t jeopardize the security of users who trust your site.
One of the requirements for PCI compliance is having an SSL certificate. There’s a misconception that the standard certificates issued by Let’s Encrypt are not good enough for this. That belief is wrong. The SSL certs that you get from a cPanel interface like NameHero’s are every bit as secure as anything provided by the other certificate issuers who charge a hefty amount.
So is There EVER a Reason to Pay for SSL?
In my opinion, the biggest reason to pay for an “Organization Validation” or “Extended Validation” (EV) certificate is to further increase the trust a user has in your site. Normal Let’s Encrypt certs merely encrypt the traffic between your user and your server. They do not verify that you are who you say you are. They don’t check your business listings to make sure that you’re a legit company. A Let’s Encrypt certificate is purely technical in nature and doesn’t involve any human beings.
An Extended Validation certificate, on the other hand, actually verifies your business. As a result, your site can then display a green address bar with a lock on it to demonstrate to your users that you are a legitimate business entity.
But all this is just icing on the cake. By themselves, Let’s Encrypt certificates are every bit as technically secure as any other paid SSL solution. So don’t get caught by the marketing hype if someone tries to sell you an expensive SSL certificate. As long as you have Let’s Encrypt, it’s good enough!
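The two practical points above, the three-month lifetime that depends on automatic renewal and the difference between a domain-validated certificate and an OV/EV one, can both be checked from the certificate itself. The following is an added example, not code from the original post: it works on the dictionary that Python's `ssl.SSLSocket.getpeercert()` returns, uses constructed sample certificates, assumes a 30-day alert threshold, and classifies the validation level with a heuristic based on subject fields.

```python
import ssl
from datetime import datetime, timezone

# Subject attributes that only appear after the CA has vetted an organisation.
EV_FIELDS = {"businessCategory", "jurisdictionCountryName"}
RENEW_BEFORE_DAYS = 30  # assumed threshold: alert when fewer days remain

def subject_fields(cert):
    """Flatten the nested RDN tuples from getpeercert() into a dict."""
    return {key: value for rdn in cert.get("subject", ()) for key, value in rdn}

def validation_level(cert):
    """Heuristic: a DV subject carries no organisation details at all."""
    fields = subject_fields(cert)
    if EV_FIELDS & fields.keys():
        return "EV"
    if "organizationName" in fields:
        return "OV"
    return "DV"

def days_remaining(cert, now=None):
    """Whole days until notAfter; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return (expires - now).days

def audit(cert, now=None):
    """Summarise validation level and whether auto-renewal looks stalled."""
    left = days_remaining(cert, now)
    return {"level": validation_level(cert), "days_left": left,
            "renewal_overdue": left < RENEW_BEFORE_DAYS}

# Constructed sample data in the shape ssl.SSLSocket.getpeercert() returns.
DV_CERT = {"subject": ((("commonName", "shop.example"),),),
           "notAfter": "Jun 30 12:00:00 2025 GMT"}
EV_CERT = {"subject": ((("businessCategory", "Private Organization"),),
                       (("jurisdictionCountryName", "US"),),
                       (("organizationName", "Example Corp"),),
                       (("commonName", "www.example.com"),)),
           "notAfter": "Mar 15 12:00:00 2026 GMT"}

if __name__ == "__main__":
    today = datetime(2025, 6, 10, tzinfo=timezone.utc)  # fixed date for the demo
    for name, cert in (("DV", DV_CERT), ("EV", EV_CERT)):
        print(name, audit(cert, today))
```

A 90-day certificate that still has fewer than 30 days left usually means the automatic renewal job has stopped working, which is the failure worth alerting on.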
I’m a NameHero team member, and an expert on WordPress and web hosting. I’ve been in this industry since 2008. I’ve also developed apps on Android and have written extensive tutorials on managing Linux servers. You can contact me on my website WP-Tweaks.com!