Leading SSL Certificate Providers in 2020
Glance at the address bar of your browser, and you’ll see a padlock icon. You’ll also see that our website is loaded through the HTTPS protocol. This means that ScalaHosting.com has a valid SSL certificate.
Security experts maintain that SSL certificates are essential to any online project, and indeed, although not everyone is listening, the use of these certificates has grown quite a bit over the last few years. It’s the easiest way to tell your website’s visitors that you care about the security of their data, and you must ensure that your website has one.
With so many providers out there, choosing the certificate that best suits your needs could be difficult, though. Before we get to that, let’s see what an SSL certificate is and how it works.
What is SSL?
Straight away, you might run into some confusion. SSL stands for Secure Socket Layer – a cryptographic protocol that facilitates secure connections over a computer network. Although they are named after it, modern SSL certificates don’t use the Secure Socket Layer protocol.
Instead, they are now all based on Transport Layer Security (TLS) – SSL’s successor. While it’s difficult to say why the SSL name has stuck, it’s much easier to see why the importance of SSL certificates has grown so much over the years.
The job of an SSL certificate is to encrypt the data that flows between the client and the server with the idea of mitigating the risk of man-in-the-middle attacks.
As its name suggests, in a man-in-the-middle attack, a hacker captures the packets of information that travel between a user’s computer and a website that isn’t protected by an SSL certificate. These packets often contain sensitive information like login details, credit card numbers, etc., and if it’s in plain text, it can easily be stolen and misused. In the absence of an SSL certificate, the criminals could also alter the content that is delivered back to the user and thus redirect them to malicious pages or kickstart a scam operation.
Man-in-the-middle attacks have existed for a very long time, but in the past, this wasn’t really that much of a problem. The number of people connected to the web was much smaller, and so was the amount of sensitive information they shared on the internet. SSL certificates were rather expensive and slow to deploy and install, which is why only large online stores used to have them.
With time, however, more people got access to the internet, and the nature of the tasks they perform changed. Protecting their information suddenly became a priority, and SSL certificates became vital. Their presence is so important that over the years, internet browsers have implemented a number of changes, just so that it can be clear which websites have SSL certificates and which don’t.
How does an SSL certificate work?
An SSL certificate is, in essence, a file installed on the server hosting the website. It contains a public cryptographic key, information on the owner of the website/server and on the Certificate Authority (CA) that issued the certificate. The first step in establishing a secure connection is called the TLS handshake, and the client’s browser starts it by sending an initial message to the server.
The server responds to the initial message with a copy of the SSL certificate. The client’s browser checks the certificate to see if it trusts the CA that issued it, and if it does, it uses the included public key to encrypt and send the so-called “premaster secret” back to the server.
The premaster secret can only be decrypted by a private key that is stored on the server and is never shared with anybody. Both the client and the server use the decrypted premaster secret, along with other bits of data exchanged during the TLS handshake, to create the session keys – the cryptographic keys that will be used to encrypt the data from this point on. Every time a user accesses the website, the same process is launched, and a new, unique set of session keys is generated.
Why do we need SSL certificates?
An SSL certificate serves two main purposes. It uses a combination of asymmetric and symmetric cryptography to not only ensure that the data is protected in transit but also to guarantee that the client is communicating with the correct server.
During the TLS handshake, the user’s browser effectively authenticates the server and ensures that it’s not an impostor. Later, when the connection is established, it encrypts the data in order to guarantee that even if someone manages to intercept it, they can’t steal it or modify it in any way.
Although it involves some complex cryptography, in most cases, installing an SSL certificate is nowhere near as difficult as it used to be, and it’s widely considered to be the first and most important step towards securing your website.
Self-signed certificates, DV, OV, and EV
An SSL certificate doesn’t need to be expensive. Using free tools like OpenSSL, you can create your own SSL certificate and facilitate the secure connection between clients and your server without spending a penny. These certificates are called self-signed certificates, and they do have a number of legitimate applications. Securing a website in a production environment is not one of them, though.
They’re called self-signed because they are not issued by a Certificate Authority. While this may save you a whole lot of money, it somewhat defeats the purpose of having an SSL certificate in the first place.
One of the main goals of an SSL certificate is to assure the user that they’re communicating with the correct server. That’s why, when a CA issues a certificate, it performs certain checks to ensure that the person getting it really owns the domain and the underlying online business.
Browsers establish a secure connection only if they trust that the CA has done these checks. The absence of a CA means that visitors will see warnings when they try to connect to your website.
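Added example (not code from the original article): the trust decision described here and the premaster-secret step from the handshake section, reproduced with OpenSSL. The host name shop.example.test, the "Demo Root CA" and all file names are constructed, and a private demo CA stands in for a publicly trusted one.

```bash
#!/usr/bin/env bash
# Added example. Names (shop.example.test, "Demo Root CA") are constructed.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT

# Minimal config so the demo does not depend on the system openssl.cnf.
cat > "$DEMO_DIR/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:shop.example.test
EOF

build_demo_pki() (
  cd "$DEMO_DIR" || exit 1
  new_key="-newkey rsa:2048 -nodes -config demo.cnf"
  # Private demo CA, standing in for a publicly trusted CA.
  openssl req -x509 $new_key -days 30 -extensions ca_ext \
    -subj "/CN=Demo Root CA" -keyout ca.key -out ca.crt 2>/dev/null || exit 1
  # Self-signed site certificate: the site vouches for itself.
  openssl req -x509 $new_key -days 30 -extensions leaf_ext \
    -subj "/CN=shop.example.test" -keyout self.key -out self.crt 2>/dev/null || exit 1
  # CA-issued site certificate: the site sends a CSR, the CA signs it.
  openssl req -new $new_key -subj "/CN=shop.example.test" \
    -keyout leaf.key -out leaf.csr 2>/dev/null || exit 1
  openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 30 -extfile demo.cnf -extensions leaf_ext -out leaf.crt 2>/dev/null
)

# Client-side trust decision: the trust store holds only the demo CA.
is_trusted() {
  openssl verify -CAfile "$DEMO_DIR/ca.crt" "$1" >/dev/null 2>&1
}

# RSA key transport as described above: encrypt a 48-byte premaster secret with
# the public key inside the certificate ($1), then try to recover it with the
# private key in $2. (TLS 1.3 replaced this step with ephemeral Diffie-Hellman.)
premaster_round_trip() {
  openssl rand -out "$DEMO_DIR/pms.bin" 48 &&
  openssl pkeyutl -encrypt -certin -inkey "$1" \
    -in "$DEMO_DIR/pms.bin" -out "$DEMO_DIR/pms.enc" 2>/dev/null &&
  openssl pkeyutl -decrypt -inkey "$2" \
    -in "$DEMO_DIR/pms.enc" -out "$DEMO_DIR/pms.dec" 2>/dev/null &&
  cmp -s "$DEMO_DIR/pms.bin" "$DEMO_DIR/pms.dec"
}

build_demo_pki || { echo "openssl failed" >&2; exit 1; }
for c in leaf.crt self.crt; do
  if is_trusted "$DEMO_DIR/$c"; then echo "$c: trusted"; else echo "$c: rejected"; fi
done
premaster_round_trip "$DEMO_DIR/leaf.crt" "$DEMO_DIR/leaf.key" && echo "server key recovers the secret"
premaster_round_trip "$DEMO_DIR/leaf.crt" "$DEMO_DIR/self.key" || echo "any other key does not"
```

Both site certificates carry the same host name and key size; the only thing that changes the verification result is whether a CA in the client's trust store signed them.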
If you want to show that you take users’ security seriously, you need to have an SSL certificate issued by a trusted CA. You’ve got plenty of vendors to choose from, but before you get there, you need to decide what sort of SSL certificate you’re going to need.
The different types of certificates don’t vary too much in the way they work. When it comes to protecting people’s data, they all do the same job. The difference is in the level of validation the certificate holder needs to go through in order to assure visitors that they’re doing business with a legitimate entity. Here’s how the different types of SSL certificate work:
- Domain Validation or DV certificates – this is the easiest, cheapest, and fastest way of obtaining an SSL certificate from a certificate authority. DV certificates are issued to the person that is listed as the owner of the website’s domain name. The CA does no further validation of the identity of the people or organizations standing behind it, which is why the creation of the certificate is pretty much instantaneous.
DV certificates are suitable for personal and small business websites that don’t deal with excessive amounts of sensitive information. In 2014, a CA by the name of Let’s Encrypt started issuing free DV certificates, and so far, it has helped protect a significant portion of the world’s websites. In light of this, you really have no excuse for running a website without an SSL certificate.
- Organization Validation or OV certificates – if you run a small or medium-sized business, you want all the credibility boost you can get, and an Organization Validation (OV) certificate could very well be what you need. This time, you don’t get a certificate but rather apply for it.
There’s a vetting process during which the CA does some background checks on the organization registered as the owner of the domain. Things like contact information and registered physical address are checked, and the certificate is issued only if the CA sees no problems.
When users click on the padlock icon in the address bar, they can see the name of your organization, and they know that you’ve passed the background checks. As a result, they are more likely to do business with you. Issuing an OV certificate could take up to a couple of days, and they are significantly more expensive than the DV alternatives.
- Extended Validation or EV certificates – the more popular your organization or e-commerce website, the more likely it is that someone is trying to impersonate you. That’s why large businesses go for the most expensive and hardest-to-obtain type of SSL certificate – the Extended Validation (EV) certificates.
Before it issues an EV certificate, the CA does some pretty extensive background checks on the organization and/or individuals applying for it. Quite a few strict rules are followed, and the process could take up to a week. EV certificates are pretty expensive as well, but the additional trust they instill in users could make the investment worthwhile.
2020’s leading SSL certificate providers
If you’re in the market for an SSL certificate, it’s fair to say that you’re spoiled for choice. The number of SSL certificate providers is enormous, and the solutions vary wildly both in terms of pricing and in the options they offer. Let’s go through some of the most prominent SSL certificate vendors.
DigiCert describes itself as one of the leading global providers of identity and encryption solutions, and it must be said that the company was certainly given a massive boost in 2017 after it acquired Symantec’s SSL certificate business.
As a result of the acquisition, all but the entry-level certificates issued by DigiCert come with a seal, denoting that the website is protected by Norton, Symantec’s flagship security product. Another advantage of DigiCert-issued certificates is the easy-to-use management platform that users get.
Although it has always existed as a separate brand, GeoTrust was owned by Symantec up until 2017, and it, too, is now under DigiCert’s wing. It’s the first Certificate Authority to use the Domain Validation method, and although the focus has shifted somewhat towards the EV business, owners of small and medium-sized websites can still find what they are looking for. Compared to the competition, though, the prices seem more attractive only for the more expensive certificates.
RapidSSL is GeoTrust’s consumer-oriented branch. The focus is entirely on DV certificates, and the prices are competitive. RapidSSL is praised for the technical support that is available through chat and email and for the installation tools that come as a part of the package. Because RapidSSL is a part of the GeoTrust/DigiCert family, the certificates issued by it can be managed from the CertCentral management platform.
Comodo Security Solutions, Inc. used to be the parent company of Comodo CA, Ltd, a Certificate Authority based in the UK. In 2018, Comodo CA was sold to an American private equity firm called Francisco Partners, which later announced plans to re-brand it as Sectigo.
The name Comodo is still used to this day, however, and under it, you can find some of the most affordable SSL certificates on the market. Not surprisingly, the biggest discounts are available only for the five-year plans, and you do need to bear in mind that sometimes, Comodo SSL certificates with higher levels of validation take a bit longer to be issued.
Entrust Datacard’s roots can be traced back to 1969 when Datacard Group was founded and entered the credit card printing industry. In 2013, Datacard acquired Entrust, an identity management enterprise that has been around since 1994 and offers a wide range of online security products and services. SSL certificates represent a significant part of Entrust’s business.
Entrust Datacard doesn’t offer DV certificates. Its OV and EV solutions are aimed at organizations willing to pay good money for an SSL certificate. In exchange, Entrust’s customers get expert support from people with a lot of experience in the industry.
GlobalSign is one of the oldest and most well-recognized certificate authorities out there. Its packages can cater to both small personal websites and large e-commerce platforms and financial institutions, and the certificates it issues are often bundled with a number of other features and functionalities that could be very useful for many website owners.
In addition to this, GlobalSign is famed for the quality of its technical support. The downside of all this is that the certificates are far from affordable.
As you may have guessed, unlike the other SSL certificate providers we’ve mentioned, SSL.com’s main focus is on SSL certificates. It has a wide range of products that can fit the needs of your website, no matter how big or popular it is. The pricing is relatively competitive as well, though the really good bargains are only available if you commit to a longer-term plan.
Thawte may not be the most recognized name on our list, but it’s still a pretty big player in the business. It’s been around since 1995, and it started off as a project for the creation of a new web server based on Apache. Later, the focus shifted towards the certification business, and in 1999, the company was acquired by Verisign.
In 2010, Symantec bought Verisign, and when DigiCert acquired Symantec’s business seven years later, the Thawte brand was transferred too. Thawte has apparently issued more than a billion certificates, and part of its commercial success is due to its competitive pricing and the easy-to-use certificate management tools.
What makes a good SSL purchase?
There should be no doubt in anyone’s mind that you need an SSL certificate for your website. As you can see, however, there are more than a few options and many different vendors to choose from. So, what are the things that you need to bear in mind before you reach for your wallet?
First and foremost, you need to be aware of the requirements of your project. If you’re creating a personal blog where you’ll share your thoughts every now and again, for example, there’s no point in shelling out hundreds (or even thousands) of dollars per year for an EV certificate. In fact, for these kinds of projects, a free Let’s Encrypt certificate could be everything you need.
Moving further up, however, things get a bit more complicated. If you’re going to do any sort of business through your website, you might want to consider going for one of the paid options. The certificates themselves won’t add extra security from a technical point of view, but they could lend you some extra credibility, especially if you go for an OV certificate.
Picking an Extended Validation SSL for a new project might not be the best call. The certificates are quite expensive, and recent changes implemented by browser vendors mean that it’s now much harder for the end user to differentiate between an EV and an OV certificate. EV solutions should be reserved for popular websites that deal with tons of sensitive data.
Once you have decided what sort of certificate is right for you, you need to pick the certificate vendor. You could do worse than shop around for a bit. Prices vary a lot, and you need to be sure that if you go for the more expensive options, you will get something in return for your money.
Why we offer GeoTrust and Symantec certificates
You don’t need to purchase your SSL certificate from the Certificate Authority. Scala Hosting customers can get one straight from us. They can choose from five different offerings from GeoTrust and just as many from Symantec.
GeoTrust’s solutions are more budget-friendly, with the regular RapidSSL DV certificate coming in at just $30 per year and the more expensive solutions costing between $225 and $450 per year. In absolute terms, Symantec’s certificates you can get from us are much more expensive. The cheapest DV certificate, for example, costs $149 per year, though it is a wildcard certificate, which means that you can protect additional subdomains with it at no extra cost.
Both GeoTrust’s and Symantec’s certificates have their own set of advantages. GeoTrust’s offerings are significantly cheaper and could be the only solution for website owners on a tighter budget. Symantec, meanwhile, could give your project a massive credibility boost because before the acquisition by DigiCert, 90% of Fortune 500 companies used Symantec certificates. In addition to this, although they are quite a bit more expensive, under some circumstances, they could prove to be a more cost-effective solution.
Once again, which of the certificates we offer suits your needs the best is for you to decide.
Some people continue to maintain that if your website doesn’t have a login form or a checkout page, you don’t need an SSL certificate. This couldn’t be further from the truth.
An SSL certificate doesn’t just encrypt the communication between a server and a client. It also acts as a guarantee that you are communicating with a legitimate website. Installing and configuring an SSL certificate used to be expensive and tiresome, but things have fortunately changed now. If your website isn’t protected by an SSL certificate, you must fix this mistake as quickly as possible.
What is the purpose of an SSL certificate?
An SSL certificate serves two main purposes. It first assures the user’s browser that it has established a connection with the correct server, and it then encrypts all the information that is exchanged between the website and the user in order to protect it from man-in-the-middle attacks.
What are the differences between all the SSL certificates on the market?
Although there are quite a few different types of SSL certificates offered by many different vendors, they all tend to use similar encryption mechanisms, and from a purely technical perspective, they all do pretty much the same job.
The main difference comes in the mechanisms that verify your identity before the issuance of the certificate, and in the visual indicators users get when they visit your website. The more expensive the certificate, the more thorough the vetting process, and the higher the chance of people trusting you with their sensitive information.
I don’t have an e-commerce website. Do I need an SSL certificate?
Yes, you do. An SSL certificate’s main task is to encrypt the information flow between a server and a user, but it also confirms the authenticity of the server. More and more people know all about the importance of having an SSL certificate, and they are likely to avoid your website if you don’t have one, regardless of whether or not you are trying to do business through it.
Is it worth paying for an SSL certificate?
In the past, it was impossible to have an SSL certificate without paying good money for it. In 2016, however, the Electronic Frontier Foundation, the Mozilla Foundation, and the University of Michigan founded Let’s Encrypt with the support of a number of security companies and web hosting providers.
Let’s Encrypt is a Certificate Authority that can issue a domain validation SSL certificate completely free of charge. For many bloggers and small business owners, a free Let’s Encrypt certificate is enough to guarantee the secure interaction between users and websites.
That being said, paid certificates, especially the ones with a higher level of validation, offer more visual indicators that can assure visitors that it’s safe to continue using the website. For online businesses, this could make the investment worthwhile.