(At least not if you are a financial organisation or need some form of extended validation/identity confirmation)
The SSL certificate marketplace is undergoing an extraordinary transformation. Once upon a time you could expect to pay a princely sum to obtain what is called an “SSL certificate”. This is effectively a piece of code that you install on a server (whether it be web, email, or similar) that allows you to encrypt data between two end points (a client such as a web browser and a web server, for example). The SSL certificate allows the client (browser) to identify the server it’s connecting to.
But as the Internet has grown, the need to protect data in transit (such as usernames and passwords, credit card details, or other personal information) has also increased. To that end there has been many attempts to provide free or cheap SSL certificates to all and sundry. Self-signed certificates are no longer good enough. Unless you explicitly trust a self certificate within your browser, you’ll see all manner of warning messages. No, a trusted third party must now be present to ensure that your communications in a web browser are secure.
SSL certificate prices have been gradually becoming cheaper and cheaper over past few years. I’ve picked up regular domain validated SSL certificates as little as 99 cents (US) or at the most around £2-3 per year. The drake.org.uk wildcard certificate (which protects an unlimited number of us domains with a single certificate) only cost me 40 quid for two years.
But now things are getting even cheaper – cheap enough to be FREE!
Let’s Encrypt has been one such effort to bring SSL certificates to the masses, for free. Completely free. Having left beta, we are going to see a lot of companies and organisations offer Let’s Encrypt as part of their product or service. cPanel, for example, will be integrating Let’s Encrypt as part of the next major release of cPanel/WHM. This means that providing that the server operator/hosting company you’re hosting with allows it, your web site will be protected by an SSL certificate for free – automatically.
CloudFlare is another company that’s offering free certificates. Their free tier allows you to encrypt between their servers and your own (origin) servers – combined with an origin SSL certificate that you install on your server that provides full, authenticated encryption between CloudFlare’s data centres and your server(s).
WordPress and Sucuri are also two other services offering free SSL certificates with their services.
So as you can see – the days of the paid SSL certificate appear to be coming to an end. The only exceptions are special SSL certificates that require additional validation and assurance – normally Extended Validation (EV) certificates – the ones you’ll normally see at a bank’s web site – the company name all in green alongside the green lock symbol. These certificates require a lot of paperwork. This consequently costs quite a bit more money (and time).
But for us mere mortals, we may well never have to spend a single penny on SSL certificates for our sites or services ever again. We can encrypt for free. And that’s a good thing.