I have wanted to talk about SSL certificates for quite a long time now

I have wanted to talk about SSL certificates (the thing that makes a site open over https) for quite a long time now.

Quite often, our clients ask for recommendations on what certificate they need, where to buy it, and why the price varies from provider to provider.

So what does SSL/https do?

Imagine you need to call a friend of yours, say, Nick, to pass on information of special importance. Today a lot of people are concerned about their privacy, since a GSM call can be intercepted. Consequently, they look for a "secure channel" for their conversation. Some people choose applications like Viber or Skype, and some use encrypted Internet telephony so that the communication channel is secure.

SSL/https is one of the means of protecting a communication channel. By using SSL/https you secure the data travelling between your computer and the server of the site you are working with. Otherwise, an attacker who intrudes on your connection to the site can obtain the following types of data:

  • the list of pages you visited;
  • session markers (for example, if you added an item to the shopping cart);
  • logins, passwords and search queries;
  • any other data that you send to an unprotected site.

With SSL encryption in use, only the domain name and the service port to which the data is sent are visible to the attacker. The rest of the data is simply inaccessible.

It is also necessary to address the following popular statement:

If your site is "read-only" (for example, a corporate site, a landing page, a static site directory, etc.) and you do not expect users to enter any kind of data, you can safely do without an SSL certificate and use http only.

Unfortunately, this is a popular misconception.

Nowadays, many search engines rank a site lower in the listing if it does not have an SSL certificate. In fact, a certificate is necessary for all sites.

Here is an example. Our corporate site is completely static and has hardly any server logic. It is an information site with many pages. Hacking it is meaningless, and so is hacking its visitors. Nevertheless, the site has a feedback form where visitors leave their data so we can contact them - link. This is exactly where the vulnerability lies: without https encryption, an attacker can intercept user data such as their name, email, sent files and any passwords in the text of the message.

With an SSL certificate and encryption in use, intercepting that data becomes significantly more complicated.

Why buy a certificate from a provider instead of creating it yourself?

An SSL certificate consists of three basic elements:

  1. the certificate itself,
  2. private (hidden) encryption key,
  3. public (open) encryption key.

Think of a key as a very large, 1024-character password. Without delving into encryption algorithms, it is obvious that the longer the password, the harder it is to break. The certificate contains information about the identity of its owner and its issuer. You can generate all three elements yourself, and it is absolutely free.

But there is one catch: no one except your own computer will be able to verify the authenticity of the secure connection, since no one else has any information about your keys.

This is where a certificate provider (registrar) comes in: it stores the public data about the certificate and provides it to any requestor. So when you visit an https resource, your browser looks at who issued the certificate, makes a request to the registrar's server and checks whether the certificate issuer and public keys match what the resource claims. Only then does the browser identify the resource as secure.
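To make the two paragraphs above concrete, here is an added example (not code from the original article) in Go, using only its standard library. It generates the three elements, a key pair plus a self-signed certificate, then a second certificate issued by a constructed "registrar" CA, and checks each one the way a browser would: against a visitor's trust store that knows only the registrar, and against the owner's own store. The hostname and CA name are constructed placeholders.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// makeCert produces the three elements listed above: a certificate for name plus its key pair.
// With parent == nil the certificate is self-signed; otherwise parent/parentKey issue it (the registrar's role).
func makeCert(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // public (open) and private (hidden) key
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name}, // identity of the owner
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(90 * 24 * time.Hour), // 90-day lifetime, like Let'sEncrypt
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{name}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, priv // no registrar: we sign our own certificate
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}
// Run performs the three checks and reports whether each certificate was accepted.
func Run() (selfSignedAtVisitor, selfSignedAtOwner, issuedAtVisitor bool) {
	const host = "shop.example" // constructed hostname
	pool := func(c *x509.Certificate) *x509.CertPool { p := x509.NewCertPool(); p.AddCert(c); return p }
	trusted := func(c *x509.Certificate, roots *x509.CertPool) bool { // what a browser holding roots decides
		_, err := c.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
		return err == nil
	}
	selfSigned, _ := makeCert(host, false, nil, nil)
	registrar, registrarKey := makeCert("Example Registrar CA", true, nil, nil) // constructed CA name
	issued, _ := makeCert(host, false, registrar, registrarKey)
	return trusted(selfSigned, pool(registrar)), // visitor's browser: knows the registrar, never saw your key
		trusted(selfSigned, pool(selfSigned)), // your own computer, which trusts what it generated
		trusted(issued, pool(registrar)) // visitor's browser checking the registrar-issued certificate
}
```

Run() returns (false, true, true): the home-made certificate is accepted only by the machine that made it, while the registrar-issued one is accepted by anyone who trusts the registrar.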

What prevents someone from setting up as a registrar and installing a server that confirms the authenticity of certificates?

Money, a lot of it. For a couple of decades the price was incredibly high, even for one or several certificates. Once there was a monopoly, and only 3-5 companies issued certificates. Now anyone can become a provider.

To do this you need to:

  • Create your own server infrastructure for storing and issuing certificates (or buy it at a high price);
  • Obtain certification against security standards;
  • Send requests to be added to the registries of all companies that check certificates in any way (for example: Microsoft + Windows, Apple + MacOS + iOS, Google + Android, other operating systems, and browsers such as Firefox, Chrome, Safari, etc.). Almost every company requires going through its own procedure of verification, standardization and so on. The whole process is rather expensive and long.

Why does the price differ significantly (for example, $15 and $150 per year)?

It is necessary to understand the factors that form the price:

  1. The actual issuing of the certificate is a few seconds of processor work, the cheapest part.
  2. Annual storage of the certificate on the provider's servers is a little more expensive than issuing it.
  3. User account – some companies include it in the price to recoup their investment and keep user accounts updated.
  4. Commission.
  5. Support in case of questions or a request for manual verification of the applicant. This is the most expensive service in the certificate. It takes 2-3 hours of a professional's work, and if the provider is in a country like Ukraine, an hour of routine work there is cheap ($2+), but if the provider is in the U.S., an hour is more expensive ($30+).
  6. Insurance is another important aspect that affects the cost, depending on the location of the provider and its insurance partner. Insurance comes into force if your certificate was hacked and important data was accessed. Many companies offer the same certificate with different insurance plans at different prices. In reality, it is rather difficult to prove that the certificate was hacked. Consequently, in countries like Ukraine insurance exists de jure rather than de facto.

There are no certificate providers in Ukraine; it is too expensive. Instead, on preferential terms, we have companies that resell the issuance of certificates and save money by cutting staff salaries and insurance payments.

Should one take the most expensive certificate, the one that displays the name of your company in a green box with a little lock? It is a perfect option for boosting one's self-esteem or for visual distinction, but, with cheaper options available, nothing more than that.

Free certificate

Today there is another option for getting a certificate: the Let'sEncrypt registrar. There you can get a working certificate, with some restrictions, absolutely free.

A little introduction

Over time, the concept of a commercial certificate developed a significant drawback. In the early 2000s, if a developer created a prototype or a mini-version of a big idea, or an investor started a new web startup, it was necessary to purchase a security certificate to secure the data transmission channel. Prices started at $50+. So, for example, if a student was doing a term paper and intended to demonstrate a secure connection, s/he had to buy a certificate. Without a verified certificate, every time an https page loaded a "connection is not secure" message appeared, which is not the best option for demonstrating a project, is it?

Every year the number of geek programmers like this grew, and it became easier to enter the web development industry. Today even housewives can create a website about themselves basically for free, just by following instructions. Technologies have become more accessible and hosting has become almost free, but certificates still cost $50+, the same as before. Imagine that you need a page about yourself, with your own domain name, fully indexable by search engines. You buy a $10 domain and hosting for $2-5 per month, and create a site on a convenient CMS with a free template (for example, AcroCMS). And that's it. Today you have paid only $15. Then the search robot sends you a recommendation: "Move your website to https to get higher rankings in search engines". But for the same cost you could make 3 more sites like this.

Let me remind you of a couple of things included in the price of a certificate:

  • Insurance, which basically remains useless.
  • Support service, which, in case of a problem, amounts to someone reading you a page from the manual. Since 2003 we have filed dozens of different certificates for registration as part of developing projects from scratch, and contacted the support service only once, when they failed to verify, in the U.S., a company registered in Eastern Europe. The company got a refund.

Thus, in April 2016, Let'sEncrypt appeared: a new certificate registrar. It is a fully automatic service that lets you create free certificates for your domain name.

It is free of charge for the following reasons:

  • Insurance was eliminated as unnecessary.
  • Automating the process made technical support redundant. The registrar can check whether the domain belongs to you without human participation. As for the expenses of the old services, this process has also been automated for a long time now.
  • Among the creators/sponsors of the new registrar are Cisco, Mozilla and the University of Michigan. The first makes hundreds of thousands of routers; when you log into a router's web interface, the channel needs protection from "backdooring", otherwise all your data can become accessible to someone else, so a step like this saves them a great deal of money. The second is not just a browser but a whole foundation whose products include a programming language and an operating system, and an active supporter of free software. The third is a university that in this way lets millions of students and geeks create their own https mini-projects.

In less than 2 years the project has established itself in the development of small sites and web applications. Many hosting companies have built in support for Let'sEncrypt to simplify obtaining a certificate and renewing it automatically every 90 days.

On the other hand, there are several negative aspects:

  • Let'sEncrypt strictly limits the number of requests from one IP per hour, so that unscrupulous users cannot create thousands of certificates per minute and use the service for mercenary purposes. But even so, there is a risk of being locked out for a couple of hours in case of a domain authorization error.
  • Obtaining a certificate requires a little more knowledge than clicking a few buttons. Although hosting companies have developed user-friendly interfaces, there are projects where such a certificate requires manual installation and renewal every 90 days, and a specialist's setup service might turn out to be more expensive than buying a certificate for a year.
  • The service does not issue corporate certificates, as that is not its niche. Therefore large companies and businesses will need to keep buying certificates as before.

Thank you.
