We all love getting something free, but sometimes the free item can cost us a lot of time and money in the long run – likely more than we would’ve been willing to pay for it in the first place. Today, we’ll discuss whether this type of harsh life lesson might apply to securing your website and protecting your website visitors’ private information.

What are HTTP, Https, SSL and TLS?

Before we jump into the differences between free and Premium certification services, let’s look at what encryption is and why it’s so important to your company and your customers.

A company’s website gathers customer information in multiple ways: forms, registration credentials used for log ins, credit cards, etc. This sensitive information generally passes through dozens of servers and networks as it travels between your website and its final destination. At any stage in this treacherous journey the information can be intercepted by nefarious types and used with malicious intent, thereby destroying any trust or brand loyalty you had earned and potentially costing you a lot of money. A Secure connection safeguards against this by encrypting the user’s information before it leaves your site, and then decrypting it again when it arrives at its destination.

You may be familiar with HTTPS (or HTTP) because it comes before URLs in the address bar of your browser. HTTPS stands for Hypertext Transfer Protocol Secure, and is a layered combination of the Hypertext Transfer Protocol (the foundation of data communication for the web) and SSL/TLS protocol (Secure Sockets Layer and Transport Layer Security [a cryptographic protocol that enables secure communications over the net, with TLS being the successor to SSL]).

A secure HTTPS connection is provided via the use of a Secure Certificate, which gives your website a stamp of authenticity and security. This lets your visitors know they can both trust that the pages on your site are indeed authentic, and that you can be trusted to handle their sensitive information. For a deeper understanding of how HTTPS works, head here.
 

Which websites should have a secure certificate?

It used to be that HTTPS certification was only necessary for websites that dealt directly with high risk financial information like credit cards and bank account details, and personal communications i.e. e-commerce, banking and email platform sites. But in recent years, Google have ramped up their efforts to keep accounts and information private and secure, and to protect page authenticity across a wider variety of websites.

Sites with a secure HTTPS connection are identified by a closed green padlock icon and the word ‘Secure’ to the left of the URL in the address bar of your visitor’s browser – this tells them you value their privacy and have taken steps to secure it.

This is what you see in Chrome when you visit an HTTPS-certified website:

In January 2017 Google changed their Chrome browser so that websites with unsecured HTTP connections now have an ‘i’ icon displayed to the left of the address bar. Clicking on this icon warns the visitor that site is not secure. In October 2017, they went one step further, making ‘Not secure’ text display beside the ‘i’ icon when the visitor starts to enter data in any kind of field on an HTTP site. This is a sure way to make your visitor think twice before trusting your company with their sensitive information. Google have indicated that in the future all HTTP sites will display a ‘Not secure’ warning as soon as the site loads.

Here’s what you see if you visit a non-secure site:

 

Non-secure websites show the following when clicking the information icon:

Another reason to get your site HTTPS certified is that Google have decided that websites with HTTPS connections are safer and more secure than those without and these sites are rewarded with a slight preference in search results.

For further information, take a read of our post on Why We Recommend Secure (SSL) Certificates for All of Our Clients.

Premium vs. Free – Our position on it

To enable HTTPS on your website, you need to get a secure certificate from a Certificate Authority (CA). CA’s can offer either free or a paid (premium) certification.

So why would you pay for a premium certification when you can get it for free? As with most free services, the offering isn’t as all-inclusive as a paid service, so it’s important to understand what you’re missing out on.

As an example, in April 2016 the Internet Security Research Group (ISRG), a US based public benefit group focused on Internet security, launched Let’s Encrypt, a free, automated and open CA offering digital HTTPS certificates.

The free Let’s Encrypt service is aimed at businesses with smaller websites that don’t process confidential information and is a great ‘fit for purpose’ service for websites that only require very basic security.

However, if your website contains pages that request any personal information from your visitors such as:

• Contact or other web forms
• Account registrations – where users then log in with a username or password
• Shopping Carts – where credit card information must be submitted

Then you are asking for private and confidential information and therefore the Free Let’s Encrypt certification is definitely not for you. As a website owner it is your responsibility to keep your website visitor’s data secure.

Other areas left lacking by the free Let’s Encrypt certificates, that are taken care of with our premium certificates, include:

1. Only the domain name is verified (and not the organisation),
2. They focus solely on HTTP traffic (with no provision for e-mail or file transfers),
3. They provide no guarantee in the case of abuse occurring,
4. They don’t give an additional trust seal like a premium SSL certificate, and
5. Renewal is required every three months (rather than annually).
   
   

Locking all the doors

When we leave our cars, we lock all the doors, not just a couple to give the illusion of a secured vehicle. For the same reason, we don’t endorse free encryption services – sure it's cheaper but why take the risk?  We take website security very seriously, and only use premium HTTPS certificates. With our decades of experience in website security, and many hours of research into Certificate Authorities, we believe that the SSL Certificates that we use (issued by Digicert Rapid SSL) offer the best protection for price of any SSL Certificate on the market, and the cost is well worth the peace of mind it offers.