You Get What You “Don’t” Pay For
After reading this headline, I imagine many of you are probably thinking, “Of course this guy is going to be against free SSL/TLS certificate programs. They’re giving away one of his company’s core products for free!” Well yes, I do work at a company that sells TLS certificates, but I’m not here to tell you these free programs are bad and you should obviously go with GlobalSign (or whoever) instead. I think anything that helps with more mainstream adoption of encryption is a great thing. I have to use the internet too, after all, and a little piece of me dies each time I see a form or payment page (or any page really) not using TLS.
Now, this post is geared toward the service provider and hosting company crowd – digital business is driving the need to encrypt everything. We’re hearing from more and more companies in this market that they want to start providing TLS as their own service to all their customers and these free TLS certificate programs are obviously catching their eye. Again, this is a good thing! I’m excited that these companies are investigating ways to make TLS easier for their customers, which in turn means a more secure, safer internet for everyone.
However, not all of these free programs are the same and there are some limitations. It’s important to not get hung up on the “free” aspect, but rather take a step back and consider what you’re actually looking for in a TLS solution and then compare your options. Below are some things I think you should consider if you’re looking at a free certificate program.
Do Your Customers Need Higher Trust Than DV Certificates?
We believe that any TLS is better than no TLS, since all certificates, regardless of assurance level, offer session security and encrypt any information submitted through the website. So depending on your needs (or more specifically, your customers’ needs), Domain Validated (DV) Certificates from a free TLS provider may be sufficient. However, if tying brand identity into their web presence is important to your customers, you may want to consider a TLS provider that can issue Extended Validation (EV) and Organization Validated (OV) Certificates. EV TLS offers the highest trust and lends the most credibility to websites because it prominently displays the company name in the browser’s address bar and turns it green. While OV Certificates contain the verified company info, they do not change the default browser behavior.
Providing multiple levels of assurance can also improve your customer experience (a customer who wants an EV Certificate can get one directly from you, rather than having to deal with another vendor) or give you a competitive advantage by expanding your service offering.
What Kind of Support Can You Expect, If Any?
If you choose a free TLS certificate vendor, you may have to pay for support (see the “‘Free’ Doesn’t Always Mean Free” section below) or receive no support at all. If you plan on handling your customers’ support issues yourself or leaving it up to them to sort out their own issues, then vendor support may not be that important to you. However, if you don’t have the capacity to handle support tickets in-house or you are providing TLS as a value-added offering that reflects upon your user experience, support is essential. If problems or issues are not resolved in an expedited manner, your customers aren’t going to be happy and you risk losing them. Additionally, you should ask the vendors that you are evaluating if they can meet required service level agreements (SLAs).
"Free" Doesn't Always Mean Free
In the business world, free or freemium products are often a path to get you to pay for something else. Commercial technology and software vendors are not giving you freeware out of the goodness of their hearts. When you want the full features, functions, advanced capabilities, or service and support, you then need to make a purchase or sign a service agreement. This tactic has been used by many technology companies past and present with great success.
When you are evaluating free TLS certificate options, you should be aware of any additional or hidden costs. While they may offer free DV Certificates, you need to evaluate the cost of the entire package. Consider:
- Is there a path to upgrade to TLS certificates that provide a higher level of assurance? If so, what’s the cost and process?
- Does the TLS vendor offer flexible licensing for all types of certificates and will the solution scale to meet your current and future needs?
- Are there any strings attached? For example, do they require you to commit to an annual sales number or certain marketing campaigns and initiatives?
- As mentioned above, do you have to pay extra for support?
- Are there any set-up or account fees?
- Some free programs offer free DV Certificates but require significant commitments to purchase OV and EV Certificates. You may find that the blended price for the package you need is actually less expensive from CAs with competitive pricing.
Is Free SSL/TLS Right for You?
Providing TLS as a Service (TLSaaS) for your customers makes encryption much more accessible and helps create a safer, more secure internet for everyone, so I encourage all service providers to investigate their options. At the end of the day, the solution and vendor you choose to power the integration, whether one of these free certificate programs or otherwise, is a decision only you can really make.
If integrating TLS is part of your business strategy and a value-added offering that differentiates you from others, then you must consider a TLS certificate provider that can deliver a complete solution – enabling you to automate and manage certificate lifecycles, provide the types of certificates your customers need, adhere to your support SLAs, and meet your customers’ expectations.