I’m curious what the benefits are of paying for SSL certificates vs using a free provider such as letsencrypt.

What exactly are you trusting a cert provider with and what are the security implications? What attack vectors do you open yourself up to when trusting a certificate authority with your websites’ certificates?

In what way could it benefit security and/or privacy to utilize a paid service?

And finally, which paid SSL providers are considered trustworthy?

I know Digicert is a big player, but their prices are insane. Comodo seems like a good affordable option, but is it a trustworthy company?

  • somenonewho@feddit.org
    link
    fedilink
    English
    arrow-up
    15
    ·
    2 months ago

    Worked as a sysadmin for years dealing with all kinds of certificates. Liek others have said if you can’t automate the process a paid certificate buys you 12 months at a time in validity. Also wildcard certificates are more difficult to do automated with let’s encrypt. If you want EV certificates (where the cert company actually calls you up and verifies you’re the company you claim to be) you also need to go the paid route

    In my experience trustworthyness of certs is not an issue with LE. I sometimes check websites certs and of I see they’re LE I’m more like “Good for them”

    • Laser@feddit.org
      link
      fedilink
      English
      arrow-up
      11
      ·
      2 months ago

      Also wildcard certificates are more difficult to do automated with let’s encrypt.

      They are trivial with a non-garbage domain provider.

      If you want EV certificates (where the cert company actually calls you up and verifies you’re the company you claim to be) you also need to go the paid route

      The process however isn’t as secure as one might think: https://cyberscoop.com/easy-fake-extended-validation-certificates-research-shows/

      In my experience trustworthyness of certs is not an issue with LE. I sometimes check websites certs and of I see they’re LE I’m more like “Good for them”

      Basically, am LE cert says “we were able to verify that the operator of this service you’re attempting to use controls (parts of) the domain it claims to be part of”. Nothing more or less. Which in most cases is enough so that you can secure the connection. It’s possibly even a stronger guarantee than some sketchy cert providers provided in the past which was like “we were able to verify that someone sent us money”.

      • i_am_not_a_robot@discuss.tchncs.de
        link
        fedilink
        English
        arrow-up
        3
        ·
        2 months ago

        Having a non-garbage domain provider can be a luxury. I used to work at a place where we were paying boatloads of money for certificates from Sectigo for internal services, and they were charging us extra per additional name and even more if we wanted a wildcard, even though it didn’t cost them anything to include those options. Getting IT to set up the DNS records for Let’s Encrypt DNS verification was never going to happen.

        • Laser@feddit.org
          link
          fedilink
          English
          arrow-up
          1
          ·
          2 months ago

          I was also with a provider that didn’t offer API access for the longest time. When they then increased prices, I switched, now paying a third of their asking price per year at a very good provider.

          I guess migrating is difficult if the provider doesn’t offer a mechanism to either dump the DNS to a file or perform a zone transfer (the later being part of the standard).

          Can only recommend INWX for domains, though my personal requirements aren’t the highest.