Top Providers Of SSL Certificates In 2021: What You Get For Your Bucks

To grow, every business needs a good reputation. That requires protecting your customers’ data and privacy.

It’s no longer enough to just protect financial transaction data. Users expect any personal information that they send to you — such as name or phone number — to be protected.

That’s where SSL certificates come in. They need to be part of your online security mix.  Indeed, Google now considers SSL certificates to be a best practice for all websites, not just e-commerce sites.

What You’ll Learn

Read on to learn what SSL is, how SSL certificates work, and what types are available. You’ll also get guidance on good options for your small business.

If you’re not technically oriented, don’t worry. When you purchase an SSL certificate, do it from a source that will install it for you (for a modest fee) and provide 24/7 support.

Browse the table below to give you a quick overview of the big players in the SSL space.

Digital.com offers real user opinions of the industry’s biggest providers, and we compile real user ratings from Twitter comments to give you an overall approval score. Here’s how to choose the best SSL certificate for your small business or startup website or online store.

Company	Main features	Price	Rating	More
Comodo	Trusted by 99.9% of web browsers Up to $2,000,000 warranty Full 128/256 bit encryption Free 1 year PCI & vulnerability scanning 30-day money-back guarantee More features at comodo.com	From 7.27 /year	40% score	Visit website Read reviews
GeoTrust	Up to 256-bit encryption Trusted by 99% of web browsers Up to $500,000 warranty Free 24/7 customer service Free 30-day trial plus money-back promise More features at geotrust.com	From 68.50 /year	71% score	Visit website Read reviews
GoDaddy	Protects your site and all subdomainis Web Application Firewall prevents DDoS attacks Configurable malware scanning Annual site cleanup and remediation More features at godaddy.com	From 75.00/year	N/A	Visit website
RapidSSL	30-day money-back guarantee Up to 256-bit SSL encryption Trusted by 99% of web browsers Up to $10,000 warranty Free SSL reissue & competitor replacement More features at rapidssl.com	From 59.00 /year	40% score	Visit website Read reviews
Symantec SSL	Free 24/7 customer support ECC, RSA & DSA algorithm support Nearly 100% compatible with browsers & systems 30-day free trial $1,500,000 warranty More features at symantec.com	From 279.00 /year	80% score	Visit website Read reviews
Thawte	Trusted by 99% of web browsers Up to $500,000 warranty Full 128/256 bit encryption Free EV upgrader tool Free 21-day trial plus money-back promise More features at thawte.com	From 47.00 /year	50% score	Visit website Read reviews

What is SSL?

SSL stands for Secure Sockets Layer, a standard security protocol. SSL ensures that the connection between a web server and a web browser is encrypted. This means that any data passing between the server and the browser will also be encrypted, and therefore protected.

What sort of data passes from web browsers to web servers? Think of anything that you type online into a form field on a website. This can include name, email address, phone number, home address, social security number, messages, and financial data.

Note: Technically, the updated version of SSL is called Transport Layer Security (TLS), but the SSL terminology is so widespread that it’s remained in common use. Sometimes writers use the term TLS/SLL.

Video: What is SSL? What are the benefits of using an SSL certificate?

What is an SSL Certificate?

An SSL certificate is required in order to establish the secure, encrypted SSL connection.

To understand what’s in an SSL certificate, let’s first look at how a small business owner obtains SSL protection.

1. Purchase an SSL certificate.
2. Activate and install it. This includes generating something called a certificate signing request (CSR). As part of that process, you’ll follow instructions to generate a pair of cryptographic keys: a public key and a private key.

The verification of your business, your identity, and the identity of your website is part of this process.  When you generate the cryptographic key, it digitally attaches your organizational details to a domain name, web host name, or web server name.

For small businesses, the certificate will typically confirm your:

1. Domain name or hostname
2. Company name
3. Location
4. Date of certificate creation
5. Date of certificate expiry

When activated and installed, visitors to your site will see a padlock icon and the “https” protocol, signifying that your site is secure.

How do I Get Help Installing an SSL certificate?

If you’re obtaining your SSL certificate from a web host, then they can install it for you. Otherwise, you can purchase it from a vendor who offers installation for a modest fee.

This vendor also offers 24/7 customer support and step-by-step instructions for those who want to install it themselves.

A Brief History of SSL

SSL was invented in 1994 by Netscape, the same company that produced one of the first web browsers.

It was originally designed to encrypt the connection between two computers on the same network but ended up having a much bigger impact across the entire web. Version 2.0 — the first public version — was released in February 1995.

Do I Need an SSL Certificate?

If you have a website, an SSL certificate is a must-have to prove to your visitors that their actions on your website are private and secure. SSL certificates used to be thought of as must-haves only for online stores, but that has changed. With Google viewing SSL certificates as a best practice for all sites, it’s now considered a must-have for any website.

That’s because even if you don’t’ process payments, it’s likely your site collects information from visitors, via newsletter sign-ups, downloadable e-books, contact forms, and more.

Here’s what Kayce Basques of Google says about this:

You should always protect all of your websites with HTTPS, even if they don’t handle sensitive communications. Aside from providing critical security and data integrity for both your websites and your users’ personal information, HTTPS is a requirement for many new browser features, particularly those required for progressive web apps.

Why Small Businesses Need SSL

As cyber attacks become more and more sophisticated, security is increasingly important. If your email account has been hacked, you’ll know just how inconvenient and unnerving it can be. Every e-commerce store in the world should now have SSL enabled to protect customer data. And if you run a small business, you should implement it, too.

A Trust Signal That Matters to Consumers

Why? Most online consumers now recognize a secure connection, because it’s highlighted by their web browser. Many will refuse to go ahead with an inquiry or purchase if the SSL padlock icon isn’t present in the browser URL bar. And with good reason.

Unsecured transactions represent a gold mine for hackers, and even a small data leak can result in identity fraud.

Even if you don’t accept payments on your website, you should still use an SSL certificate to secure users’ browsing.

What You Need to Know About Google and SSL

Since 2014, Google has given secure sites a boost in search results. (In fact, it has been keen to encourage the use of SSL since 2012.)

It’s a very small boost, but in competitive markets, it makes sense for small businesses to take advantage of any SEO advantage that comes along.

What Is a Certificate Authority (CA)?

SSL certificates are issued by trusted providers (also called “certificate authorities” or “issuers”), that are responsible for authenticating the business requesting the certificate. There are dozens of providers on the market, including Thawte, Symantec, and GeoTrust.

Prices vary from provider to provider. So it’s important to compare SSL certificate providers to ensure that you’re getting the best deal.

SSL certificates can be forged. So the issuing authority is important. It’s the authority that confirms that your small business is genuine.

In most circumstances, your browser will try to verify the signature from a list of known authorities. This list is built into the code of the browser itself, so verification adds very little overhead to loading times.

Understanding SSL Certificate Types

Now that you understand how certificates work, we can get into the detail of what each type does. Right now, there are three different types of SSL certificate. Let’s look at each one in turn.

Extended Validation SSL Certificates

Extended Validation – or EV – certificates are only issued once the provider has validated the website. This vetting makes the approval method very reliable. Typically, this type of SSL certificate is used for government agencies and very large businesses.

Organization Validation SSL Certificates

Organization Validation – or OV – certificates verify the business only. The provider, or authority, conducts a series of checks before the SSL certificate is granted. That includes the business’ trading address. If a website has this kind of certificate, customers should assume that the website is legitimate and connected to a genuine, functioning business.

Domain Validation SSL Certificates

The final certificate type is Domain Validation or DV. This type of SSL certificate involves the least amount of verification; the provider simply checks that the domain name is legitimately owned, and the registration data matches the SSL certificate application. The provider does this by running a check on the WHOIS record for the domain.

For Geeks: Technical Details and More History

Those who are technically inclined may be interested in diving further into the details of how SSLs work and how SSL became part of the Apache Web Server.

Initiating a Session

Initiating a session is as simple as loading a web page that begins with the https:// protocol.

Note the difference between http:// and https://. That extra ‘s’ is what makes the connection secure.

When you press enter, your web browser initiates a connection to the website. It will send information that is not confidential to do this. When the server replies, it sends the browser its certificate and a public key.

Your web browser then validates the certificate and returns a secret key to confirm that the connection is secure. Once that happens, all data is protected by a virtually unbreakable encryption algorithm.

How SSL Became Part of the Apache Web Server

For a connection to be encrypted, both sides of the connection must be able to communicate. So in the case of SSL, both the user’s browser and the web server must understand the protocol.

This means that both browser manufacturers and web server makers had to add SSL to their applications.

The Earliest Versions of Apache

By far, the most used web server is Apache. Coincidentally, both Apache and SSL were released the same year: 1995. For obvious reasons, the first version of Apache didn’t include SSL because:

• There was no time to include it
• Almost no browsers supported it
• And the web wasn’t the commercial marketplace it is today

Adding SSL to Apache: Apache-SSL

But the potential of adding SSL to Apache was immediately apparent. So Ben Laurie took Eric A Young’s open-source SSLeay (eay for Young’s initials), which he first released in 1995, and combined it with Apache, which is also open-source. The result was SSL-Apache.

(Eventually, Apache-SSL switched from SSLeay to OpenSSL. This is because the SSLeay project was ended. OpenSSL was forked from the last version of SSLeay.)

So very quickly, people could have their own SSL-enabled server. But there was a problem. Every time SSLeay/OpenSSL or Apache was updated, Apache-SSL had to be updated. In addition to having to fix its own bugs, this required a lot of work. In other words, SSL-Apache was a maintenance nightmare.

Apache Modules to the Rescue!

Apache has a module system, which allows programmers to create compiled code that adds functionality to the base system. For example, mod_cgi adds a CGI system to the server.

So, in 1998, Ralf S. Engelschall decided to port Apache-SSL (1.17) into a module for Apache 1.2 that he called mod_ssl. This improved Apache-SSL in a big way. So when a new version of Apache came out, mod_ssl didn’t need to be changed.

However, because of conflicts with the Apache-SSL development cycle, for version 1.3 of Apache, mod_ssl v2 became completely independent of the older system. It was written from scratch and effectively became part of Apache.

In addition to Apache changes not affecting mod_ssl, mod_ssl could make changes without having to mess with the base Apache code.

This meant that changes to SSL or improvements to the module could easily be made.

How Does mod_ssl add SSL Encryption to Apache?

The mod_ssl does not provide SSL encryption to Apache itself. Instead, it provides an interface so that Apache can use OpenSSL. OpenSSL is an open-source implementation of the SSL/TLS protocols.

OpenSSL is the most popular encryption software library. It is used in most open-source software that wants to add encrypted communication to it.

Recent Forks

OpenSSL is a great product. But it isn’t perfect and not everyone likes it. As a result, over the past several years, a number of OpenSSL forks have appeared.

Agglomerated SSL

In 2009, Marco Peereboom released Agglomerated SSL. It doesn’t change the encryption code itself. Instead, it simplifies the interface.

This makes Agglomerated SSL easier to include in different programs. It is used, for example, to allow VLC to be able to play Blu-ray discs.

LibreSSL

Five years later, the Heartbleed bug appeared in version 1.0.1 of OpenSSL. It was so bad that it could allow hackers to determine a user’s private key. A number of quick fixes solved the problems of the Heartbleed bug. But it wasn’t until OpenSSL version 1.0.1g that Heartbleed was completely defeated.

The bug was not disclosed publicly for two years, in 2014. This caused the creation of LibreSSL by members of the OpenBSD project.

Within days of LibreSSL’s release, problems with it were reported, but it is not clear just how important these problems were.

Regardless of any early problems, LibreSSL has gone on to be developed. It is not only the default TLS for FreeBSD, but also for a number of Linux distributions. New releases are available on average every four months or so. Overall, it has had fewer problems than OpenSSL.

BoringSSL

Just after LibreSSL came out, Google released BoringSSL. But it isn’t meant for general use the way OpenSSL and the two other forks are. Google is working with OpenSSL and BoringSSL to create an SSL library for use with its own projects.

Google recommends against other developers using BoringSSL. But it is likely to be running in many applications people are using.

Mod_ssl Becomes an Official Part of Apache

Because of some changes in US law about exporting cryptography, mod_ssl became an official part of Apache 2. The Apache Software Foundation now maintains it.

Timeline

Given that server-side SSL involved two distinct applications and numerous teams and individuals, it’s helpful to see the timeline that brought us to our current state.