Should you trust free SSL certificates?

Risk management in business is everything. In fact it’s the main job of an entrepreneur to manage risks related to the business. One of the tools to manage risk is a binding contract. By means of a binding contract it is possible to hand over some risk to another party in exchange for a fee. Now, the fee is the key element to it. Why should another party be liable for your risk in exchange for nothing? That’s abusive! That’s why only a fee makes a contract binding. But that’s not a sufficient condition. The fee must also be reasonable (so-called “reasonable consideration”). If the fee is not reasonable, the contract is abusive again.

Now, imagine some complex piece of technology, e.g. secure communication. You don’t know how it works. You only need an SSL certificate that works. You go to a certification authority, you pay money and get an SSL certificate.

To give out a certificate the certification authority needs to conduct a relatively complex process. In particular they need to:

  • ensure that you exist
  • ensure that you are you
  • ensure that their own certificate is properly connected to the chain of trust, e.g. establish relationships with industry associations and browser vendors
  • ensure that your certificate does not appear in the revocation list by accident

This all is required to keep your certificate working and keep your business going. But you don’t need to know that, you only need an SSL certificate.

To make simple reliance on an SSL certificate possible, certification authorities issue a warranty: “our job is to make sure everything works for you, regardless of what is in there, in exchange for a fee”. After the fee is paid or compensated in some other way the warranty becomes claimable.

But if you got your SSL certificate for free, how can a warranty, even if there is one, be claimable? If you did not exchange anything of value, how can there be a binding relationship?

For example, you’re making $1.000.000,- a year and your shop runs on a free SSL certificate. One day your SSL certificate appears in a revocation list by accident (or “by accident”). Your business is down because no one can connect to your website.

So you go to your certification authority and claim damages. But you are not in a contractual relationship with them, you don’t even have obligations to fulfill, so your certificate is ephemeral, just a sequence of bytes in the computer. And you don’t have a receipt to prove that a transaction ever existed. In fact, there’s no transaction, because nothing trans-acts, you just got a file generated by a computer, that’s it.

Consequently, if you got your SSL certificate for free, you seem to be back to square one with regard to risk management. Equally, you could have used a self-signed certificate if the infrastructure allowed that.