
I've googled this and haven't really been able to find a straight answer, and this question, which I have read, is a bit different and a bit outdated considering the landscape has changed a lot recently.

What I want to know is, if you aren't planning to get an OV or EV certificate and just need the plain DV type certificate, then we have offerings of varying types, such as:

  • Free Certificates from places such as Let's Encrypt
  • Many hosts are giving away free certificates now with their hosting (not always by Let's Encrypt)
  • AutoSSL from cPanel (Free)
  • $198 Standard SSL certs from DigiCert
  • $59 Standard Certs from RapidSSL

I could go on, but you get the point. Is there any technical difference between these certificates? From what I have read certificates from LE only last 3 months so you will have to renew them quite often - is that about it?

If there is no real difference then why not go with the free ones provided by cPanel? Why would one spend $198/year when they can get it for free?

The only other non-technical difference I can think of is that if you pay for one then you get the included insurance.

Are browsers more likely to have the ones you pay for in their CA trust store and free ones should be avoided because of this?

So I think I understand the non-technical differences, but am looking for an answer on whether paying for one is going to be technically a "safer" option?

Brett
  • You may want to look into how revocation is handled, and also how the private key is handled. It looks like the AutoSSL option generates the private key on someone else's system. Generally as long as the certificate validates in the common browsers (FF, chrome, OE, edge, safari, etc.) You're fine. – Daisetsu Oct 22 '18 at 20:46
  • Also make sure you're using TLS. SSL is not recommended anymore. – Daisetsu Oct 22 '18 at 20:47
  • There's a good QA on Server Fault specifically about Let's Encrypt vs paid certificates: [Is there a reason to use an SSL certificate other than Let's Encrypt's free SSL?](https://serverfault.com/questions/926974/is-there-a-reason-to-use-an-ssl-certificate-other-than-lets-encrypts-free-ssl) – Josh Townzen Oct 23 '18 at 02:19

1 Answer

-1

"If there is no real difference then why not go with the free ones provided by cPanel?"

Use this interface to install an SSL certificate on a domain, subdomain, or addon domain. Before you can use this feature, you must create or purchase a certificate, and you must possess the certificate's key.

Directly from cPanel's website it looks like you MUST either purchase a cert, or you can use one cPanel provides, but that MAY be a self-signed certificate. Without seeing what is offered by cPanel, I have no way of guaranteeing that what cPanel is offering is a CA-signed certificate.

If you choose the free certificate from cPanel, it will tell you if it is of the self-signed variety:

When you install a certificate, this interface indicates whether your certificate is self-signed. Self-signed certificates are easy targets for attackers and generate security warnings in your users’ web browsers. Only install a self-signed certificate temporarily, until you can replace the certificate with a certificate from a valid certificate authority (CA).

You can actually look at the certificate you are provided and determine if it is "technically" the same as another.

If you want to decode a cert on your computer use the following:

openssl x509 -in certificate.crt -text -noout

If you don't mind providing your certificate to a website to be "read" (this is the same thing that happens when the cert is read while in use):

https://www.sslshopper.com/certificate-decoder.html

Usually you select a modulus value (2048 or 4096, anything less is weak), the PKI encryption type (ECC or RSA, either is safe for common use), symmetric encryption type (AES 128 is safe for common use) and any hashes (SHA-256 is common, I prefer SHA-384 because more bits). If you compare two RSA 2048, AES-128, SHA-256 certs they are technically the same regardless of how much they cost.

In March of 2020 most browsers will no longer accept SSL (any version), TLS 1.0, or TLS 1.1. If you have the option, ensure that you are using a TLS 1.2 certificate, at minimum.

Everett
  • From what I have seen the AutoSSL certificates cPanel provide are not of the "self-signed" variety, have even seen a few sites using them without noticing any warnings. – Brett Oct 22 '18 at 21:13
  • I accept that, but, all it takes is one place to use a self-signed cert. I'm sure MOST will use a public CA. I *think* my answer including a way to identify if a cert is self signed protects against that one time that it is. Does that work? – Everett Oct 22 '18 at 21:15
  • Any explanation with the -1 to give it some validity? – Everett Oct 23 '18 at 14:35
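The inspection the answer describes (decoding a certificate and checking whether it is self-signed, its key size and its signature hash), as an added shell example that is not part of the original answer; it assumes only that the openssl CLI is on PATH and takes a PEM file as its argument.

```shell
#!/bin/sh
# Added example, not from the original answer: inspect a PEM certificate with
# the same openssl CLI the answer uses and report the properties it says to
# compare. Assumes the openssl binary is installed.

# Exit 0 when the certificate in $1 is self-signed: its Issuer and Subject
# names match AND it validates with itself as the only trust anchor (a name
# match alone is not enough, so the self-verification is checked too).
cert_is_self_signed() {
    issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    [ "$issuer" = "$subject" ] && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Print the public key algorithm, e.g. rsaEncryption or id-ecPublicKey.
cert_key_alg() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: //p' | head -n 1
}

# Print the public key size in bits (the "modulus value" the answer refers to).
cert_key_bits() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Print the signature algorithm, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# Exit 0 when the certificate has not expired yet (-checkend 0 = "now").
cert_valid_now() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Print "ok" or "weak" using the thresholds given in the answer: RSA below
# 2048 bits, or an MD5/SHA-1 signature, is weak. ECC keys are accepted at
# 256 bits and up (a 256-bit EC key is not comparable to a 256-bit RSA key).
cert_strength() {
    bits=$(cert_key_bits "$1"); alg=$(cert_key_alg "$1"); sig=$(cert_sig_alg "$1")
    case "$sig" in *sha1*|*md5*) echo weak; return 0;; esac
    case "$alg" in
        rsaEncryption)  if [ "$bits" -ge 2048 ]; then echo ok; else echo weak; fi ;;
        id-ecPublicKey) if [ "$bits" -ge 256 ];  then echo ok; else echo weak; fi ;;
        *)              echo unknown ;;
    esac
}
```

Running `cert_is_self_signed site.pem && echo self-signed` on a certificate exported from the server answers the question the answer raises about cPanel's free option directly.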