Got Web Ideas? Fishing for the Answers?
Think Outside The Code First!
Facts, Thoughts, and Opinions About Web Development and Business Strategy
I have yet to see anything that says one SSL provider offers a
more secure SSL certificate than the next company.
In fact, they are all the same in terms of their cryptography. There is no difference between a lower-cost SSL
certificate from GoDaddy and a higher-priced one from Verisign. The only difference is the warranty associated
with the certificate, which is half a joke.
Certificate Authorities (CAs) are listed inside an Internet browser
as trusted providers of SSL. If someone tries to use an SSL cert from a CA that is not listed in the browser,
then the cert will fail.
In order for a Certificate Authority to get listed in an Internet browser,
it must provide a certificate that passes many checks and balances. The technical requirements are the same for all vendors.
You can see Microsoft's list of CA requirements here:
Microsoft Root Certificate Program.
Thus, all SSL certificates are the same in terms of their cryptography. One SSL provider cannot argue that its
SSL is stronger or more reliable than another's. The company that makes the browser has the final say, and all
certs must meet the same criteria.
So why the wide range in price? Of brief importance is the perception of long-term reputation: the longer an SSL
provider has been in business, the more it can be trusted. SSL providers like Verisign will
use this as an excuse to jack up prices, making people think their SSL product is better.
However, this argument holds little weight in the present day,
as Internet users have become more astute about their security online. What they want to see is some
assurance of "Secure Shopping", and they know what to look for in their browser window to ensure that this
has happened (lock icon, SSL seal, etc.). I would also point out that if this were true, then GeoTrust would
never have been able to take off like they did, eventually being bought by Verisign.
Now we have GoDaddy offering SSL certificates at much cheaper rates and holding a large share of
the market. GoDaddy's certificates aren't even single root certificates.
They are chained root certificates. Many in the past would point
out that chained root certs have compatibility issues with certain browsers. Yet this has pretty much been proven
to be false. It may happen in extremely old browsers, but apparently it is not a major issue or GoDaddy
would not be making great strides in the industry. I have been using GoDaddy certs ever since GeoTrust went out
of business and I have never had a problem.
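The two trust-store statements above (a cert from an unlisted CA fails; a chained root cert works) can be checked with the openssl command line. This is an added example, not part of the original post: it builds a throwaway PKI in a temp directory, and every name in it (the "listed" and "unlisted" roots, shop.example.test) is made up for the demonstration.

```shell
#!/usr/bin/env bash
# Constructed demo PKI: every name, key and certificate here is generated
# locally for this example and has no relation to any real CA.

csr() {   # csr <dir> <name> <CN>: new RSA key plus certificate request
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

build_pki() {   # build_pki <dir>
  local d=$1 r
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\n' > "$d/leaf.ext"
  # Two self-signed roots: "listed" stands in for a CA in the browser's
  # trust store, "unlisted" for a CA the browser does not list.
  for r in listed unlisted; do
    csr "$d" "$r" "Demo $r root" &&
    openssl x509 -req -in "$d/$r.csr" -signkey "$d/$r.key" -days 30 \
      -extfile "$d/ca.ext" -out "$d/$r.pem" 2>/dev/null || return 1
  done
  # Chained setup: the listed root signs an intermediate, which signs the site cert.
  csr "$d" inter "Demo intermediate CA" &&
  openssl x509 -req -in "$d/inter.csr" -CA "$d/listed.pem" -CAkey "$d/listed.key" \
    -set_serial 2 -days 30 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null &&
  csr "$d" site "shop.example.test" &&
  openssl x509 -req -in "$d/site.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -set_serial 3 -days 30 -extfile "$d/leaf.ext" -out "$d/site.pem" 2>/dev/null
}

# verify_site <dir> <root-name> [intermediate.pem]: prints "trusted" or "rejected"
verify_site() {
  local d=$1 root=$2 inter=${3:-}
  if openssl verify -CAfile "$d/$root.pem" ${inter:+-untrusted "$inter"} \
       "$d/site.pem" >/dev/null 2>&1; then
    echo trusted
  else
    echo rejected
  fi
}

demo() {
  local d; d=$(mktemp -d) || return 1
  build_pki "$d" || { rm -rf "$d"; return 1; }
  echo "listed root, intermediate supplied: $(verify_site "$d" listed "$d/inter.pem")"
  echo "listed root, intermediate missing:  $(verify_site "$d" listed)"
  echo "unlisted root only:                 $(verify_site "$d" unlisted "$d/inter.pem")"
  rm -rf "$d"
}
demo
```

The middle case is the one to test on a real server: a chained cert verifies only when the intermediate is installed and sent alongside the site certificate.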
So how is Verisign getting people to pay big money for their SSL certificates? The answer is the warranty that they
attach to the certificate, a warranty that is nothing more than a selling feature. It is called scaring people into buying.
Every SSL certificate comes with a warranty. The more you pay for the SSL certificate, the higher the warranty. A lower-cost
SSL certificate will carry a warranty worth a couple thousand bucks. A higher-cost certificate
will carry a warranty of $100,000+. If the SSL certificate ever fails, costing your customers damages, then the
warranty can be used to reimburse those people. Thus, the consumer is basically put in a position to pit
what could happen one day against being too cheap to spend a couple hundred bucks per year. However,
the SSL warranty must be analyzed in greater detail.
I have not uncovered any evidence that an SSL certificate provided by the major companies has ever failed.
In fact, RapidSSL backs this up in their FAQ
located here (it is under Warranty at the bottom).
SSL certificates are probably the most fail-safe thing ever. The SSL certificate is nothing more than a cryptography program
that is fired when a Web request comes in under https. These programs
never change once they are installed on the server. Thus, they are what they are when they are installed.
Taking that further, you basically have three sets of checks and balances to validate the SSL certificate.
- The CA has built and tested its technology
- The browser provider has thoroughly tested the CA's SSL certificates
- A user's Internet browser checks the validity and working state of the SSL certificate each time
a secure page is requested under https
The chance that an SSL certificate would ever fail is virtually non-existent. An SSL certificate would not
go bad on its own. Unless it was issued in a non-working state, it would never suddenly fail. I doubt
you could even install a corrupt SSL certificate, and it would certainly show all kinds of warnings in the
browser when testing it.
Now, let's say you did buy an SSL certificate and it failed, causing one of your customers damage. Do you
think you are going to just call up Verisign or GoDaddy and say, "Yeah, my SSL certificate failed and
I would like to cash in my warranty"? Good luck. If you think they are going to just hand over the
cash without a fight, then you are truly crazy. If an SSL certificate failed, especially one carrying
a six-figure warranty, it is going to make big news. It would truly be the death of that company.
They are likely going to fight you tooth and nail to make you prove that it happened, or claim that the
cert is not working because you, or some other outside source, corrupted it. Good luck.
You also want to keep in mind that the warranty is not like cashing a bond. They would only cover you
for the actual damages. You would need something that is absolutely catastrophic to happen in order
for a $250,000.00 warranty to be needed. Can a person even get a credit card that has a $250,000.00 balance on it?
The evidence pretty much speaks for itself. Purchasing an expensive SSL certificate just for the pumped-up
warranty really does not make a lot of sense. There is part of me that would say that a large
company doing thousands of transactions per month should buy a more expensive SSL certificate with a
higher warranty. Just make sure you understand that you will never be using it. I hate to think
that Verisign scared me into saying that.