Niber

Anyone experienced in e-commerce? I'm in the market for a SSL certificate but I see prices ranging from $19.00 to - $500.00

What's the difference? Should I just go cheap?

Godaddy ($14.95)

DigiCert ($144)

Verisign ($500+)

.. Help.

the_mo

most browsers have a list of certain certification authorities and accept certificates, which are signed by those institutions. verisign is one of em, prolly the largest but also most expensive one. while others might sign your certificates, you dont gain much from it, since the browser wont accept the certificate by default.

from a look at the pre-installed list within firefox, digicert and verisign are among the trusted authorities, godaddy is not listed. so in case youd use a godaddy-signed certificate, users browsing your page will get a warning about a certificate, which is not signed by any trusted authority.

in case of a.. lets say verisign-signed certificate, the users wont notice, that theyre surfing a https website, if it isnt for the tiny lock at the bottom of the screen (like you dont get a warning as stated above when logging in to popular https-services, as SoEs accounting, amazon or the-like)

Pinski

https://www.thawte.com/

Is another option.

But yah, as said above, the larger older ones are more expensive because they've had a stranglehold on the market, once more and more start accepting GoDaddy as a CA, they'll drop in price drastically.

__________________
Calaglin, Former Illusionist/Guild Leader of Dissolution on Nektulos
Calaglin, Former Illusionist/Guild Leader of Confirmed on Unrest

Niber

Geesh, theres quite a margin between the different companies. 15$ or $500+? Digicert seems like the cheapest (established) company at $144. What a racket.

Morara

Verisign is a pretty much guaranteed accepted across the board. You get what you pay for.

__________________

Niber

I cant justify a $400+/yr on a SSL certificate from Verisign. That seems ridiculous.

the_mo

it is

you can find the list of built-in trusted CAs in firefox via

tools --> options --> advanced --> encryption --> view certificates --> authorities (please ignore the 2 AOL entries, that must be a very bad joke obviously)

Niber

Mm, mine lists GoDaddy, I guess I accepted it along the way.

the_mo

well... i must admit i found it aswell, must have overlooked it previously

besides: you cant accidently accept new CAs to your browser settings, but you can accept individual website's certificates permanently.

the whole point about the certification story is this: assuming youve got a connection, which happens to be encrypted, as it would be for you communicating with your site via https... the traffic would then be encrypted. BUT the question is this: how trustworthy is the CA you chose? maybe theyve got black sheeps among their lines leaking certification keys, so that a possible attacker could generate his own CA-approved certificate for YOUR website, which could then be used to fake a communication in a way, that the attacker would reach a man-in-the-middle state and could get all the transfered data in plain-text and your browser still showing the closed lock indicating everything is fine throughall this.

so as already said: what you really pay for is the NAME behind the CA, the general amount of trust the CA has got.

im not talking negatively about godaddy or anything, in fact ive never really heard of godaddy until 2 days ago, where someone wanted DNS-whois'ses for several yadda-flames.com domains which showed up with godaddy as the registrar. so i dont know, what godaddy is, esp. how big they are, what their public standing is and so on

Niber

That's what I don't get, GoDaddy is a monster name -- worlds largest domain name registrar. They claim 99% browser recognition and have SSL clients like Toyota, Dominoes, Hooters, Xerox, Nascar.. etc, major names.