Monday, April 14, 2014

Why is godaddy HTTPS/SSL certification so much cheaper than digicert, thawte, and verisign?

I am a novice on HTTPS/SSL, but GoDaddy charges $12.99 and DigiCert, Thawte, and VeriSign charge $100-1000+ for SSL certificates.

I must be missing something on the quality of the encryption or something. Can someone explain some of the basic differences that lead to these dramatically different prices?

Update: $12.99 is a sale price. Typically SSL certificates cost $89.99 on GoDaddy. Here's a link on GoDaddy which makes the very comparison this question asks about: http://www.godaddy.com/Compare/gdcompare_ssl.aspx?isc=sslqgo002c

Apart from unserious offerings, you can distinguish between cheaper domain-validated SSL certificates and the more expensive extended-validation SSL certificates (EV).

Both certificates are technically the same (the connection is encrypted), but domain-validated certificates are cheaper, because the seller only has to check the domain. The EV certificates also require information about the owner of the domain, and the seller should check whether this information is correct (more administrative effort).

Normally you can see the difference when you visit the site with a browser. Firefox for example will highlight the domain in blue for domain-validated SSL, and green for extended-validation SSL.

Two examples:

https://accounts.google.com/ (domain-validated)
https://www.postfinance.ch/ (extended-validated)

In most cases the domain-validated certificate is fine; the user will have no disadvantages, and the EV certificates are really (too) expensive.

I just found that GoDaddy doesn't allow "duplicate" certificates for your wildcard SSL.

That's a pity, since this is often used when you manage a farm of servers and each one has its own private key / CSR.

(By comparison, DigiCert does allow them, and an unlimited number of them.)

To be quite honest, there is absolutely NO difference when it comes to SSL certificates. The only contributing factor is the EV / non-EV / Wildcard tags.

EV == Extended Validation: This means the site is actively "pinged" by the Certificate Authority on the provided IP of the domain, then a server-side script compares the IP address of the ping response from the CA and the IP address YOU are visiting. This does NOT guarantee that there isn't a man-in-the-middle attack, or net-wide DNS poisoning. This just ensures that the site you are viewing is the same one the CA sees.

Non-EV == no one is actively checking the domain's IP against a logged / provided IP for security purposes.

Wildcard == *.domain.com based certificates are often used when people have a multitude of subdomains, or a set of subdomains that are ever-changing, but still need valid SSL encryption.

The truth behind SSL Certificates.

You can make your own. They are no less secure than any other certificate. The difference being a "self-signed" certificate is not "vouched for" by any third party.

The problem with SSL certificates is they are extremely over-priced for what they are. There is absolutely NO guarantee that the site you are visiting belongs to whomever is listed on the certificate as owner / location etc. This defeats the purpose of the third-party trust-chain model SSL was developed to use.

ALL Certificate Authorities, known as CAs, that sell their certificates want the user to believe that their certificate is somehow better, when in fact they never check the information provided for the certificate unless there is an issue that may cost them revenue. This practice also defeats the purpose of the SSL trust-chain model.

I know of only ONE CA that indeed validates its certificates. This is CACert.org.

For them to issue a "complete" certificate (business name, name, address, phone, etc.) you must meet one of their assurers FACE-TO-FACE!

However, most browsers do not use CACert.org due to pressures added to them by mega corporations like Thawte, Comodo, and VeriSign.

So, to sum it all up.

The only difference between certificates is the behavior of the CA. Certificates can't really be trusted to verify anything other than that the connection to the site is using encryption.

At the end of the day, people think paying $100 - $1000 somehow equates to trustworthiness. This is NOT the case. It just means you deal with less sophisticated or less established crooks.
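As an added example (not part of the original question or any of the answers above), the Go program below uses only the standard library to show the point the second and third answers make: a self-signed certificate and a CA-issued certificate for the same host use identical key types and signature algorithms, so the encryption is the same, and the only thing a client decides differently is whether it already trusts the issuer. It also shows the one field difference a DV-style subject (domain only) has compared with an OV/EV-style subject (an organization name). The hostname `www.example.test`, the toy root CA and the organization "Example Shop Ltd" are constructed for this example; no real CA is involved.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a fresh P-256 key for template and signs it with parentKey (nil: self-signed).
// Every certificate here is constructed for the example; none comes from a real CA.
func issue(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parentKey == nil {
		parent, parentKey = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// leafTemplate is a server certificate for host; org == nil names only the domain (as a
// DV certificate does), org set also names an organization (as OV/EV certificates do).
func leafTemplate(serial int64, host string, org []string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host, Organization: org},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// Trusted reports whether a client trusting exactly the given roots would accept leaf for
// host: chain building, signature check and hostname match, as a browser does.
func Trusted(leaf *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

// Outcome collects the checks so they can be inspected or tested directly.
type Outcome struct {
	SelfSignedEmptyRoots bool // self-signed leaf, client trusts no root
	SelfSignedPinned     bool // same leaf after the user adds it as trusted
	CAIssuedEmptyRoots   bool // CA-issued leaf, client lacks that CA's root
	CAIssuedWithRoot     bool // CA-issued leaf once the CA's root is trusted
	SameCrypto           bool // both leaves use the same key type and signature algorithm
	SelfSignedNamesOrg   bool // self-signed subject names an organization
	CAIssuedNamesOrg     bool // CA-issued subject names an organization
}

func Run() Outcome {
	const host = "www.example.test" // constructed hostname
	self, _ := issue(leafTemplate(1, host, nil), nil, nil)
	caRoot, caKey := issue(&x509.Certificate{ // toy root CA, constructed
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{CommonName: "Example Toy Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
	// Leaf issued by the toy CA, naming an organization the CA claims to have checked.
	issued, _ := issue(leafTemplate(3, host, []string{"Example Shop Ltd"}), caRoot, caKey)
	nobody := x509.NewCertPool() // non-nil but empty: trusts no root at all
	pinned := x509.NewCertPool()
	pinned.AddCert(self)
	withCA := x509.NewCertPool()
	withCA.AddCert(caRoot)
	return Outcome{
		SelfSignedEmptyRoots: Trusted(self, host, nobody),
		SelfSignedPinned:     Trusted(self, host, pinned),
		CAIssuedEmptyRoots:   Trusted(issued, host, nobody),
		CAIssuedWithRoot:     Trusted(issued, host, withCA),
		SameCrypto:           self.SignatureAlgorithm == issued.SignatureAlgorithm && self.PublicKeyAlgorithm == issued.PublicKeyAlgorithm,
		SelfSignedNamesOrg:   len(self.Subject.Organization) > 0,
		CAIssuedNamesOrg:     len(issued.Subject.Organization) > 0,
	}
}

func main() {
	fmt.Printf("%+v\n", Run())
}
```

Running it prints an Outcome where both EmptyRoots fields are false, both Pinned/WithRoot fields are true and SameCrypto is true: neither leaf is "more encrypted" than the other, and the verdict flips purely on which root the client has been told to trust. Whether the organization in the OV/EV-style subject was actually checked is not something the client can test from the certificate bytes; that is exactly the part the buyer pays the CA for.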

Reference:
http://webmasters.stackexchange.com/questions/28595/why-is-godaddy-https-ssl-certification-so-much-cheaper-than-digicert-thawte-an
