The SSL Cert Ripoff


SSL Certs are unbelievably easy to generate. It takes literally a matter of seconds. So why exactly are people paying upwards of $700 for certificates? Because they can. Because they don't know any better. Because they fall for unethical marketing tactics.

Really, what is SSL? For most, it serves as encryption between a web browser and a web server - ensuring that things like passwords don't get transferred in plain text across a network. All the SSL Certificate does is enable the encryption.

You can generate your own, but that will actually present the user with a dialog message saying that the certificate was not signed by a "trusted authority". Funny that the user never had a voice in deciding who was trusted in the first place.

The thing is, the trusted authorities do very little to add to the security mix. Almost nothing in fact. A few of the trusted authorities will actually require somebody to fax in something like Articles of Incorporation, but those are few and far between, and none of the services require that kind of authentication on all of their certificates.

End users don't know the difference between a several hundred dollar VeriSign certificate and a $29 GoDaddy certificate. Nor do they care.

All SSL offers is encryption. It's not a verification of identity by any means. Anybody can get one, and if you look around you can find them for under $20. Or, like I said, you can generate your own in less than a minute for free.

There used to be a free trusted service available, but they have since been bought out by GeoTrust. Go figure.
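As an added illustration (not part of the original post or the thread), here is a Go program that makes the two claims above concrete: a certificate "generated in seconds" carries exactly the same key material as a CA-issued one, and the only thing the CA signature changes is whether a client's trust store accepts it. The hostname, the CA name and the one-day validity are constructed for the example; the chain check uses the standard library's crypto/x509 verifier, which is the same check a TLS client runs before showing its "not signed by a trusted authority" warning.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newTemplate builds a certificate template; names and the one-day validity are constructed.
func newTemplate(cn string, isCA bool) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // clients match the SAN, not the CN
	}
	return tmpl
}

// issue generates a fresh P-256 key for template and signs it under parent with
// signerKey; parent == template and signerKey == nil yields a self-signed cert.
func issue(template, parent *x509.Certificate, signerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signerKey == nil {
		signerKey = key // self-signed: the subject vouches for itself
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// selfSigned is the "generate your own in under a minute" certificate.
func selfSigned(host string) (*x509.Certificate, error) {
	tmpl := newTemplate(host, false)
	cert, _, err := issue(tmpl, tmpl, nil)
	return cert, err
}

// caSigned stands up a private CA and issues a leaf for host from it; it
// returns the leaf and the CA certificate a client would have to trust.
func caSigned(host string) (*x509.Certificate, *x509.Certificate, error) {
	caTmpl := newTemplate("Example Private CA (constructed)", true)
	ca, caKey, err := issue(caTmpl, caTmpl, nil)
	if err != nil {
		return nil, nil, err
	}
	leaf, _, err := issue(newTemplate(host, false), ca, caKey)
	return leaf, ca, err
}

// verifyFor is the check a TLS client makes before showing its "not signed by a
// trusted authority" dialog: does cert chain to roots, and is it valid for host?
func verifyFor(cert *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// sameKeyStrength makes the thread's point concrete: the key protecting the
// session is the same whoever signed the certificate.
func sameKeyStrength(a, b *x509.Certificate) bool {
	ka, okA := a.PublicKey.(*ecdsa.PublicKey)
	kb, okB := b.PublicKey.(*ecdsa.PublicKey)
	return okA && okB && ka.Curve.Params().Name == kb.Curve.Params().Name
}

func main() {
	const host = "www.example.test" // constructed hostname
	self, err := selfSigned(host)
	leaf, ca, err2 := caSigned(host)
	if err != nil || err2 != nil {
		panic("certificate generation failed")
	}
	nobody := x509.NewCertPool() // a client with an empty trust store
	trustsCA := x509.NewCertPool()
	trustsCA.AddCert(ca)
	fmt.Println("self-signed, nothing trusted:", verifyFor(self, nobody, host))
	fmt.Println("CA-signed, CA trusted:       ", verifyFor(leaf, trustsCA, host))
	fmt.Println("same key strength either way:", sameKeyStrength(self, leaf))
}
```

Run it and the first line is an x509.UnknownAuthorityError, the second is nil and the third is true. Adding the self-signed certificate to a client's own pool makes it verify just like the CA-issued one, which is the "who decided what is trusted" question in the post: the trust store, not the certificate, is what makes a signer trusted, and the identity assurance is only as good as whatever checks that signer performed before signing.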




02-12-2007, 05:07 PM  
Marwaan
 
 
Re: Discussion: The SSL Cert Ripoff

I believe there is a difference in SSL Certificates. Across the board they provide encryption...but they *should* provide identity as well, so that you know you are at the Web site you intended to be, and not some fraudster trying to steal your information/money.

Companies like VeriSign offer this high level of authentication (higher than what you suggest) and can be trusted sites, however, you make a great point that consumers can't tell the difference. Though Certificate Authorities offer varying degrees of authentication, how can one expect the average site visitor to know these different practices from each SSL provider? This is why the CA/Browser forum has created the new standards behind what is being called Extended Validation SSL.

EV SSL provides a higher level of authentication all CAs must follow so that the Authentication side of SSL is held to higher standards. The Green bar interface in the latest high-security browsers (IE7) will display in the address bar along with the organization name and SSL provider. Check it out.

02-12-2007, 06:52 PM  
Runs This Show
 
 
Join Date: Dec 2006
Posts: 159
Re: Discussion: The SSL Cert Ripoff

You make a good point.

The new SSL interface in IE presents the certificates in a manner much more obviously accessible to the end user. It still, however, does not specify the level of encryption - and it makes self-signed/self-CA'ed certificates look more hokey than before - when really the primary purpose of the certificate is to enable a level of encryption and not so much to secure the identity of the website operator. A 30 dollar GeoTrust certificate doesn't look much different at all than a $500 VeriSign certificate to an end user.

But I can tell you - my main motivation for the article was in my own experience of having to evaluate several different providers - and even then searching around for the best deal from those providers. GeoTrust certs are $189 directly, but I was able to buy one for less than $30. They sent the certificate to a non-trusted email address against their verification procedures - so what does that say? It says that anybody can buy a certificate to validate identity after hijacking a site.

So if SSL certs are really only useful for encryption and not identification, they really are worth nowhere near even $30, let alone hundreds of dollars. Paying big bucks just means that you are paying for marketing - and marketing that's not even that effective.