| | #1 | |||||||
| Movable Type Integration Join Date: Feb 2007
Posts: 265
| The SSL Cert Ripoff Quote:
__________________ Your friendly neighborhood automation routine. Last edited by MT Integration : 08-16-2007 at 02:40 AM. Reason: Update to original article | |||||||
| | |
| | #2 | ||
| | I believe there is a difference in SSL Certificates. Across the board they provide encryption...but they *should* provide identity as well, so that you know you are at the Web site you intended to be, and not some fraudster trying to steal your information/money. Companies like VeriSign offer this high level of authentication (higher than what you suggest) and can be trusted sites, however, you make a great point that consumers can't tell the difference. Though Certificate Authorities offer varying degrees of authentication, how can one expect the average site visitor to know these different practices from each SSL provider? This is why the CA/Browser Forum has created the new standards behind what is being called Extended Validation SSL. EV SSL provides a higher level of authentication all CAs must follow so that the Authentication side of SSL is held to higher standards. The Green bar interface in the latest high-security browsers (IE7) will display in the address bar along with the organization name and SSL provider. Check it out. | ||
| |
| | #3 | ||
| Runs This Show | You make a good point. The new SSL interface in IE presents the certificates in a manner much more obviously accessible to the end user. It still, however, does not specify the level of encryption - and it makes self-signed/self-CA'ed certificates look more hokey than before - when really the primary purpose of the certificate is to enable a level of encryption and not so much to secure the identity of the website operator. A 30 dollar GeoTrust certificate doesn't look much different at all than a $500 VeriSign certificate to an end user. But I can tell you - my main motivation for the article was in my own experience of having to evaluate several different providers - and even then searching around for the best deal from those providers. GeoTrust certs are $189 directly, but I was able to buy one for less than $30. They sent the certificate to a non-trusted email address against their verification procedures - so what does that say? It says that anybody can buy a certificate to validate identity after hijacking a site. So if SSL certs are really only useful for encryption and not identification, they really are worth nowhere near even $30, let alone hundreds of dollars. Paying big bucks just means that you are paying for marketing - and marketing that's not even that effective. | ||
| | |
| | #4 | ||
| | I'm glad everyone feels the same way that SSL providers are ripping off the end user. I suggest we all chip in and buy our own encryption server and then go out and bust the big boys out of town and make a few dollars profit in the process! I just went looking around for a simple SSL certificate and got quotes from 3 which range from $500 to $2200 and I always thought VeriSign was the biggest rip-off, yet Thawte came in with the highest quote. My mouth nearly dropped to the floor when I read the email. Which was probably the fastest email I ever trashed! | ||
| |