homepage Welcome to WebmasterWorld Guest from 54.226.180.86
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member
Home / Forums Index / WebmasterWorld / Ecommerce
Forum Library, Charter, Moderators: buckworks

Ecommerce Forum

    
SSL certificate issuers
Are these reputable or what?
thiefware




msg:645616
 7:40 pm on Nov 26, 2002 (gmt 0)

When I recently went to buy another SSL certificate for one of my clients from GeoTrust (www.geotrust.com [geotrust.com]) (formerly Equifax Certificates), I found that their whole cost structure had changed and depending on what you wanted, it would cost differently.

I used to be able to get an SSL cert for $95 that would of course allow for verification of a secure connection and provide the company name and address if a person happened to view the certificate details by clicking on the Lock in the corner. Now that same certificate (now called True BusinessID) costs $249. Verisign is higher yet and thawte is a little bit lower at $199.

Geotrust also provides a QuickSSL cert for $139 but it does not give all the details of the business when someone clicks on the lock to get information, but just the URL (from what I understand from the conversation I had with them).

I thought there had to be lower priced SSL certs that were of high quality and offered the same features as the True BusinessID from GeoTrust or Thawte, both of which provide the indication of a secure transaction and the business information.

I found 2 sites that sell certs: [instantssl.com...] and [qualityssl.com...] and both sell them for considerably less at $69 a year. Has anyone dealt with these 2 SSL certs sites? Are their certs equal in features and quality to the other 3 companies?

Looking for feedback...

 

mikeD




msg:645617
 9:34 pm on Nov 26, 2002 (gmt 0)

never heard of any of those companies, defintely go with some well known companies when dealing with SSL

thiefware




msg:645618
 12:04 pm on Nov 27, 2002 (gmt 0)

I'm not much interested in whether or not they are well known. If that were true, we'd stick with AT&T and MCI just because they are well known and also some of the highest priced phone companies. It does not matter to me about the amount of publicity of a company.

What I want to know is if anyone else has tried these companies and if so, what did you think. I thought with the readership here, someone would have some first hand experience. Heck, if we only went with well known sources, nobody would have even tried “Thawte SSL's” when they were small and unknown just a few years ago. They used to be priced more cheaply until they “GOT WELL KNOWN”. Same holds true with GeoTrust (formerly Equifax SSL certs)--they were not known until they got some of the pie and decided to raise their prices.

What I'm looking for is helpful feedback about the companies and user experiences (if anyone has any). I'm hoping someone has already given them a try and can provide some feedback.

bcc1234




msg:645619
 2:52 am on Nov 30, 2002 (gmt 0)

The only real difference between all those companies is how long they have been in business.
Older installations of browsers do not have those new companies in the list of trusted CAs, and do not really support CA chaining; therefore, their certificates will be flagges as self-signed (somewhat) to the users of old browsers.
And that is a bad thing. That really scares people away.
I personally don't care, but many-many (way too many) people think that the little lock at the browser frame really means something.

thiefware




msg:645620
 7:51 pm on Nov 30, 2002 (gmt 0)

Yeah I hate that little lock too--sure doesn't tell the truth many times. The system was broke before it was forced upon us.

Anyone know of other good low priced solutions? It's time the big boys had some competition like with the domain name registration and Network Solutions. At one time we were paying $50 a year, then $35, then $25. Now we can get them for $15 or less (or even $6.95) per year. Verisign and Thawte (Thawte is owned by Verisign) has ripped us off for long enough. It's time we let them know that the service is not worth much more than $80 initially and only about $40/year thereafter if even that.

bcc1234




msg:645621
 10:19 pm on Nov 30, 2002 (gmt 0)

Yeah I hate that little lock too--sure doesn't tell the truth many times. The system was broke before it was forced upon us.

LOL, that's not what I meant. The system itself is actually as close as it even comes to being perfect.
It's just the chances of a payment info being stolen in the process of a transmission are so low that it's not even worth mentioning.
But hey, since Joe Average User says he wants to see a lock - we must all get one :)

It's time we let them know that the service is not worth much more than $80 initially and only about $40/year thereafter if even that.

Actually, technically it's nothing compared to domain registry in terms of required resources.

The most expensive part of the system is (at least should be) the authentication of an applicant.
So I would say $80/$40 sounds just right.

After all, theoretically, I could start issuing certificates tomorrow. It's just a matter of establishing enough authority so that the browser (and other ssl apps) vendors would start including me in the root list by default.

But hey, most people don't even have a clue about the authentication part of the whole SSL deal.

A few weeks ago I talked to one sales rep at a cc processor and he was convinced that if I bought my own certificate - it would be somehow illegal or at least illegitimate. And the only "right" way to do it was to redirect people to their servers with their own certs. I was too tired to explain him his stupidity, but that pretty much shows where most people stand as far as SSL goes.

And Verisign (and others) are not about to let go of such a cash cow any time soon.

I'm way too lazy to check what is required to get into the SSL business, but I'm sure they made it as hard as possible.

thiefware




msg:645622
 11:13 pm on Nov 30, 2002 (gmt 0)

Verisign did design it to make it very difficult to break into the SSL certs business. Verisign knew that the current method to become a registered certs authority and to get it to work on the browsers would make it next to impossible for anyone to jump on the SSL bandwagon.

Even when a new SSL authority has done the hoop jumping, it's still hard to overcome the older browser limitations because the older browsers do not recognize the new certs authority on the authority records for legit certs providers.

That was one of the major hurdles with GeoTrust (formerly Equifax). I talked with a technician from Equifax back in early 2001 and from the lengthy explanation, it sounded like a nightmare to break into and he saw it from the inside. Also Verisign had some part in qualifying the newly established authority before they became an authority which by design makes it that much harder to break into. The way it was explained to me then (and the details are kinda fuzzy now) sure sounded complicated to be in that business. Perhaps there is some sort of monopoly strangle-hold and we need to break them to allow more competition.

But once Equifax gained enough recognition, GeoTrust took over, jacked up the prices and now they are not any better than thawte in terms of pricing equivalent certs. We just need more alternatives.

I still say the system is already broken from a competition entry standpoint. It should be easier for competitors to break into the market and Verisign should not have any say so over who gets in, but they do--again that's why it's broken. Also, the browsers need to be set up to accept “certificate authority updates” of legit authorities so that all browsers are current even if the browser software is older--the other thing that makes the system broken.

In some respects, this certs thing is somewhat of a scam and Verisign should never have had that much control in the first place.

BTW, I know it's nothing like domain name registration. I was only using it as an example where competition caused prices to drop dramatically. It's like having certs costing about $60-$80 initial fee and renewals costing about $40 instead of costing $200-$400 initial fees and almost that much to renew. It's a rip-off business when you think about what you are getting.

A few weeks ago I talked to one sales rep at a cc processor and he was convinced that if I bought my own certificate - it would be somehow illegal or at least illegitimate. And the only "right" way to do it was...

hahaha, sometimes sales reps are so ignorant and Joe Average knows less than what they know. In fact we don't even need their paid certs to make a secured connection. However, the browser won't recognized that as legit and will throw up warnings like you said. What a pain.

...OK back to the question... Any more certs authorities that are good to work with?

bcc1234




msg:645623
 11:40 pm on Nov 30, 2002 (gmt 0)

OK back to the question... Any more certs authorities that are good to work with?

Nope :)
I think we've established that already.

thiefware




msg:645624
 12:49 pm on Dec 1, 2002 (gmt 0)

These 3 services can be added:

[entrust.com...]
[directnic.com...]
[securessl.co.uk...]

Night_Hawk




msg:645625
 9:40 am on Dec 3, 2002 (gmt 0)

Thiefware,
Check out this link it might be what you are looking for
[rackshack.net...]

thiefware




msg:645626
 5:13 pm on Dec 3, 2002 (gmt 0)

Wow, that's weird, only $49/year. I don't know what to make of that. It's the same GeoTrust cert I was looking at on the GeoTrust Web site, but there they were charging $139/year (see http://www.geotrust.com/webtrust/index.htm [geotrust.com]).

They sure mess with us on pricing, but it's cool if I can get one there for that price. Thanks for the info.

thiefware




msg:645627
 2:45 pm on Dec 4, 2002 (gmt 0)

OK, clarifications on GeoTrust:

Evidently with Certs ordering you can also get a verification seal. The verification seal is what made the True BusinessID cost more. Most people only get the cert by itself which is $139/year. It's still more than InstantSSL certs of comparable quality and Geotrust certs use to be $95/year.

After doing more research, I also find that the parent company of InstantSSL (Comodo Group) is actually the 3rd largest provider of certs. It's just not as widely publicised as Verisign or Thawte. And in other forums, I am finding Comodo (aka InstantSSL) being well thought of by a couple other people buying their certs saying that service was good. Pricing starts at $49/year for certs which is equal to the cert price at RackShack.

RackShack struck a deal with Geotrust to get a bulk savings (called them about it). For how long they are able to offer that deal, I don't know nor do I know if the renewal price would still be $49/year or at the regular $99/year. And that's the research into Certs and pricing (there's more but that's the main points).

zoobie




msg:645628
 7:47 am on Jan 16, 2003 (gmt 0)

freessl.com has 'em for $15 a year

amznVibe




msg:645629
 8:14 am on Jan 16, 2003 (gmt 0)

someone posted this chart around here and its very handy for your question

[whichssl.com...]

brendan




msg:645630
 9:55 pm on Jan 17, 2003 (gmt 0)

We have had experience with instantssl.com part of Comdo.net the parent company. They are pretty good in my opinion, they perform the same checks as Thawte except you can do them online if you have the right details like a DUNS for your business.

The one problem is that they sell certs which are not root trusted directly but this just means you have to install an extra key bundle in your web server software and full instructions are given plus their support have been very responsive when I have dealt with them.

We looked at Geotrust briefly after Thawte put their prices up.

For those who don't know much about secure certs they are free to issue and anyone can do it the only problem is that unless the issuer is trusted users visiting the site will see a message warning them of this fact. The issuers provide a service whereby they check you are who you say you are before they issue you a certificate.

But I don't see too much point in this they seem to think it establishes trust but just because a company can prove they exist there is no reason to say that they should be trusted.

With Comodo we have defiantely found a good partner, they have a great price and good service and support.

Just my 2p

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / WebmasterWorld / Ecommerce
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved