
Webmaster General Forum
Extended Validation SSL Certificates: Are They Worth The Investment?
Huge price increase
Compworld
msg:3288797, 7:41 pm on Mar 21, 2007 (gmt 0)

I have to renew my certs and Godaddy (as well as others) are offering these new SSL certs with the green validation bar. They are 20 to 40 times more expensive than regular SSLs. Am I going to lose business if I do not upgrade to these new SSL certs? Since I have several sites, these certs are really expensive and not at all economical.

celgins
msg:3288889, 8:39 pm on Mar 21, 2007 (gmt 0)

Why would you lose business? If you're running an ecommerce site, most visitors/buyers look for the "https" or the padlock in the bottom right corner of their screen to verify that the session is secure.

It probably doesn't matter to them what level of SSL cert you have installed.

LifeinAsia
msg:3288890, 8:39 pm on Mar 21, 2007 (gmt 0)

I feel it's a scare tactic the companies are using: Upgrade to the really expensive certs or your bar won't be green!

I suspect (hope) that so many sites won't be duped into it that in the end, visitors will view a green bar as something wrong because every other secure site they visit is yellow.

We're certainly not going to fork over the extra money.

cameraman
msg:3288951, 9:30 pm on Mar 21, 2007 (gmt 0)

I agree, most people don't even know about extended validation yet (and it seems to me that most don't even look at their address bars <grin>).

To any visitor that asked, I'd quote the godaddy explanation to them - that it's mainly useful to financial institutions etc. and that the 'extension' is focused on validating the existence of the entity - doesn't have anything to do with encryption strength.

lgn1
msg:3289203, 2:58 am on Mar 22, 2007 (gmt 0)

The prices will need to come way down before extended validation becomes popular. I could see paying 20-30% more for this, but not the highway robbery prices they are charging.

Eventually, competition will force the prices down, where companies will start considering them.

It's interesting that GoDaddy is advertising the certificates for $500, but then say that a certificate can be issued in 2-4 hours. I wish I could charge $250 an hour for my services :)

Compworld
msg:3289298, 4:51 am on Mar 22, 2007 (gmt 0)

Just crazy what they are trying to charge. 500 - 1000 for an SSL cert. I feel like it is 1997 all over again. Where's the bubble now?

physics
msg:3290243, 9:42 pm on Mar 22, 2007 (gmt 0)

I think the fact that you can't just self-sign certificates (and have them work without a browser warning) is kind of crazy in itself. With turbo ssl certs all they do is check that you control the domain. To me what really matters with an SSL cert is that the data is encrypted, full stop. So buy a turbo ssl unless you're looking to burn cash.

jtara
msg:3290295, 10:26 pm on Mar 22, 2007 (gmt 0)

It will take some time, but I think these certificates will eventually become VERY important, IF the certificate-issuers take verification seriously.

The whole idea behind this is that in order to get one of these, your identity is verified. You have to prove that you are who you say you are.

I think at some point, consumers will refuse to make monetary transactions with a site if they do not get the green bar. Why on earth would you send money to somebody whose identity you cannot verify?

To me what really matters with a SSL cert is that the data is encrypted, full stop

If you aren't doing monetary transactions, or dealing in sensitive data, sure. (But if you aren't at least dealing in sensitive data, why do you need encryption?)

Compworld
msg:3290568, 5:17 am on Mar 23, 2007 (gmt 0)

Last time I checked, Turbo SSL has 256 bit encryption. These extra verification certs will only pick up steam if the price comes back to earth. In addition, having an attorney or CPA send in a letter on behalf of the company is pushing it. Verification could be done by the articles of incorporation, copy of gov't issued identification, etc.

webdoctor
msg:3290959, 2:59 pm on Mar 23, 2007 (gmt 0)

The whole idea behind this is that in order to get one of these, your identity is verified. You have to prove that you are who you say you are.

I think at some point, consumers will refuse to make monetary transactions with a site if they do not get the green bar. Why on earth would you send money to somebody whose identity you cannot verify?

Verifying the identity of the individual/company behind a domain name doesn't mean the transaction is safe - at least not for the common usage of the word "safe".

If they'd been available back then, you can bet that Enron would have bought an extended validation certificate, and www.enron.com would have been showing a pretty green bar right until the bitter end.

jtara
msg:3290983, 3:22 pm on Mar 23, 2007 (gmt 0)

Verifying the identity of the individual/company behind a domain name doesn't mean the transaction is safe - at least not for the common usage of the word "safe".

No, but it verifies that you are dealing with who you think you are dealing with - and not a phisher.

Banks, Paypal, etc. I'm sure welcome this.

Now, will the certificate issuers block issuance of certificates with names that are "confusingly similar", though?

sandyeggo
msg:3291004, 3:36 pm on Mar 23, 2007 (gmt 0)

EV certs are available at network solutions now @ $399/year if you buy 2 years.
I dropped my verisign cert that cost me the same $$ and moved to netsol. I got our new EV cert installed yesterday. I don't know if it will actually make a difference, but I don't think it can hurt. I was using Verisign for brand recognition, but netsol isn't a household name as far as SSL goes so who knows...

webdoctor
msg:3291171, 5:46 pm on Mar 23, 2007 (gmt 0)

Verifying the identity of the individual/company behind a domain name doesn't mean the transaction is safe - at least not for the common usage of the word "safe".

No, but it verifies that you are dealing with who you think you are dealing with - and not a phisher.

IMHO it verifies that someone has the $$$ to pay for a certificate, and that's about it.

Read the description of the vetting process [cabforum.org]. The one that stands out is:

Right to Use Domain Name: The CA must take all steps reasonably necessary to verify that, as of the date the EV Certificate is issued, the entity named in the EV Certificate owns or has the exclusive right to use the domain name listed in the EV Certificate

Does anyone know how the certificate issuer is supposed to actually do that?

ytswy
msg:3291189, 5:59 pm on Mar 23, 2007 (gmt 0)

Does anyone know how the certificate issuer is supposed to actually do that?

There's the point. I think this was meant to be the idea once, but it just didn't happen; although there is a certain amount of consumer belief out there that a signed SSL cert (ie one that doesn't display a warning) makes some sort of guarantee about who you're dealing with.

This whole con with the green bar in IE7 is an attempt to resurrect that money-spinner IMO, but unless the issuer starts making guarantees to the consumer then it's not going to mean anything more - the resellers will sell to anyone who pays.

SSL certs just guarantee encryption, and there's no reason at all apart from the browser warning that self-signed certs are inferior. It's a con, it always has been a con, and this whole "green bar" thing is just an attempt to make more money from the con.

</rant>

cameraman
msg:3291479, 10:15 pm on Mar 23, 2007 (gmt 0)

No, but it verifies that you are dealing with who you think you are dealing with - and not a phisher.

I haven't seen an EV certificate, but what's to stop a phisher from getting one, even forging the letter-from-the-lawyer or whatever other credentials are necessary? I don't know what the income for the average phisher is, but I have to think that they'd be willing to go to great lengths to rip people off - they already do anyway.

Even if the checks are in place to completely (uh huh) preclude that from happening, you still haven't eliminated misrepresentation whether it's identity or the goods/services. If you're not dealing in person, you don't have any assurance of identity, it's as simple as that (and even then..). I could sit here and tell you that I'm a 13 year old blue-eyed blonde girl or a 50 year old 400 lb hairy guy who smells, and you'd have no way of verifying either one - and web cams can lie, too.

If anything, I think people are becoming more jaded about it all. Last I heard, something like 5 million people per day go tromping through that online auction house - I'm occasionally one of them. They (and I) sit down happily with their credit cards or paypal IDs and send money off to people whom they've never met for goods with (bottom line) unknown state of disrepair. For that matter, they often don't even know where the money's going.

And why are they so happy and oblivious? Not because of yellow or green or fuchsia address bars - because their bank cards give them fraud protection.

So who's getting scammed right now? I have to agree with ytswy - we webmasters. If enough sign up for it and people finally start saying 'oh gotta have that green bar' then yeah, we'll all have to go get them. Then someone(s) will find a way around it and we'll be right back here finding out how much the fuchsia bar is gonna cost.

This is just starting back at the top of the road that we've all been down. Anybody remember video tapes? At first they weren't copy protected. Then they were. Someone defeated it. They enhanced it. Someone defeated it. Then they moved to dvds. Someone broke that. They enhanced it. Someone broke that. Now they've moved on to Blu-ray and HD. Guess what? Broken. Same story over and over for software, and all these efforts are paid for by the consumer. It's a waste of time and money.

Instead of repaving the same old tired road and waiting for potholes to inevitably develop, a better system should be devised for online transactions. I like the paypal model because the buyer pushes the money toward the seller instead of allowing the seller to pull it. Why can't the credit card companies do that? How about the funds always go into escrow until the goods are delivered? (I dunno about services). B2B has worked on 30 day net for decades, why doesn't the common Joe[sephine] get that?

Why not have the green color just for financial institutions, who are all networked together and can decide who they let into their club? Then people know that when they're dealing with their banks or stock brokers it's supposed to be green, and the licenses required to qualify for the green are done in triplicate in person by qualified people in suits and Italian loafers the way the Almighty Greenback intended in the first place.

EV may very well take hold at some point, but just like everything else it will be because of the perception of security, not substance.

stroudtx
msg:3291617, 2:43 am on Mar 24, 2007 (gmt 0)

I don't plan to upgrade at all. Since most customers don't know what it is, it could actually cost sales when it goes green. Waste of money.

incrediBILL
msg:3291626, 3:02 am on Mar 24, 2007 (gmt 0)

IT'S A GIMMICK!

It doesn't make your site any more secure.

FWIW, who really cares how secure your SSL is when you probably don't keep all those open source PHP scripts up-to-date that let hackers waltz in with your out-of-date blog, ecommerce store or worse. The hackers then install a patch to your store that emails or IRCs your transaction details to the hacker so that SSL upgrade paid off, right?

SSL upgrade, puleeeeeez....

[edited by: incrediBILL at 3:03 am (utc) on Mar. 24, 2007]

Dinkar
msg:3291672, 6:09 am on Mar 24, 2007 (gmt 0)

You don't need to buy SSL, you can generate your own and install it on your server. CuteFTP software has a tool to create Self issued SSL.

stormy
msg:3291912, 4:24 pm on Mar 24, 2007 (gmt 0)

I think the fact that you can't just self-sign certificates (and have them work without a browser warning) is kind of crazy in itself.

I'm with physics on this one. Consumers don't even know what SSL (or a certificate) is. They do know that they have to look for the padlock icon and the "https" address, that's it. Self-signed certs are really useful (email/webmail over SSL for all your domains and control panels) and FREE. The browser warning drives me nuts.

jtara
msg:3292035, 8:23 pm on Mar 24, 2007 (gmt 0)

there is a certain amount of consumer belief out there that a signed SSL cert (ie one that doesn't display a warning) makes some sort of guarantee about who you're dealing with.

That's because it DOES.

A signed certificate guarantees that you are communicating with a web site at the domain name/IP address that the certificate was issued to.

Of course, web sites change domain names often enough without updating their certificates that many users now routinely press "OK" for the browser warning of a mismatch without even thinking.

You at least know which website the certificate was issued to. With a self-signed certificate, you do not know that. The difference is the promise of the certificate authority that "we issued this certificate to THIS website", vs. the self-signer's own promise of same.

So, while there's no verification of the identity of the OWNER of the website (as there is with the extended validation certificates) there IS certification of what site it was issued to. This provides protection against man-in-the-middle attacks.

I would NEVER use a site with a self-signed certificate to make monetary transactions or to provide other sensitive information. Self-signed certificates are useful for testing and for internal use. (say, for connecting to a back-end server, for VPNs, for an intranet server, etc.) However, for internal use (and especially if you need multiple certificates) you should set up your own certificate authority (the software is included with both Windows Server and Linux) rather than using self-signed certificates.
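To make jtara's distinction concrete, here is an added shell example (not from the thread or any poster): it builds a small private CA with openssl, issues a server certificate from it, and uses `openssl verify` to show that a CA-issued certificate is accepted for its hostname while a self-signed one for the same name is rejected unless you pin it as your own trust anchor. The CA name and hostnames are constructed placeholders, and it assumes openssl 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not from the thread. Sets up a private CA (the "run your own
# certificate authority" route for internal use), issues a server cert from it,
# and compares it with a self-signed cert for the same name. Constructed names.
set -eu
WORK=$(mktemp -d)
cd "$WORK"
HOST=intranet.internal.example   # constructed placeholder hostname

# 1. Private root CA: self-signed, but it is the one anchor we choose to trust.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout ca.key -out ca.pem \
  -subj "/CN=Example Internal CA" >/dev/null 2>&1

# 2. Server key and CSR, signed by the CA and bound to the hostname via SAN.
openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
  -subj "/CN=$HOST" >/dev/null 2>&1
printf 'subjectAltName=DNS:%s\n' "$HOST" > san.ext
openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 30 -extfile san.ext -out server.pem >/dev/null 2>&1

# 3. A self-signed cert for the same hostname: nobody vouches for it, so it
#    carries no more assurance than any other stranger's key would.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout self.key -out self.pem \
  -subj "/CN=$HOST" -addext "subjectAltName=DNS:$HOST" >/dev/null 2>&1

# verify_cert TRUST_ANCHOR CERT HOSTNAME
# Mirrors the two checks a browser makes: a chain to a trusted root AND a
# hostname match. Prints "trusted" or "rejected".
verify_cert() {
  if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo rejected
  fi
}

# CA-issued cert for the right name: accepted.
verify_cert ca.pem server.pem "$HOST"
# Same cert presented for a different name: rejected (hostname mismatch).
verify_cert ca.pem server.pem shop.example
# Self-signed cert, right name, but no chain to our CA: rejected.
verify_cert ca.pem self.pem "$HOST"
# The self-signed cert is accepted only if you pin it yourself as the anchor,
# which is exactly the "self-signer's own promise" jtara describes.
verify_cert self.pem self.pem "$HOST"
```

Each `verify_cert` line prints its verdict, so running the script shows the four outcomes in order: trusted, rejected, rejected, trusted.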

jecasc
msg:3292167, 10:29 pm on Mar 24, 2007 (gmt 0)

I've been using simple shared SSL that comes with my web hosting package ever since I started my online shop and I do not think it makes any difference. Actually I do not even think that the majority of people even care if you have Shared SSL, SSL or Extended Validation SSL or none at all. Hell - I had customers that sent me their credit card details by email, I even had customers asking me if I could create a Paypal account for them. And I would be very surprised if anyone ever checked for the SSL certificate at all.

And if you want to make a customer feel safe, make the checkout process as smooth as possible with no warning messages at all and definitely not with an address bar that suddenly turns bright green. I would bet that as long as this feature is not very widely known it scares more customers away than it attracts.

vincevincevince
msg:3292490, 12:18 pm on Mar 25, 2007 (gmt 0)

The important thing here is that most consumers, by the time they've reached the secure area, have already decided to buy. Consumers are funny animals... it can be really hard to coax them to make a purchase, but once they've made up their mind even an insecure server certificate won't stop most of them. A yellow vs. green bar will make little to no difference.

It would make a serious difference if it was also used over HTTP. Not to secure the data but to verify the domain ownership etc.

It could be even stronger if it incorporated a complaints or rating process by which consumers could request the certificate be downgraded to yellow or red. Something like BBB.

BradleyT
msg:3292702, 5:56 pm on Mar 25, 2007 (gmt 0)

Right now the only site I've seen that has it is paypal. Not having it certainly isn't deterring me from using other sites that have my sensitive/financial information.

Dinkar
msg:3292818, 8:55 pm on Mar 25, 2007 (gmt 0)

I would NEVER use a site with a self-signed certificate to make monetary transactions or to provide other sensitive information.

I respect your opinion/decision. But I would like to request you to think on it, may I?

Q: Why do we need an SSL certificate?
A: To make sure that the information we submit will be received by the same site to which we want to submit it.

Am I right?

If I am right, then what's wrong with a self issued SSL certificate?

Neither certificate offers any refund guarantee. And both types of certificates (self issued & third party) offer the same functionality and security. Then why don't you trust a self issued cert?

If you trust the website to give them your money and related information then why don't you trust its self issued SSL cert?

I don't understand, so please explain.

Compworld
msg:3292932, 1:01 am on Mar 26, 2007 (gmt 0)

All certs, even the basic SSL cert, have some sort of financial guarantee. For Godaddy, here's theirs:
Your Secure Certificate Provides Warranty Protection:

"Our warranty program provides $2000 of financial protection for your customers if they were to suffer financial loss as a direct result of relying on a certificate that was issued through our negligence."

Whether they've ever been exercised, I could not tell you.

Dinkar
msg:3293044, 6:43 am on Mar 26, 2007 (gmt 0)

They don't need to exercise it unless someone hacks the SSL.

And most probably it won't happen in case of a self issued cert because all such certs are generated by different people using different pass phrases.
