Welcome to WebmasterWorld Guest from 54.224.168.206

Forum Moderators: buckworks

Message Too Old, No Replies

SSL certificate issuers

Are these reputable or what?

     
7:40 pm on Nov 26, 2002 (gmt 0)

New User

10+ Year Member

joined:Jan 25, 2002
posts:36
votes: 1


When I recently went to buy another SSL certificate for one of my clients from GeoTrust (www.geotrust.com [geotrust.com]) (formerly Equifax Certificates), I found that their whole cost structure had changed and depending on what you wanted, it would cost differently.

I used to be able to get an SSL cert for $95 that would of course allow for verification of a secure connection and provide the company name and address if a person happened to view the certificate details by clicking on the Lock in the corner. Now that same certificate (now called True BusinessID) costs $249. Verisign is higher yet and thawte is a little bit lower at $199.

Geotrust also provides a QuickSSL cert for $139 but it does not give all the details of the business when someone clicks on the lock to get information, but just the URL (from what I understand from the conversation I had with them).

I thought there had to be lower priced SSL certs that were of high quality and offered the same features as the True BusinessID from GeoTrust or Thawte, both of which provide the indication of a secure transaction and the business information.

I found 2 sites that sell certs: [instantssl.com...] and [qualityssl.com...] and both sell them for considerably less at $69 a year. Has anyone dealt with these 2 SSL certs sites? Are their certs equal in features and quality to the other 3 companies?

Looking for feedback...

9:34 pm on Nov 26, 2002 (gmt 0)

Full Member

10+ Year Member

joined:Feb 25, 2002
posts:311
votes: 0


never heard of any of those companies, defintely go with some well known companies when dealing with SSL
12:04 pm on Nov 27, 2002 (gmt 0)

New User

10+ Year Member

joined:Jan 25, 2002
posts:36
votes: 1


I'm not much interested in whether or not they are well known. If that were true, we'd stick with AT&T and MCI just because they are well known and also some of the highest priced phone companies. It does not matter to me about the amount of publicity of a company.

What I want to know is if anyone else has tried these companies and if so, what did you think. I thought with the readership here, someone would have some first hand experience. Heck, if we only went with well known sources, nobody would have even tried “Thawte SSL's” when they were small and unknown just a few years ago. They used to be priced more cheaply until they “GOT WELL KNOWN”. Same holds true with GeoTrust (formerly Equifax SSL certs)--they were not known until they got some of the pie and decided to raise their prices.

What I'm looking for is helpful feedback about the companies and user experiences (if anyone has any). I'm hoping someone has already given them a try and can provide some feedback.

2:52 am on Nov 30, 2002 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:July 1, 2002
posts:1424
votes: 0


The only real difference between all those companies is how long they have been in business.
Older installations of browsers do not have those new companies in the list of trusted CAs, and do not really support CA chaining; therefore, their certificates will be flagges as self-signed (somewhat) to the users of old browsers.
And that is a bad thing. That really scares people away.
I personally don't care, but many-many (way too many) people think that the little lock at the browser frame really means something.
7:51 pm on Nov 30, 2002 (gmt 0)

New User

10+ Year Member

joined:Jan 25, 2002
posts:36
votes: 1


Yeah I hate that little lock too--sure doesn't tell the truth many times. The system was broke before it was forced upon us.

Anyone know of other good low priced solutions? It's time the big boys had some competition like with the domain name registration and Network Solutions. At one time we were paying $50 a year, then $35, then $25. Now we can get them for $15 or less (or even $6.95) per year. Verisign and Thawte (Thawte is owned by Verisign) has ripped us off for long enough. It's time we let them know that the service is not worth much more than $80 initially and only about $40/year thereafter if even that.

10:19 pm on Nov 30, 2002 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:July 1, 2002
posts:1424
votes: 0


Yeah I hate that little lock too--sure doesn't tell the truth many times. The system was broke before it was forced upon us.

LOL, that's not what I meant. The system itself is actually as close as it even comes to being perfect.
It's just the chances of a payment info being stolen in the process of a transmission are so low that it's not even worth mentioning.
But hey, since Joe Average User says he wants to see a lock - we must all get one :)

It's time we let them know that the service is not worth much more than $80 initially and only about $40/year thereafter if even that.

Actually, technically it's nothing compared to domain registry in terms of required resources.

The most expensive part of the system is (at least should be) the authentication of an applicant.
So I would say $80/$40 sounds just right.

After all, theoretically, I could start issuing certificates tomorrow. It's just a matter of establishing enough authority so that the browser (and other ssl apps) vendors would start including me in the root list by default.

But hey, most people don't even have a clue about the authentication part of the whole SSL deal.

A few weeks ago I talked to one sales rep at a cc processor and he was convinced that if I bought my own certificate - it would be somehow illegal or at least illegitimate. And the only "right" way to do it was to redirect people to their servers with their own certs. I was too tired to explain him his stupidity, but that pretty much shows where most people stand as far as SSL goes.

And Verisign (and others) are not about to let go of such a cash cow any time soon.

I'm way too lazy to check what is required to get into the SSL business, but I'm sure they made it as hard as possible.

11:13 pm on Nov 30, 2002 (gmt 0)

New User

10+ Year Member

joined:Jan 25, 2002
posts:36
votes: 1


Verisign did design it to make it very difficult to break into the SSL certs business. Verisign knew that the current method to become a registered certs authority and to get it to work on the browsers would make it next to impossible for anyone to jump on the SSL bandwagon.

Even when a new SSL authority has done the hoop jumping, it's still hard to overcome the older browser limitations because the older browsers do not recognize the new certs authority on the authority records for legit certs providers.

That was one of the major hurdles with GeoTrust (formerly Equifax). I talked with a technician from Equifax back in early 2001 and from the lengthy explanation, it sounded like a nightmare to break into and he saw it from the inside. Also Verisign had some part in qualifying the newly established authority before they became an authority which by design makes it that much harder to break into. The way it was explained to me then (and the details are kinda fuzzy now) sure sounded complicated to be in that business. Perhaps there is some sort of monopoly strangle-hold and we need to break them to allow more competition.

But once Equifax gained enough recognition, GeoTrust took over, jacked up the prices and now they are not any better than thawte in terms of pricing equivalent certs. We just need more alternatives.

I still say the system is already broken from a competition entry standpoint. It should be easier for competitors to break into the market and Verisign should not have any say so over who gets in, but they do--again that's why it's broken. Also, the browsers need to be set up to accept “certificate authority updates” of legit authorities so that all browsers are current even if the browser software is older--the other thing that makes the system broken.

In some respects, this certs thing is somewhat of a scam and Verisign should never have had that much control in the first place.

BTW, I know it's nothing like domain name registration. I was only using it as an example where competition caused prices to drop dramatically. It's like having certs costing about $60-$80 initial fee and renewals costing about $40 instead of costing $200-$400 initial fees and almost that much to renew. It's a rip-off business when you think about what you are getting.

A few weeks ago I talked to one sales rep at a cc processor and he was convinced that if I bought my own certificate - it would be somehow illegal or at least illegitimate. And the only "right" way to do it was...

hahaha, sometimes sales reps are so ignorant and Joe Average knows less than what they know. In fact we don't even need their paid certs to make a secured connection. However, the browser won't recognized that as legit and will throw up warnings like you said. What a pain.

...OK back to the question... Any more certs authorities that are good to work with?

11:40 pm on Nov 30, 2002 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:July 1, 2002
posts:1424
votes: 0


OK back to the question... Any more certs authorities that are good to work with?

Nope :)
I think we've established that already.

12:49 pm on Dec 1, 2002 (gmt 0)

New User

10+ Year Member

joined:Jan 25, 2002
posts:36
votes: 1


These 3 services can be added:

[entrust.com...]
[directnic.com...]
[securessl.co.uk...]

9:40 am on Dec 3, 2002 (gmt 0)

Junior Member

10+ Year Member

joined:Aug 26, 2002
posts:122
votes: 0


Thiefware,
Check out this link it might be what you are looking for
[rackshack.net...]
5:13 pm on Dec 3, 2002 (gmt 0)

New User

10+ Year Member

joined:Jan 25, 2002
posts:36
votes: 1


Wow, that's weird, only $49/year. I don't know what to make of that. It's the same GeoTrust cert I was looking at on the GeoTrust Web site, but there they were charging $139/year (see http://www.geotrust.com/webtrust/index.htm [geotrust.com]).

They sure mess with us on pricing, but it's cool if I can get one there for that price. Thanks for the info.

2:45 pm on Dec 4, 2002 (gmt 0)

New User

10+ Year Member

joined:Jan 25, 2002
posts:36
votes: 1


OK, clarifications on GeoTrust:

Evidently with Certs ordering you can also get a verification seal. The verification seal is what made the True BusinessID cost more. Most people only get the cert by itself which is $139/year. It's still more than InstantSSL certs of comparable quality and Geotrust certs use to be $95/year.

After doing more research, I also find that the parent company of InstantSSL (Comodo Group) is actually the 3rd largest provider of certs. It's just not as widely publicised as Verisign or Thawte. And in other forums, I am finding Comodo (aka InstantSSL) being well thought of by a couple other people buying their certs saying that service was good. Pricing starts at $49/year for certs which is equal to the cert price at RackShack.

RackShack struck a deal with Geotrust to get a bulk savings (called them about it). For how long they are able to offer that deal, I don't know nor do I know if the renewal price would still be $49/year or at the regular $99/year. And that's the research into Certs and pricing (there's more but that's the main points).

7:47 am on Jan 16, 2003 (gmt 0)

Junior Member

10+ Year Member

joined:Nov 20, 2002
posts:179
votes: 0


freessl.com has 'em for $15 a year
8:14 am on Jan 16, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 16, 2002
posts:2010
votes: 0


someone posted this chart around here and its very handy for your question

[whichssl.com...]

9:55 pm on Jan 17, 2003 (gmt 0)

Junior Member

10+ Year Member

joined:May 15, 2001
posts:112
votes: 0


We have had experience with instantssl.com part of Comdo.net the parent company. They are pretty good in my opinion, they perform the same checks as Thawte except you can do them online if you have the right details like a DUNS for your business.

The one problem is that they sell certs which are not root trusted directly but this just means you have to install an extra key bundle in your web server software and full instructions are given plus their support have been very responsive when I have dealt with them.

We looked at Geotrust briefly after Thawte put their prices up.

For those who don't know much about secure certs they are free to issue and anyone can do it the only problem is that unless the issuer is trusted users visiting the site will see a message warning them of this fact. The issuers provide a service whereby they check you are who you say you are before they issue you a certificate.

But I don't see too much point in this they seem to think it establishes trust but just because a company can prove they exist there is no reason to say that they should be trusted.

With Comodo we have defiantely found a good partner, they have a great price and good service and support.

Just my 2p