
Shopping for the right SSL: What are the options?


When looking to use SSL certificates to secure communications, there are many different options available. Extended Validation, SGC, standard SSL, and domain-validated SSL are the options generally available from commercial SSL signing authorities. There are also the options of self-signing certificates or using one of the free SSL providers. Self-signing certificates may or may not be a viable option depending on the resources available. Free SSL certificates are fine for home or lab use; I use free SSL certificates from StartCom in my test lab and have no complaints. Firefox and Safari recognise the StartCom CA as standard, which is very encouraging; IE users still need to install the CA as a trusted authority.

For corporate use, it's likely that you will want to go with one of the commercial certificate authorities: Verisign, Thawte, and GeoTrust are three that come to mind; the last two are actually owned by Verisign anyway! Verisign certificates tend to be more expensive than those issued by Thawte and GeoTrust, which are both priced identically. I can't see a good reason for this; perhaps it's related to the certificate warranty offered by Verisign. Verisign could also claim to have a much more widely recognised brand; so long as the certificate is valid, and there is a lock showing in the browser, I doubt the majority of users would take any notice.

So what about the various types of certificate available?

Extended validation

Due to the ease with which some fraudsters seem to have been obtaining properly signed SSL certificates, the Extended Validation certificate is now being pushed by certificate authorities as offering the next level of customer assurance. Companies applying for an Extended Validation certificate need to undergo a more rigorous vetting process than for a standard SSL certificate.

If you are using Windows Vista then you may have noticed that some SSL-secured Web sites show a green bar identifying both the company and the certificate authority, while sometimes it simply shows a padlock icon on a blue button. Only certificates with Extended Validation credentials can show the green address bar.

I haven't seen many Web sites using EV certificates; I'm sure their usage will slowly but steadily increase. These are the most expensive option, costing $1499/yr from Verisign and $899/yr from Thawte or GeoTrust.

Assured encryption (SGC)

Server Gated Cryptography came to be as a result of U.S. legislation, which limited encryption levels used in software outside of the United States. Exported software would only offer weakened encryption algorithms while an SSL handshake was taking place.

The legislation included an exception for financial transactions, and this is where SGC entered the scene. SGC certificates were only available to financial organisations and would allow all users to connect with a higher level of encryption. During an SSL handshake, the client software checks the server for an SGC-enabled certificate and, if one is detected, it will reconnect with stronger ciphers.

The legislation has now been dropped and any organisation can purchase an SGC certificate. This could be desirable if visitors are known to be using older browsers, which may default to a lower level of encryption than is actually available. An SGC certificate will cost you $995/yr from Verisign or $699/yr elsewhere.

Standard SSL

A standard SSL certificate pretty much does what it says on the tin. It verifies the identity of a server and its owner. It also offers encryption of up to 256 bits depending on the ciphers supported by the client application. As mentioned above, older applications that are capable of using a 128/256-bit cipher may not do so unless presented with an SGC certificate. If you know that visitors will be using a modern browser then a standard certificate may well be adequate. Before issuing an SSL certificate, the authority will first verify the legitimacy of the business making the request and also check that the person submitting the request is authorised to do so.

One of these certificates will cost you $399/yr from Verisign or $249/yr from Thawte.

Domain-validated SSL

The last option is the domain validated certificate. Much easier to obtain and much cheaper than a standard SSL certificate, domain validated certificates can be obtained within minutes, providing that basic procedures are followed correctly.

Domain-validated SSL offers full SSL encryption while verifying only that the certificate has been requested by the domain owner or an authorised party. If you look at a domain-validated certificate, you will notice that under the 'Subject' entry only the Common Name (CN) is listed, with none of your company's details. This is because requesting a domain-validated certificate does not involve background checks, only verification of domain ownership.

Due to this, a domain-validated certificate only verifies the host you are connecting to and that encryption is in place, not the legitimacy of the business. A domain-validated certificate is therefore not really suitable for use in e-commerce.
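The Subject check described above can be automated. The following is an added example (not from the original article) that parses a certificate's textual Subject DN, as printed by `openssl x509 -noout -subject -nameopt RFC2253`, and applies the article's rule: CN only means domain-validated, while an organisation (O) means the CA vetted the business. The EV test and the CA-specific placeholder strings are assumptions that go beyond the article: the CA/Browser Forum EV Guidelines put businessCategory, jurisdiction and serialNumber attributes in the subject, and some CAs fill O or OU with a marker such as "Persona Not Validated" or "Domain Control Validated" instead of a company name.

```python
"""Classify a certificate's validation level from its Subject DN.

Input is RFC 4514 syntax (e.g. "CN=www.example.com,O=Example Ltd,C=GB"),
most-specific attribute first, as OpenSSL prints with -nameopt RFC2253.
"""
import re

# Split on commas that are not escaped, so "O=Acme\, Inc." stays whole.
_SPLIT_RE = re.compile(r'(?<!\\),')

# Subject attributes the EV Guidelines require (assumption, not from the
# article): business category, jurisdiction of incorporation, registration
# number. Both short names and dotted OIDs are accepted.
EV_MARKERS = {"businessCategory", "2.5.4.15",
              "jurisdictionC", "1.3.6.1.4.1.311.60.2.1.3",
              "serialNumber", "2.5.4.5"}


def parse_dn(dn: str) -> dict:
    """Return {attribute_type: value}; unknown types are kept as OIDs."""
    attrs = {}
    for rdn in _SPLIT_RE.split(dn.strip()):
        if not rdn:
            continue
        key, _, value = rdn.partition('=')
        attrs[key.strip()] = value.strip().replace('\\,', ',')
    return attrs


def validation_level(dn: str) -> str:
    attrs = parse_dn(dn)
    if "CN" not in attrs:
        return "unknown (no Common Name)"
    org = attrs.get("O", "")
    unit = attrs.get("OU", "")
    # Only the host name was verified; some CAs say so explicitly in O/OU
    # instead of leaving them out (assumed CA conventions, not a standard).
    if not org or "Not Validated" in org or "Domain Control Validated" in unit:
        return "domain-validated"
    if EV_MARKERS.intersection(attrs):
        return "extended-validation"
    # An organisation is named, so the CA vetted the business behind it.
    return "organisation-validated"


# Constructed sample subjects for illustration, not real certificates.
if __name__ == "__main__":
    for sample in ("CN=mail.example.com",
                   "CN=www.example.com,O=Example Ltd,L=London,C=GB"):
        print(sample, "->", validation_level(sample))
```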

Verisign do not offer a domain-validated certificate; Thawte offer their SSL123 certificate for $149/yr.

Deciding which certificate fulfills your requirements is a personal choice and very much depends on why you are using SSL in the first place. If you're using the certificate to protect a public Web site that takes online payments, then an SGC-enabled certificate with Extended Validation will be the best option. This will verify your identity giving potential customers peace of mind; it will also ensure that they have the highest level of confidence in the authenticity of your digital certificate. It is, unfortunately, still a little too expensive for the majority of smaller online businesses and too new for a lot of larger businesses to have adopted.

If an Extended Validation equipped certificate is a little too expensive but you still want to make sure that users are fully protected, then an SGC certificate will probably be a good compromise. An SGC certificate is also desirable if you know that some users will be connecting with old software, which will default to weak encryption ciphers.

Standard SSL certificates are still quite adequate for the majority of uses. Most visitors will have recent browser versions capable of high encryption, and the standard certificate still verifies that your business is legitimately registered.

Domain-validated certificates are fine when there is no e-commerce involved and all of your visitors are 'known'; that is to say, they are known by you and you are known by them. While the domain-validated certificate does not give the general public any guarantee that you are who you claim to be, it does verify that the server being connected to is the one authorised to serve that domain and not a third party. Encryption of up to 256 bits is available, with 128 bits being the norm under most modern browsers. I think a domain-validated certificate would be quite acceptable for securing access to corporate resources where visitors would be company employees with a known minimum level of browser security (which can be enforced via embedded browser checks). A domain-validated certificate can be particularly useful in situations where a fast deployment is required. The certificate can be requested and installed within minutes and can always be replaced with a full SSL certificate later on.

I'd be interested to hear what types of certificates you use to protect various types of online resources. Do you feel Extended Validation offers any real benefit or is it just an attempt to increase the CA's revenue? Do you consider domain-verified certificates good enough to cover services like Webmail or is an SGC certificate worth the extra investment? Leave a comment and share your views.

8 comments
sumit

There are many companies who are offering standard services as cheap as $20 per year (GoDaddy for instance). These certificates are OK for webmail and some minimal use. Browser support is a major reason for not using a $20 cert. GoDaddy for instance is not recognized as a valid CA by Firefox.

EduTechsupport

Particularly for the domain validated certificates. $20 for 1 year, with discounts for multi-year. You can get a 10 year cert for $160

cotsweb

Thank you for a very helpful article. I wonder if the average web user actually knows that there are different levels of certification. My suspicion is that as long as they see a padlock on their browser and https at the top of their screen they will be happy. If this is the case then the cheapest certification option is quite adequate, it tells the user that they are operating over an encrypted link and that is all that matters to them. I think that most people verify the identity of the site by other means, like typing in amazon.com rather than following links in a spam email. Obviously this doesn't give them the same level of security, but ignorance is bliss. It will probably take a high profile case to change this mindset and educate the general public about certificates.

dennis

In both my IE7 and Firefox 2.0 I have a GoDaddy Class 2 CA listing. I was considering getting a GoDaddy SSL cert for a non-profit for OWA access. GoDaddy has low-cost certs, but are they too cheap? Do you think it's worth the extra $100 for a more reputable CA for a non-profit with tight spending?

Justin Fielding

I would be very surprised if your average user has ever actually inspected a certificate. That doesn't have to be a bad thing; as you said most users are concerned with encryption and verify the identity of the site by checking the URL is correct. If you're using the website for e-commerce then a full certificate is a must. Back-office and user portals don't really need that level of validation so I think the domain level cert does the job quite adequately.

gadiandi

You are right that GoDaddy is just as compatible as VeriSign certs in major browsers. I would probably recommend using them for OWA access since everyone using it will already trust that you are who you say you are. The fact that they are cheap doesn't mean anything if they provide what you need. If you do want more options for choosing an SSL certificate, I recommend www.sslshopper.com

mb.techrepublic

I'd say if you only want to provide a certificate for limited (closed group of users) access, such as SSL VPNs (cf. SSL Explorer), or OWA, then GoDaddy is a good choice - it's the one I made. It suits me fine since if I access a borrowed corporate, private or web-cafe computer, the "owner" doesn't see any "are you sure you want to go visit this seemingly suspect site?" message which you would get without any certificate. The certificate won't change the level of security, just its perceived ease of use. Hope that helps [edited for clarification]

gadiandi

Technically the level of security does change if you don't use any certificate because a certificate is required to enable SSL. You're probably talking about a self-signed certificate though, in which case, you are right: a purchased SSL certificate and a free self-signed certificate offer the same level of security but the purchased one is far less annoying.
