When looking to use SSL certificates to secure communications, there are many different options available. Extended Validation, SGC, standard SSL, and domain-validated SSL are the options generally available from commercial SSL signing authorities. There are also the options of self-signing certificates or using one of the free SSL providers. Self-signing certificates may or may not be a viable option depending on the resources available. Free SSL certificates are fine for home or lab use; I use free SSL certificates from StartCom in my test lab and have no complaints. Firefox and Safari recognise the StartCom CA as standard, which is very encouraging; IE users still need to install the CA as a trusted authority.
For corporate use, it’s likely that you will want to go with one of the commercial certificate authorities: Verisign, Thawte, and GeoTrust are three that come to mind; the last two are actually owned by Verisign anyway! Verisign certificates tend to be more expensive than those issued by Thawte and GeoTrust, who both charge the same. I can’t see a good reason for this; perhaps it’s related to the certificate warranty offered by Verisign. Verisign could also claim to have a much more widely recognised brand; so long as the certificate is valid and there is a lock showing in the browser, I doubt the majority of users would take any notice.
So what about the various types of certificate available?
Extended validation
Due to the ease with which some fraudsters seem to have been obtaining properly signed SSL certificates, the Extended Validation certificate is now being pushed by certificate authorities as offering the next level of customer assurance. Companies applying for an Extended Validation certificate need to undergo a more rigorous vetting process than for a standard SSL certificate.
If you are using Windows Vista then you may have noticed that some SSL-secured Web sites show a green bar identifying both the company and the certificate authority, while sometimes it simply shows a padlock icon on a blue button. Only certificates with Extended Validation credentials can show the green address bar.
I haven’t seen many Web sites using EV certificates; I’m sure their usage will slowly but steadily increase. These are the most expensive option, costing $1499/yr from Verisign and $899/yr from Thawte or GeoTrust.
Assured encryption (SGC)
Server Gated Cryptography came about as a result of U.S. legislation, which limited the encryption levels used in software outside of the United States. Exported software would only offer weakened encryption algorithms during an SSL handshake.
The legislation included an exception for financial transactions, and this is where SGC entered the scene. SGC certificates were only available to financial organisations and would allow all users to connect with a higher level of encryption. During an SSL handshake, the client software checks the server’s certificate for SGC capability and, if it is present, reconnects using stronger ciphers.
The legislation has now been dropped and any organisation can purchase an SGC certificate. This could be desirable if visitors are known to be using older browsers, which may default to a lower level of encryption than is actually available. An SGC certificate will cost you $995/yr from Verisign or $699/yr elsewhere.
Standard SSL
A standard SSL certificate pretty much does what it says on the tin. It verifies the identity of a server and its owner. It also offers encryption of up to 256 bits, depending on the ciphers supported by the client application. As mentioned above, older applications that are capable of using a 128/256-bit cipher may not do so unless presented with an SGC certificate. If you know that visitors will be using a modern browser then a standard certificate may well be adequate. Before issuing an SSL certificate, the authority will first verify the legitimacy of the business making the request and also check that the person submitting the request is authorised to do so.
One of these certificates will cost you $399/yr from Verisign or $249/yr from Thawte.
Domain-validated SSL
The last option is the domain validated certificate. Much easier to obtain and much cheaper than a standard SSL certificate, domain validated certificates can be obtained within minutes, providing that basic procedures are followed correctly.
Domain-validated SSL serves to offer full SSL encryption while verifying that the certificate has been registered by the domain owner or an authorised party. If you look at a domain-validated certificate, you will notice that under the ‘Subject’ entry only the Common Name (CN) is listed, not the details of your company. This is because requesting a domain-validated certificate does not involve background checks, only verification of domain ownership.
Due to this, a domain-validated certificate only verifies the host you are connecting to and that encryption is in place, not the legitimacy of the business. A domain-validated certificate is therefore not really suitable for use in e-commerce.
Verisign do not offer a domain-validated certificate; Thawte offer their SSL123 certificate for $149/yr.
Deciding which certificate fulfills your requirements is a personal choice and very much depends on why you are using SSL in the first place. If you’re using the certificate to protect a public Web site that takes online payments, then an SGC-enabled certificate with Extended Validation will be the best option. This will verify your identity giving potential customers peace of mind; it will also ensure that they have the highest level of confidence in the authenticity of your digital certificate. It is, unfortunately, still a little too expensive for the majority of smaller online businesses and too new for a lot of larger businesses to have adopted.
If an Extended Validation equipped certificate is a little too expensive but you still want to make sure that users are fully protected, then an SGC certificate will probably be a good compromise. An SGC certificate is also desirable if you know that some users will be connecting with old software, which will default to weak encryption ciphers.
Standard SSL certificates are still quite adequate for the majority of uses. Most visitors will have recent browser versions capable of high encryption, and the standard certificate still verifies that your business is legitimately registered.
Domain-validated certificates are fine when there is no e-commerce involved and all of your visitors are ‘known’; that is to say, they are known by you and you are known by them. While the domain-validated certificate does not give the general public any guarantee that you are who you claim to be, it does verify that the server being connected to is the one authorised to serve that domain and not a third party. Encryption of up to 256 bits is available, with 128 bits being the norm under most modern browsers. I think a domain validated certificate would be quite acceptable for securing access to corporate resources where visitors would be company employees with a known minimum level of browser security (which can be enforced via embedded browser checks). A domain-validated certificate can be particularly useful in situations where a fast deployment is required. The certificate can be requested/installed within minutes and can always be replaced with a full SSL certificate later on.
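The two points above, that a domain-validated certificate's Subject carries only the CN while a vetted certificate also names the business, and that the negotiated cipher strength matters regardless of certificate type, can be checked programmatically. The following is an added example, not code from the original article; it uses the dict shape that Python's ssl.SSLSocket.getpeercert() returns, with both sample certificates and the cipher tuples constructed for illustration.

```python
"""Inspect what a server certificate actually asserts (host only, or a vetted
business) and whether the session cipher is strong enough.  All sample data
below is constructed for illustration, mirroring getpeercert()'s layout."""

# Constructed sample: a domain-validated certificate. The Subject carries only
# a Common Name; no organisation, locality or country is asserted.
DV_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
    "issuer": ((("commonName", "Example DV CA"),),),
}

# Constructed sample: a certificate whose issuer vetted the business, so the
# Subject names the company as well as the host.
OV_CERT = {
    "subject": (
        (("countryName", "GB"),),
        (("localityName", "London"),),
        (("organizationName", "Example Ltd"),),
        (("commonName", "www.example.com"),),
    ),
    "subjectAltName": (("DNS", "www.example.com"),),
    "issuer": ((("commonName", "Example OV CA"),),),
}

def subject_fields(cert):
    """Flatten getpeercert()'s nested Subject tuples into a plain dict."""
    return {k: v for rdn in cert.get("subject", ()) for k, v in rdn}

def identity_level(cert):
    """'organisation' if the Subject names a vetted company, else 'domain-only'."""
    return "organisation" if "organizationName" in subject_fields(cert) else "domain-only"

def names_host(cert, hostname):
    """True if hostname is in the SAN list (or equals the CN when no SAN exists).
    Exact match only; wildcard names are deliberately not handled here."""
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return hostname in sans
    return subject_fields(cert).get("commonName") == hostname

def fit_for(cert, hostname, cipher, ecommerce):
    """Apply the article's rule of thumb: e-commerce needs a vetted business
    identity, and a session below 128 bits is too weak whatever the certificate.
    `cipher` is the (name, protocol, bits) tuple that SSLSocket.cipher() returns."""
    problems = []
    if not names_host(cert, hostname):
        problems.append("certificate does not name this host")
    if ecommerce and identity_level(cert) != "organisation":
        problems.append("domain-only certificate: business identity not verified")
    if cipher[2] < 128:
        problems.append(f"weak cipher negotiated ({cipher[2]} bits)")
    return problems
```

For a live connection, pass `sock.getpeercert()` and `sock.cipher()` from an `ssl`-wrapped socket in place of the constructed samples.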
I’d be interested to hear what types of certificates you use to protect various types of online resources. Do you feel Extended Validation offers any real benefit or is it just an attempt to increase the CA’s revenue? Do you consider domain-verified certificates good enough to cover services like Webmail or is an SGC certificate worth the extra investment? Leave a comment and share your views.