Choosing the right SSL certificate

We're looking to purchase some SSL certificates to secure the login pages of ecommerce sites. It is not required to secure the actual payment process, as this is protected by a third party with its own Verisign certificate. RapidSSL looks like a good (and cheap) option, but a salesperson has told me that they are only suitable for "test sites" and recommended that we use one that is 4 times the cost. Can anyone make any recommendations about what we should be looking for and what we should consider?

Thanks.


Solution 1:

Certificates are, regardless of what sales people say, objectively pretty much all the same with regards to encryption. They all enable 'good enough' encryption, which really mostly depends on the configuration of the web servers, and somewhat on the capabilities of the browser. The US ban on exporting strong encryption was lifted some years ago, so today pretty much all browsers will support 128-bit Twofish or AES encryption, if the server proposes this. (Surprisingly many servers still use 56-bit DES, RC4 or other weaker schemes, due to ignorance of the sysadmin, or to lower CPU load on the server.)

The problem of long daisy-chained certificate trust relationships is also pretty much gone. Most browsers today have a fairly complete set of pre-installed trusted CAs. Open your browser's cert UI to see yours (Firefox 3: Tools > Options > Advanced > Encryption > View Certificates).

From time to time you can find promotions where resellers offer Comodo, Digicert or similar certificates for ~20 USD or so.

The level of 'trust' your site inspires in customers may be a consideration. Arguably, a Verisign site seal and the green Extended Validation bar in compliant browsers are better than simple 128-bit encryption with a certificate from GoDaddy. It's hard to tell; it will depend a lot on your user demographics, age, computer literacy et cetera.

One thing: It can be beneficial to keep your DNS Whois information accurate, as it is a big part of how CAs verify you before issuing a certificate. I would imagine that getting your certificate from someone you're already doing business with, such as your web host / DNS registrar, is easier than getting verified by Comodo, Thawte etc.

So my proposal is to assess your users, and whether a more 'trustworthy' branding on the site seal will create more sales. And then do one of the following:

  • Get the cheapest 128-bit certificate you can from a reseller / DNS registrar / whoever with whom you already have an account. Maybe investigate briefly who signs the cert, and what the root CA is, but don't sweat it unless it is a pretty obscure CA chain.
  • Get a Verisign or similar well-known (and bloody expensive) SSL cert with good brand value, and display their site seal prominently. Consider going for an Extended Validation cert.

The "Extended Validation" certificates add some value IMHO, because the browsers visually assure users that everything is OK with the green address bar, prominent company name etc. Unfortunately, these certificates are also expensive, and more annoying to get validated for.

Solution 2:

I can definitely understand your confusion because it is a bit of a confusing area. As others have said here, generally a certificate is a certificate and provides the same level of protection and looks the same to end users. However, there are differences, mostly regarding levels of verification.

Verification Levels

There are three basic levels of verification: domain only; domain and business; and domain, business and identity of representative. Domain only is actually quite weak authentication when you think about it: it doesn't prove you are who you say you are or that you have the right to use the brand. However, most end-users won't know the difference, and they will see the locked icon. Domain and business is what is typically provided, and they normally require something trivial like a corporate credit card to verify you are the business in question.

Extended Verification is the new standard that requires extra steps by the CA to verify you are actually who you say you are and are the legal entity allowed to trade under that name. See Wikipedia's entry for more details. In Firefox an EV certificate will show as a green box slightly to the left of the URL itself with the company name.

Indemnity

Each SSL provider will give different indemnity insurance should someone else fraudulently use either your certificate or your domain with a certificate coming from the same CA. I think it's very rare that people actually need to go down this path.

Coverage across browsers

Typically all major SSL providers will be supported on all major OSes out of the box straight away. Some may require you to serve an intermediate chain bundle, which can be a hassle.

Revocation

Not all CAs support the ability to revoke certificates; surprisingly to me, when I last looked at this only a handful had certificate revocation URLs listed. If you're serious about your security, pick one that does have a revocation URL.

Summary

Your needs sound basic and simple, I would recommend you purchase something cheap. RapidSSL, InstantSSL, GoDaddy or any of the other large players are all fine.
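Added Python example (not from either answer) that applies the checks this answer lists to one certificate: whether the subject carries an organization (domain-only versus business validation), whether revocation URLs are present, and whether a client can fetch a missing intermediate. It works on the dict format that Python's ssl.SSLSocket.getpeercert() returns; the sample certificate data, its names and URLs, and the fixed "now" are all constructed for the example.

```python
import ssl
import time

# Constructed sample in the dict format that ssl.SSLSocket.getpeercert()
# returns; names, URLs and dates are made up for this example.
SAMPLE_CERT = {
    "subject": ((("countryName", "GB"),), (("organizationName", "Example Shop Ltd"),),
                (("commonName", "shop.example.test"),)),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example CA OV"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
    "subjectAltName": (("DNS", "shop.example.test"), ("DNS", "*.example.test")),
    "OCSP": ("http://ocsp.example-ca.test/",),
    "caIssuers": ("http://ca.example-ca.test/intermediate.crt",),
    # No "crlDistributionPoints" key: this (made-up) issuer publishes OCSP only.
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun 30 00:00:00 2024 GMT")  # fixed "now" for the sample

def _dns_match(pattern, host):
    """RFC 6125 style name match: a wildcard only stands in for the leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def _rdn(name, field):
    """Collect one attribute (e.g. organizationName) from a subject/issuer tuple."""
    return [v for rdn in name for k, v in rdn if k == field]

def assess_certificate(cert, hostname, now=None):
    """Apply the checks from the answer above to one getpeercert()-style dict."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    return {
        # Browsers match the hostname against the SAN list, not the CN.
        "covers_hostname": any(_dns_match(p, hostname) for p in sans),
        # A subject with no organizationName is a domain-validated certificate;
        # EV status lives in the certificate policy OIDs, which this dict lacks.
        "validation": "organization" if _rdn(cert["subject"], "organizationName") else "domain",
        # Revocation checking needs at least one OCSP responder or CRL URL.
        "revocation_urls": list(cert.get("OCSP", ())) + list(cert.get("crlDistributionPoints", ())),
        # caIssuers lets a client fetch a missing intermediate (AIA fetching).
        "intermediate_urls": list(cert.get("caIssuers", ())),
        "currently_valid": not_before <= now <= not_after,
        "days_remaining": int((not_after - now) // 86400),
    }
```

On a live connection the same dict comes from `ssl.create_default_context().wrap_socket(sock, server_hostname=host).getpeercert()`, so the function can be pointed at a real server once you are satisfied with it on the sample.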