Difference between SSL products

I'm looking into getting a few SSL certificates for domains to cover the following:

  • autodiscover.example.com
  • remote.example.com
  • www.example.com

Wildcard certificates are too expensive, so I'm going to purchase a single certificate for each subdomain (I have enough IP addresses to go around).

My question is, what makes a $10 certificate better than a $100 certificate?

Take, for example, the GeoTrust product range. I know what an EV is (don't need it), and I know what a Secure Seal is (our users trust us already, so don't need that).

But why would I go for a QuickSSL for $69 when I can get a RapidSSL for $10? The only difference is "Brand Recognition" (Moderate to Medium) and insurance.

Can anyone shed any light on what they mean by "Brand Recognition"? Our public website is already well trusted by our users, and the other two subdomains are just for Outlook Anywhere (and thus won't be displayed in a browser).


Solution 1:

From the typical end user's perspective there is effectively no difference between most certificates. Some even call the SSL system a scam. Even the EV certificates don't really mean much to the typical end user over a cheap certificate. As long as the browser doesn't complain, most users are happy.

Unless you are running a bank, or have a large number of highly paranoid security professionals as customers, then I suggest you get the cheapest certificate you can.

Solution 2:

This really is a bit of a complex question to answer properly...

When you are purchasing an SSL certificate you are basically purchasing "trust", which obviously isn't a particularly easy product to turn into a commodity.

Allow me to elaborate a little bit. What does an SSL certificate imply at the end of the day?

To me, it means that some organization out there in the ether has taken the time to verify that you are who you say you are and vouch for your authenticity.

This was always the entire premise behind SSL, and historically when you wanted to obtain an SSL certificate there were only a couple of CAs (certificate authorities) out there who were capable of providing this service. They would go through quite a number of checks to verify that they were providing the SSL certificate to the correct entity (i.e., the owner or administrator of the domain) and that the organization using the domain was legitimately linked to the organization/company name. Naturally they were providing this service at an absolute premium... And why not? They were putting their name and reputation behind the authenticity of the companies they were verifying.

As time went on, more companies managed to get in on the action and had their root certificates bundled as part of commonly distributed browsers. As is the way with competition, some of these companies tried to differentiate themselves by dropping their pants on the prices. As part of this, some root CAs started offering "chained" certificates to other companies further down the line, who could then on-sell certificates chained to the root certificates... As a result of charging less, obviously the quality of the checks being completed by the cut-price providers was being reduced. These days, I would be surprised if many of the rapid/instant/quick/etc. SSL certificates are subject to ANY checks at all. Obviously, given that these checks and verifications aren't being done, the value in having one of these companies vouch for you is somewhat diminished (or non-existent)... but do end users even realize this? Do they care?

Most of the time, probably not.

As you've pointed out though, you already have the trust of your users anyhow... so assuming you're not getting any errors in your client applications, I personally would just go for the cheapest certificates around.

On the other hand, if I was running a bank with thousands of users, I'd pay top dollar for this verification.

HTH.
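To make the "chained" certificate model in the answer above concrete, here is an added example (not code from either answer or from GeoTrust) that builds a miniature hierarchy with openssl: a root CA of the kind a browser ships in its trust store, an intermediate "reseller" CA chained to it, and a leaf certificate for the three hostnames from the question. It then runs the check a client actually performs, which is only that the leaf chains to a trusted root; the only place the validation level (DV/OV/EV) is recorded is the certificate policies extension, using the CA/Browser Forum OIDs (2.23.140.1.2.1 for domain-validated, 2.23.140.1.2.2 for organization-validated, 2.23.140.1.1 for EV). The CA names are made up, and putting all three names in one subject alternative name extension is an assumption for the example, not something the question asked about.

```shell
#!/bin/sh
# Added example, not part of the original thread: build a root -> intermediate -> leaf
# chain with openssl and inspect what a client checks. Names and key sizes are
# illustrative; the policy OID 2.23.140.1.2.1 is the CA/Browser Forum DV identifier.
set -eu

# Build the three-tier hierarchy inside directory $1 (runs in a subshell so the
# caller's working directory is untouched).
build_chain() (
    mkdir -p "$1" && cd "$1"

    # 1. Self-signed root CA: the certificate that ends up in a browser's trust store.
    cat > root.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config root.cnf -extensions v3_ca -keyout root.key -out root.pem 2>/dev/null

    # 2. Intermediate CA "chained" to the root. pathlen:0 means it may issue
    #    end-entity certificates only, not further CAs.
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = Example Issuing CA\n' > int.cnf
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config int.cnf \
        -keyout int.key -out int.csr 2>/dev/null
    cat > int.ext <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 1825 -sha256 -extfile int.ext -out int.pem 2>/dev/null

    # 3. Leaf certificate issued by the intermediate. One certificate covers all three
    #    hostnames via subjectAltName; certificatePolicies records the validation level.
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = www.example.com\n' > leaf.cnf
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config leaf.cnf \
        -keyout leaf.key -out leaf.csr 2>/dev/null
    cat > leaf.ext <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:www.example.com, DNS:autodiscover.example.com, DNS:remote.example.com
certificatePolicies = 2.23.140.1.2.1
EOF
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -days 397 -sha256 -extfile leaf.ext -out leaf.pem 2>/dev/null
)

# What a browser does: succeed only if the leaf chains, through any untrusted
# intermediates it is handed, to a root it already trusts. Exit status 0 on success.
chain_verifies() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# The intermediate alone is not a trust anchor: without the root this fails, which is
# why a server must send the intermediate and the client must hold the root.
chain_verifies_without_root() {
    openssl verify -CAfile "$1/int.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Print the policy OID the issuer stamped into the leaf (the only machine-readable
# record of how much checking was done).
leaf_policy_oid() {
    openssl x509 -in "$1/leaf.pem" -noout -text \
        | grep -A1 'Certificate Policies' | tail -n1 | sed 's/^ *Policy: *//'
}

# Print the hostnames the leaf is valid for.
leaf_sans() {
    openssl x509 -in "$1/leaf.pem" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

# Demo when run directly.
demo_dir=$(mktemp -d)
build_chain "$demo_dir"
if chain_verifies "$demo_dir"; then echo "leaf -> intermediate -> root: OK"; fi
if chain_verifies_without_root "$demo_dir"; then echo "unexpected: verified without root"
else echo "intermediate alone is not trusted: verification fails, as expected"; fi
echo "validation-level policy OID: $(leaf_policy_oid "$demo_dir")"
echo "names covered: $(leaf_sans "$demo_dir")"
rm -rf "$demo_dir"
```

The practical check before buying: the issuer's intermediate must chain to a root that is present in the trust stores of the clients you care about (browsers for www, and the Windows/Outlook store for the Outlook Anywhere hosts); nothing in that check depends on price or "brand recognition". The policy OID is where the vetting level is actually recorded, so it is the field to look at when comparing what a cheap and an expensive product really assert about you.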