A Rose By Any Other Name... SSL Certs
Hi,
I have a new client and they require me to get an SSL certificate. Ideally an EV certificate because they deal with financial information (not credit cards) and would ideally require a higher level of identifiable security than what a standard certificate provides.
Usually for clients that do not really require any real security for their website and when a self-signed certificate will do, I will use a free certificate from startssl.com; not only does it give the full security, their certificate authority is recognised by all browsers.
While grabbing a certificate for another client I noticed that they offer an EV certificate for US199 for 2 years, whereas thawte.com (who I usually use when I need a proper certificate) for the same certificate is $US995 for 2 years, and verisign is 1730 for the same.
I know that technically there is zero difference in security between the 2 providers and they will both provide the exact same levels of encryption.
The EV certificate from startssl.com is 1/5 of the price of one from thawte.com, so looking at that it is much better financially, but the issue is really "trust". Thawte.com or even Verisign have a much higher level of trust than what startssl.com has. Would a normal person (not like us) really care about this?
Remember also that to provide an EV certificate you still need to meet some strict guidelines.
I am conflicted with this: on the one hand I can provide my client with a financially acceptable option that will give their clients a much higher level of identity, and make sure they are dealing with my client, but on the other hand it is not a thawte/verisign.
Comments please.
Thanks in advance.
Gordon.
On 1 Mar 2011 04h43 WET, gordon@heydon.com.au wrote:
> Hi,
> I have a new client and they require me to get an SSL certificate. Ideally an EV certificate because they deal with financial information (not credit cards) and would ideally require a higher level of identifiable security than what a standard certificate provides.
> Usually for clients that do not really require any real security for their website and when a self-signed certificate will do, I will use a free certificate from startssl.com; not only does it give the full security, their certificate authority is recognised by all browsers.
> While grabbing a certificate for another client I noticed that they offer an EV certificate for US199 for 2 years, whereas thawte.com (who I usually use when I need a proper certificate) for the same certificate is $US995 for 2 years, and verisign is 1730 for the same.
> I know that technically there is zero difference in security between the 2 providers and they will both provide the exact same levels of encryption.
> The EV certificate from startssl.com is 1/5 of the price of one from thawte.com, so looking at that it is much better financially, but the issue is really "trust". Thawte.com or even Verisign have a much higher level of trust than what startssl.com has. Would a normal person (not like us) really care about this?
> Remember also that to provide an EV certificate you still need to meet some strict guidelines.
> I am conflicted with this: on the one hand I can provide my client with a financially acceptable option that will give their clients a much higher level of identity, and make sure they are dealing with my client, but on the other hand it is not a thawte/verisign.
> Comments please.
StartSSL is now a recognized CA. It's available in all browsers AFAIK, so why the doubts?
There might be a difference in the indemnity they provide in case of losses resulting from certificate malfunction. If that is the case, ask your client if that's acceptable. Make your decision based on that.
Don't know how (in)complete this table is: https://secure.wikimedia.org/wikipedia/en/wiki/Comparison_of_SSL_certificate...
--- appa
On Tuesday 01 March 2011, Gordon Heydon wrote:
> Hi,
> I have a new client and they require me to get an SSL certificate. Ideally an EV certificate because they deal with financial information (not credit cards) and would ideally require a higher level of identifiable security than what a standard certificate provides.
> Usually for clients that do not really require any real security for their website and when a self-signed certificate will do, I will use a free certificate from startssl.com; not only does it give the full security, their certificate authority is recognised by all browsers.
> While grabbing a certificate for another client I noticed that they offer an EV certificate for US199 for 2 years, whereas thawte.com (who I usually use when I need a proper certificate) for the same certificate is $US995 for 2 years, and verisign is 1730 for the same.
> I know that technically there is zero difference in security between the 2 providers and they will both provide the exact same levels of encryption.
> The EV certificate from startssl.com is 1/5 of the price of one from thawte.com, so looking at that it is much better financially, but the issue is really "trust". Thawte.com or even Verisign have a much higher level of trust than what startssl.com has. Would a normal person (not like us) really care about this?
> Remember also that to provide an EV certificate you still need to meet some strict guidelines.
> I am conflicted with this: on the one hand I can provide my client with a financially acceptable option that will give their clients a much higher level of identity, and make sure they are dealing with my client, but on the other hand it is not a thawte/verisign.
> Comments please.
What they would be paying for is the right to use the Thawte/Verisign logo on their site. If your client thinks this is important then so be it, they will have to pay.
> Thanks in advance.
> Gordon.
--
-----------------
Bob Hutchinson
Midwales dot com
-----------------
The way I approach things like this is that I am not a permanent employee of the company, therefore I do not acquire assets for the company if that asset outlives my tenure. I do this whether that asset has a cost or not. I won't even get a Google Analytics key, which is free. Someone who is permanently with the company must acquire it and provide me with the usage information, such as keys. What are they going to do when that certificate expires, call you back for ten minutes of work?
Nancy
Injustice anywhere is a threat to justice everywhere. -- Dr. Martin L. King, Jr.
________________________________
From: Gordon Heydon <gordon@heydon.com.au>
To: Drupal Development <development@drupal.org>
Sent: Mon, February 28, 2011 11:43:49 PM
Subject: [development] A Rose By Any Other Name... SSL Certs
Hi,
I have a new client and they require me to get an SSL certificate. Ideally an EV certificate because they deal with financial information (not credit cards) and would ideally require a higher level of identifiable security than what a standard certificate provides.
Usually for clients that do not really require any real security for their website and when a self-signed certificate will do, I will use a free certificate from startssl.com; not only does it give the full security, their certificate authority is recognised by all browsers.
While grabbing a certificate for another client I noticed that they offer an EV certificate for US199 for 2 years, whereas thawte.com (who I usually use when I need a proper certificate) for the same certificate is $US995 for 2 years, and verisign is 1730 for the same.
I know that technically there is zero difference in security between the 2 providers and they will both provide the exact same levels of encryption.
The EV certificate from startssl.com is 1/5 of the price of one from thawte.com, so looking at that it is much better financially, but the issue is really "trust". Thawte.com or even Verisign have a much higher level of trust than what startssl.com has. Would a normal person (not like us) really care about this?
Remember also that to provide an EV certificate you still need to meet some strict guidelines.
I am conflicted with this: on the one hand I can provide my client with a financially acceptable option that will give their clients a much higher level of identity, and make sure they are dealing with my client, but on the other hand it is not a thawte/verisign.
Comments please.
Thanks in advance.
Gordon.
On Tuesday 01 March 2011, nan wich wrote:
> The way I approach things like this is that I am not a permanent employee of the company, therefore I do not acquire assets for the company if that asset outlives my tenure. I do this whether that asset has a cost or not. I won't even get a Google Analytics key, which is free. Someone who is permanently with the company must acquire it and provide me with the usage information, such as keys. What are they going to do when that certificate expires, call you back for ten minutes of work?
With Rapidssl (now Startssl) it is the Administrative Contact in whois that has to acquire the cert and it is that phone number, address and email address that will be used. I imagine that it is something similar with Thawte/Verisign.
> Nancy
> Injustice anywhere is a threat to justice everywhere. -- Dr. Martin L. King, Jr.
> ________________________________
> From: Gordon Heydon <gordon@heydon.com.au>
> To: Drupal Development <development@drupal.org>
> Sent: Mon, February 28, 2011 11:43:49 PM
> Subject: [development] A Rose By Any Other Name... SSL Certs
> Hi,
> I have a new client and they require me to get an SSL certificate. Ideally an EV certificate because they deal with financial information (not credit cards) and would ideally require a higher level of identifiable security than what a standard certificate provides.
> Usually for clients that do not really require any real security for their website and when a self-signed certificate will do, I will use a free certificate from startssl.com; not only does it give the full security, their certificate authority is recognised by all browsers.
> While grabbing a certificate for another client I noticed that they offer an EV certificate for US199 for 2 years, whereas thawte.com (who I usually use when I need a proper certificate) for the same certificate is $US995 for 2 years, and verisign is 1730 for the same.
> I know that technically there is zero difference in security between the 2 providers and they will both provide the exact same levels of encryption.
> The EV certificate from startssl.com is 1/5 of the price of one from thawte.com, so looking at that it is much better financially, but the issue is really "trust". Thawte.com or even Verisign have a much higher level of trust than what startssl.com has. Would a normal person (not like us) really care about this?
> Remember also that to provide an EV certificate you still need to meet some strict guidelines.
> I am conflicted with this: on the one hand I can provide my client with a financially acceptable option that will give their clients a much higher level of identity, and make sure they are dealing with my client, but on the other hand it is not a thawte/verisign.
> Comments please.
> Thanks in advance.
> Gordon.
--
-----------------
Bob Hutchinson
Midwales dot com
-----------------