[development] A Rose By Any Other Name... SSL Certs

Gordon Heydon gordon at heydon.com.au
Tue Mar 1 04:43:49 UTC 2011


I have a new client and they require me to get an SSL certificate. Ideally an EV certificate, because they deal with financial information (not credit cards) and would ideally require a higher level of identifiable security than what a standard certificate provides.

Usually for clients that do not really require any real security for their website and when a self signed certificate will do, I will use a free certificate from startssl.com; not only does it give the full security, their certificate authority is recognised by all browsers.

While grabbing a certificate for another client I noticed that they offer an EV certificate for US199 for 2 years, whereas thawte.com (who I usually use when I need a proper certificate) for the same certificate is $US995 for 2 years, and verisign is 1730 for the same.

I know that technically there is zero difference in security between the 2 providers and they will both provide the exact same levels of encryption.

The EV certificate from startssl.com is 1/5 of the price of one from thawte.com, so looking at that, it is much better financially. But the issue is really "trust". Thawte.com or even Verisign have a much higher level of trust than what startssl.com has. Would a normal person (not like us) really care about this?

Remember also, to provide an EV certificate you still need to meet some strict guidelines.

I am conflicted with this: on the one hand I can provide my client with a financially acceptable option that will give their clients a much higher level of identity, and make sure they are dealing with my client, but on the other hand it is not a thawte/verisign.

Comments please.

Thanks in advance.
