[development] A Rose By Any Other Name... SSL Certs

António P. P. Almeida appa at perusio.net
Tue Mar 1 06:13:52 UTC 2011


On 1 Mar 2011 04h43 WET, gordon at heydon.com.au wrote:

> Hi,
>
> I have a new client and they require me to get an SSL
> certificate. Ideally an EV certificate because they deal with
> financial information (not credit cards) and would ideally require a
> higher level of identifiable security than what a standard
> certificate provides.
>
> Usually for clients that do not really require any real security for
> their website and when a self-signed certificate will do, I will use
> a free certificate from startssl.com; not only does it give the full
> security, their certificate authority is recognised by all browsers.
>
> While grabbing a certificate for another client I noticed that they
> offer an EV certificate for US199 for 2 years, whereas thawte.com
> (who I usually use when I need a proper certificate) for the same
> certificate is $US995 for 2 years, and verisign is 1730 for the
> same.
>
> I know that technically there is zero difference in security between
> the 2 providers and they will both provide the exact same levels of
> encryption.
>
> The EV certificate from startssl.com is 1/5 of the price of one from
> thawte.com, so looking at it, it is much better financially, but the
> issue is really "trust". Thawte.com or even Verisign have a much
> higher level of trust than what startssl.com has. Would a normal
> person (not like us) really care about this?
>
> Remember also, to provide an EV certificate you still need to meet
> some strict guidelines.
>
> I am conflicted with this, on the one hand I can provide my client
> with a financially acceptable option that will give their clients a
> much higher level of identity, and make sure they are dealing with
> my client, but on the other hand it is not a thawte/verisign.
>
> Comments please.

StartSSL is now a recognized CA. It's available in all browsers AFAIK,
so why the doubts? There might be a difference in the indemnity they
provide in case of losses resulting from certificate malfunction. If
that is the case ask your client if that's acceptable. Make your
decision based on that.

Don't know how (in)complete this table is:

https://secure.wikimedia.org/wikipedia/en/wiki/Comparison_of_SSL_certificates_for_web_servers

--- appa
