I want to buy a 128-bit SSL certificate for a website selling services. I checked http://www.rapidssl.com/ssl-certificate-products/ssl-certificate.htm and http://www.geotrust.com/ssl/compare-ssl-certificates.html. Why are the prices for QuickSSL (Geotrust, $249) and RapidSSL (rapidSSL, $69) so different? Is there any particular reason for this or is it just marketing?

RapidSSL says the following:

However it is our opinion that sites conducting more than 50 transactions will require a Professional Level SSL certificate due to the increased likelihood that the website's customers will expect SSL from a highly credible and established SSL provider and well known internationally accepted SSL brand.

(By "professional level SSL" they mean Geotrust certs.)

P.S. Will users really pay attention to the SSL issuing authority brand name?

+1  A: 

They both do the same job, just brand perception I guess.

Honestly, I don't think the end user would even notice. As long as they see the little padlock they will be happy.

P.S. GoDaddy certs are cheaper.

Thanks a lot for your reply, I was also thinking that clients wouldn't even check who issued the certificate if their browsers trust the CA.
Vitaly Sharovatov
+2  A: 

The job of the SSL certificate authority (CA)/provider is to validate your organizational identity so that when customers access your web site, they not only get the padlock for security, but they know that your identity as the fully qualified hostname is authentic and not some phishing scam.

True, most all users look no further than the padlock indicating a secure connection to their bank web site, email, etc. However, if the CA were to become compromised, all their customers' certs are vulnerable to man-in-the-middle attacks such that an interceptor can decrypt the secure channel in real time to capture confidential information. I have yet to hear about this actually happening, but it is a risk that may one day occur as certificate prices drop. MITM attacks are a big deal now with wireless hotspots becoming more and more prevalent.

One more thing is browser compatibility. You would expect that your newly purchased cert be compatible with every modern browser. This is because they are all loaded with a list of root CA certs that trust a select list of SSL certificate authorities. If you buy from a CA that is not on that list, all your client browsers will get a security warning that the site's cert is not trusted. Just double-check that RapidSSL, Geotrust, or whoever you go with is in the list of all the browsers you care about. (E.g. for Firefox, it's at Tools/Options/Advanced/Encryption/View Certificates/Authorities tab.)

In the end, just get the cheapest one that gives you the level of encryption you want. It'll get the job done. Check with your web host provider. They may have discounts.

spoulson
Thanks for the detailed and good answer!
Vitaly Sharovatov
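A scripted version of the trust-list check described in the answer above, as an added example that is not part of the original thread: it searches the root store that Python's OpenSSL build loads (not a browser's own list, which can differ) for a CA name and flags roots that have already expired. The sample store and its CA names are constructed; `find_roots` and `system_roots` are names chosen for this example.

```python
import ssl
import sys
import time

# Constructed sample in the shape ssl.SSLContext.get_ca_certs() returns.
# The CA names are made up for this example.
SAMPLE_STORE = [
    {"subject": ((("organizationName", "Example Trust Services"),),
                 (("commonName", "Example Global Root CA"),)),
     "notAfter": "Jan  1 00:00:00 2040 GMT"},
    {"subject": ((("organizationName", "Example Trust Services"),),
                 (("commonName", "Example Legacy Root"),)),
     "notAfter": "Jan  1 00:00:00 2015 GMT"},
    {"subject": ((("organizationName", "Other Authority Ltd"),),
                 (("commonName", "Other Root R1"),)),
     "notAfter": "Jun 30 12:00:00 2035 GMT"},
]

def _subject(cert):
    """Flatten the nested RDN tuples of a cert dict into {field: value}."""
    return {key: value for rdn in cert.get("subject", ()) for key, value in rdn}

def find_roots(ca_certs, name, now=None):
    """Return sorted (organization, common_name, still_valid) tuples for
    every root whose organization or common name contains `name`."""
    now = time.time() if now is None else now
    wanted = name.casefold()
    hits = set()
    for cert in ca_certs:
        subj = _subject(cert)
        org = subj.get("organizationName", "")
        cn = subj.get("commonName", "")
        if wanted in org.casefold() or wanted in cn.casefold():
            # A root that is listed but past notAfter no longer validates chains.
            valid = ssl.cert_time_to_seconds(cert["notAfter"]) > now
            hits.add((org, cn, valid))
    return sorted(hits)

def system_roots():
    """Roots loaded for this Python's default TLS context. Can be empty on
    systems that use a capath directory, where roots are loaded lazily."""
    return ssl.create_default_context().get_ca_certs()

if __name__ == "__main__":
    term = sys.argv[1] if len(sys.argv) > 1 else "GeoTrust"
    for org, cn, valid in find_roots(system_roots(), term):
        print(f"{org} / {cn}: {'valid' if valid else 'EXPIRED'}")
```

An empty result from `system_roots()` does not prove the CA is untrusted; on such systems, or for a browser with its own store, check that store directly.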
A: 

I know this has an accepted answer already, but there is another aspect.

The more expensive SSL certificates usually have a better warranty when it comes to fraud. A lower cost SSL cert may cover $10,000 worth of fraud whereas a higher cost SSL cert may cover you for $100,000, for example.

Robert Rouse