[BNM] secure server SSL certificate advice

Robert J Shepherd, Screen Play bnmlist@brightonnewmedia.org
Thu Mar 27 12:22:53 2003

There is no such thing as a free lunch.

Firstly Thawte (owned by Verisign) is cheaper than Verisign, so that's worth bearing in mind.

But secondly, yes, there are new kids on the block, apparently offering lower prices. Comodo's InstantSSL (www.instantssl.com) is one of the better known examples, with an advertised initial price of only $49, against Thawte's $199. However, this includes a warranty of only $50 and no TrustLogo, without which the certificate is of little practical commercial use. To get the TrustLogo, and the fast-track you mentioned, costs $119 per domain name.

OK, that's still cheaper. But then you get into the nature of the certificate. We did some research into this whole question a couple of months ago and found this:-

* The newcomers are very new and have yet to prove that they'll still be around - and still have public confidence - in years to come, which is a fairly vital attribute. For example, when we looked, Comodo (and others) had yet to pass the Web Trust Audit, which could well become the standard for all Certificate Authorities this year. What will happen to the companies that don't pass it? Bad press? Loss of public confidence? Revocation of authority? And what will happen to the sites they've certified? There could be quite an unholy (and expensive) mess in trying to move the domain names to another Authority. And meanwhile, ISPs and site producers who've recommended them to clients will have a lot of grovelling to do, to keep their clients.

* The authentication procedures vary from supplier to supplier. Thawte/Verisign uses third party validation and authentication on all information provided by the applying entity. Others (again including Comodo) just check the domain name against the whois list. This leaves a lot of room for fraud ... and if fraud is ever perpetrated and discovered on any kind of scale because of this poor authentication, certificates from those suppliers could become commercially worthless.

* Don't believe that you're getting full 128-bit certification from the cheap guys, despite what they say. Thawte's & Verisign's 128-bit Supercerts are true 128-bit: most (if not all) others say they're 128-bit but mean *up to* 128-bit, depending on the version/age of your browser, and are therefore only the equivalent of the Thawte/Verisign standard offerings.

This all sounds like PR for Thawte. It isn't. Personally, I don't very much like Veri$ign and its subsidiaries (particularly Network $olutions). But in the same way that we may call Micro$oft names but still acknowledge the necessity of using their products, so I believe it behoves us to place SSL trust with those who've best proved their trustworthiness.

>-----Original Message-----
>From: Simon [mailto:BNM@sussexweb.co.uk]
>Sent: 27 March 2003 10:36
>To: bnmlist@brightonnewmedia.org
>Subject: [BNM] secure server SSL certificate advice
>We need to have an SSL certificate for a client's server.
>In the good old days of old I would have automatically gone for Verisign,
>but I'm told there are others out there now that are a) cheaper and b)
>quicker to get sorted out.
>Any suggestions?