SSL Certificate Authority (CA) Reviews

[Shirty Girl]

Hello,

I am in the process of researching and buying a SSL Certificate for my e-commerce web-site so I can take payments via Protx's VSP Direct payment solution.

I have found a site reviewing the main CAs on - sslshopper dot com -

... but there do not seem to be that many reviews for each CA, so it may be misleading.

The prices vary a lot between CAs: I don't want to spend money unneccessarily but I don't want to buy something that doesn't do the job.

Does anyone have experience of CA companies? Can you give a positive / negative review of any of them? Particularly, I am interested in whether VeriSign is worth the money.

Does anyone have experience of SSL certificates more generally ? Can you give advice? Are they all pretty much the same?

Thanks for your help,

Helen

 

[ServWise]

To be honest they are all much of a muchness, what you should check is that the CA is a root CA, basically that it is listed in the root list of CA's in most common browsers.

I can recommend RapidSSL and GeoTrust from experience, they both use the Equifax Global CA and it is a highly trusted root certificate authority.

If your looking to provide more "Trust" for your visitors (I don't know what kind of data your looking to transfer) then the GeoTrust True BusinessID with EV is the one to go for (Turns your browser bar green in latest browsers), but it isn't cheap.

If you are just after having a secure SSL connection then just go for a bog standard RapidSSL it's just as secure as any other SSL certificate (Even the EV).

Remember the price increase is not about making it more secure it just about offering more "trust" see my blog entry for whats really what

http://www.servwise.com/blog-sam/index.php/2008/06/24/got-website-need-ssl/

We sell the RapidSSL for only £6.95 + Tax (the lowest price anywhere AFAIK) as well as lots of certificates from GeoTrust and SBS.

Visit http://www.servwise.com/en-us/SSL-certificates.php

 

[IH-Rameen]

Hello,

I am in the process of researching and buying a SSL Certificate for my e-commerce web-site so I can take payments via Protx's VSP Direct payment solution.

I have found a site reviewing the main CAs on - sslshopper dot com -

... but there do not seem to be that many reviews for each CA, so it may be misleading.

The prices vary a lot between CAs: I don't want to spend money unneccessarily but I don't want to buy something that doesn't do the job.

Does anyone have experience of CA companies? Can you give a positive / negative review of any of them? Particularly, I am interested in whether VeriSign is worth the money.

Does anyone have experience of SSL certificates more generally ? Can you give advice? Are they all pretty much the same?

Thanks for your help,

Helen

We use GeoTrust for our certificates. We provision them (have provisioned over 1,000 certs)..

Certificates have 2 primary functions.

1. Encrypt Communications

Certificates will encrypt the communication between your browser and the web server. Typically certs will use a 128bit keys, which is enough. Getting a more expensive certificate won't make the encryption anymore secure.

2. Verification

SSL certs are designed to verify the authenticity of the remote server (person your customers are sending details to). This is where price matters. Typically the more you pay, the more level of verification is performed, in turn the more trust your customers have in you.

That said, you need to consider how many will actually bother to check the certificate details.

A RapidSSL certificate will do basic domain verification, whereas extended certs and more expensive certs will go much deeper into verifying your business etc.

So really, I would recommend a GeoTrust cert. the type of cert you decide is more or less how much verification you want to perform and your budget.

You can have a look at our GeoTrust certificates here: http://innohosting.com/ssl.htm

Hope that helps

 

[mke]

Helen, it really depends upon what you are looking for. The facts are:

All of it is based upon an Open Source application called OpenSSL.

Browser proprietors appear only to recognise the more expensive ones - to the point where those involved in IT, especially in encryption, wonder where and how much money is changing hands. Perhaps there is some kind of message in that.

There is no more or less security between a chain and a server certificate but there is a higher charge and more recognition with a server cert. Which leaves us to assume that a server cert is more easily tracked - therefore probably less secure - by the certifying "authorities".

Those browsers that require certification to be "registered" with them throw some very nasty warnings which do actually deter buyers, forcing the hands of sellers to use their "recognised" authorities.

GeoTrust is about the cheapest of the server, recognised ones, CAcert is free and probably the best but the proprietary browsers don't make money that way.

Tell us what you need and we will give proper, honest advice. That includes offering the most cost effective of those that meet your needs, without sacrificing the amount of browser recognition you need.

 

[Shirty Girl]

Thank you for your responses.

I’d like to give you some more information about my business:

I sell Fairtrade, organic cotton t-shirts to a young (15-25) market via an e-commerce web-site. A powerfully branded product and customer perception of site security are key marketing objectives.

My site will be built around CubeCart by a web-designer I have already commissioned. I have secured a hosting package from HostPapa.

I have decided to go for a payment gateway option where customers stay on my site for the entire transaction process. I hope that this will make me seem established as an on-line retailer and contribute to meeting the objectives above. I don’t need a SSL certificate for any other reason.

The process for payments will be:

- Shopper visits vendor’s website
- Vendor passes transaction information (including credit card data) to Protx
- Protx confirms and validates transaction information and the shopper’s card details are authorised or declined by the bank
- Protx returns bank authorisation results back to vendor, who in turn completes the transaction with the shopper on their own website

To use this payment option I need:

A website - sorted
A merchant account - sorted
A fixed IP Address – available from HostPapa
A 128-bit digital certificate
Certification under the PCI audit.

My marketing research shows that site security is a key concern of internet shoppers, therefore I am interested in purchasing a SSL certificate with a company where I can exploit their brand (e.g. put a logo on my site) and provide the level of security I want.

Thanks again,

Helen

 

[mke]

They all have a logo you can put on your site, Helen. They like the extra exposure they get from their user bases.

As I said earlier, GeoTrust is about the cheapest of the widely recognised ones. We sell them and the cheaper, but less recognised RapidSSL. You could have a free trial for the latter to see if it works for you. PM me for more advice and prices.