Comparison of SSL Certificates


My web application most definitely needs an SSL certificate.

I was looking into GoDaddy's: http://www.godaddy.com/ssl/ssl-certificates.aspx

The standard doesn't appear to have the lock in the URL bar, which a lot of users might not consider secure... How true is this? The Standard has https:// obviously in the bar, but is that enough to persuade users to want to enter in confidential information??

I'd appreciate any experience anyone has had with this, or any alternates they've dealt with. Is $100/year really the going rate for an SSL cert that has the lock in the URL bar?

Thanks SO!


There are 3 best solutions below

3
On BEST ANSWER

Standard SSL certs are JUST as secure, cryptographically, as the premium ones. The same algorithms/keys are used. The premiums just cost more because, supposedly, the certificate authority has spent a few extra microseconds pretending that they've verified your identity. It's mostly just a marketing ploy to suck extra $$$ out of clients for very little actual gain in security.

Most web users have no idea about SSL, or even know to look for the lock icon. They'll enter their personal information anywhere they think it'll benefit them somehow. Establishing a site's trustworthiness is far harder than just saying "hey, we've got SSL".

2
On

I think you mostly hit the nail on the head when you asked:

is that enough to persuade users to want to enter in confidential information??

But, really, the question should be:

is that enough to persuade MY users ...

As I started my reply, Marc B just posted his - and I agree with most of what he said - I think this is ultimately a marketing question that only you / your business can answer.

If you're eBay, and the lack of a lock icon in the address bar may turn away 0.01% of your customers - it's probably well worth the price.

If you're just starting out, and trying to keep expenses low - probably including one of those silly "Secured by GoDaddy SSL" or whatever icons / logos they have on your site is a good compromise.

GoDaddy Icons

1
On

As stated by others, the Extended Validation (EV) certificate is structurally similar to a standard Domain Validation (DV) certificate. The difference is not about securing the pipe between the browser and the site, but rather the level of diligence done by the Certificate Issuer in the process of granting a certificate.

Certificates are like passports. Saying that the certificates are the same is like saying two passports from two different countries have the same security features. It means they have the same protection against being forged. It doesn't, however, tell anything about whether the certificate/passport was issued to the right person. That's the difference between Domain and Extended validation certificates.

For example, I don't know the actual criteria used, but 'Domain Validated' means just that. Hey, we contacted you at an e-mail address with this domain and you're from that company, so here's the certificate that you paid for. Validated by domain.

By comparison, the extended validation would mean that maybe the certificate issuer contacted the legal department of the company that owns the domain requesting the certificate to verify that the requester is authorized to get a certificate for that domain. That way they can verify that just because you work at the company, you're not going to be able to get a certificate with the company's domain issued to you.

So, as others have stated, does that mean your users will know the difference and be paranoid enough about the information they're giving you to care? You may not know. If they're supposed to give financial information, I'd spring for the extra $$$. If not, it probably doesn't matter as much.
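
The answers above say that DV and EV certificates use the same cryptography and differ only in how the issuer validated the requester. The following added example (not part of any answer on this page) shows where that difference is recorded: the CA/Browser Forum policy OID in the certificate's Certificate Policies extension. It assumes the Python `cryptography` package; the certificates are self-signed samples constructed for the demonstration, and the `example.test` hostnames are placeholders.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# CA/Browser Forum policy OIDs a CA embeds to state how it validated the request.
VALIDATION_LEVELS = {
    "2.23.140.1.2.1": "DV",  # domain validated
    "2.23.140.1.2.2": "OV",  # organization validated
    "2.23.140.1.1": "EV",    # extended validation
}

def make_sample_cert(hostname, policy_oid):
    """Build a constructed, self-signed sample certificate (demo input only)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)])
    start = datetime.datetime(2024, 1, 1)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start)
        .not_valid_after(start + datetime.timedelta(days=90))
    )
    if policy_oid:  # None produces a certificate without a policy extension
        info = x509.PolicyInformation(x509.ObjectIdentifier(policy_oid), None)
        builder = builder.add_extension(x509.CertificatePolicies([info]), critical=False)
    return builder.sign(key, hashes.SHA256())

def validation_level(cert):
    """Return 'DV', 'OV' or 'EV' from the policy extension, else 'unknown'."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.CertificatePolicies)
    except x509.ExtensionNotFound:
        return "unknown"
    for policy in ext.value:
        level = VALIDATION_LEVELS.get(policy.policy_identifier.dotted_string)
        if level:
            return level
    return "unknown"

def crypto_profile(cert):
    """Curve, key size and signature hash: the parts that protect the connection."""
    key = cert.public_key()
    return (key.curve.name, key.key_size, cert.signature_hash_algorithm.name)
```

Calling `validation_level` on the two samples returns different labels while `crypto_profile` returns the same tuple for both, which is the distinction the passport analogy describes.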