Why are there so many different SSL types?

Ricky Spanish

New Member
I was looking at different SSL Certificate options last night and noticed there are many different types available at many different price ranges. Why are some $10/YR, and others $500/YR? I know their protection level differs, but what is preventing a $10/YR certificate from having the same features as a more expensive one? Is it just to create perceived value to sell more expensive ones or is there a real reason?
 

D. Strout

Resident IPv6 Proponent
Several things: the cheaper certificates are just for basic encryption that won't freak out browsers. Stepping up from that, you get wildcard, which costs more because of more "surface area". More expensive ones include features like SGC, which upgrades the cryptography levels on the server by some magic - which shouldn't be necessary these days. See the linked article for more. Even more expensive ones include EV, which produces the green bar. This, I'm sure you know. But a further "feature" is warranty. Generally, the more expensive, the more warranty you get. Warranties aren't worth much, IMHO, because basically it's "if our cryptography fails and you lose customer data, this is how much we'll pay out". Modern cryptography should pretty much preclude such failures, except for stuff like heartbleed, which would not be the CA's fault.
 
One thing that I've always fought with the IETF since the mid 90s was the use of CAs.. how many of you actually have looked through the CA list? I don't trust them, and neither should you.
 

MannDude

Just a dude
vpsBoard Founder
Moderator
> One thing that I've always fought with the IETF since the mid 90s was the use of CAs.. how many of you actually have looked through the CA list? I don't trust them, and neither should you.
Why is that? I'm pretty ignorant on the subject too, so if you can explain it to me like I am five, that'd be much appreciated. :)
 

Ricky Spanish

New Member
> Several things: the cheaper certificates are just for basic encryption that won't freak out browsers. Stepping up from that, you get wildcard, which costs more because of more "surface area". More expensive ones include features like SGC, which upgrades the cryptography levels on the server by some magic - which shouldn't be necessary these days. See the linked article for more. Even more expensive ones include EV, which produces the green bar. This, I'm sure you know. But a further "feature" is warranty. Generally, the more expensive, the more warranty you get. Warranties aren't worth much, IMHO, because basically it's "if our cryptography fails and you lose customer data, this is how much we'll pay out". Modern cryptography should pretty much preclude such failures, except for stuff like heartbleed, which would not be the CA's fault.
Thank you, that helps. The warranty thing makes sense too.
 

dano

New Member
At places I have worked, we didn't have an "extended validation" SSL cert, and we did over 1 billion a year in sales that year, and the next year (online). At other places I have "walked the halls of", an EV cert didn't matter and they still didn't sell anything to keep afloat for the year (bye bye startup).

To be honest, I think a Namecheap 1.99 cent Positive SSL cert should work fine for most folks, and once you're making real money, and have more capital to blow, you can move on to a wildcard or EV...but I don't think EV makes people hit the "Checkout" button, it only makes them feel a hair better, for those that do notice...prolly 1 in 10.

Otherwise, the subject of CAs -- yes, I have reviewed them...and yes, I feel similar, how can we just "trust" these "supposed" secure entities? At the end of the day, we are just hoping that the CA has their ducks in a row and the root is secure, and the cypher is keeping the bits from being read by the bad guys.
 

JFSG

New Member
Verified Provider
The expensive certificates generally involve a more thorough screening of the organisation behind the website. This involves man-hours. However, the only certs I know of that are >$500 are either wildcard certificates or those from Symantec. They are selling the brand more than selling the cert.
 

Schultz

New Member
Regular certificate - Offers basic SSL. No real verification. Limited in terms of functionality.

Wildcard certificate - Allows you to, for the most part: have SSL on subdomains, for example - SUBDOMAIN.MyDomain.com. No documents need to be submitted.

Extended Validation (EV) - Better protection, insurance & encryption. Also you get the "green bar" in your browser. Requires detailed verification & documents submitted to SSL issuer.

(note: I might've missed a few classes, but for the most part, I remember it that way)

SSL certificates can range in prices depending on the issuer, security of the certificate, algorithm used, browser compatibility rates & more. Choosing an appropriate SSL certificate depends on your personal needs. If you were for example running a small website, no financial transactions & just wanted an SSL certificate, a regular cert will suffice - on the other hand, if you were running a website that accepted financial transactions, you would want an EV certificate.

Also, the big difference between a regular certificate & an EV certificate is that the EV has to be manually reviewed and all documents authenticated by the SSL issuer.
 

Abdussamad

New Member
What matters more than how much you spent on the cert is how you installed it. Quite a few hosts here have incorrectly installed SSL certs. They don't check them using online tools. If they did, they would see that they are missing an intermediate cert. It won't show up when browsing because your browser has encountered the intermediate cert on other sites and cached it. But if someone were to use a fresh browser profile, they would see an error message.
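The missing-intermediate failure described in the post above, reproduced offline as an added example (not part of the original thread): a leaf certificate is verified the way a client with nothing cached would, first alone and then with the intermediate the server should have sent. The Demo Root CA, Demo Intermediate CA and www.example.test names and all keys are constructed locally; the `openssl` CLI is assumed to be installed.

```shell
#!/usr/bin/env bash
# Constructed chain: Demo Root CA -> Demo Intermediate CA -> www.example.test
# Everything is generated locally for this demo; nothing touches the network.

make_chain() {  # $1 = empty working directory
  local d=$1
  cat > "$d/x.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.test
EOF
  # Root: self-signed, plays the role of a CA already in the client's trust store.
  openssl req -x509 -config "$d/x.cnf" -extensions ca -newkey rsa:2048 -nodes \
    -days 2 -subj "/CN=Demo Root CA" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # Intermediate: signed by the root; this is the cert the server must send.
  issue "$d" root int ca "/CN=Demo Intermediate CA"
  # Leaf: signed by the intermediate, not directly by the root.
  issue "$d" int leaf leaf "/CN=www.example.test"
}

issue() {  # dir, issuer name, subject name, extension section, subject DN
  openssl req -new -config "$1/x.cnf" -newkey rsa:2048 -nodes -subj "$5" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -extfile "$1/x.cnf" -extensions "$4" -days 2 \
    -out "$1/$3.pem" 2>/dev/null
}

# Verify a leaf with only the root trusted, as a fresh browser profile would.
# $3 (optional) = the extra certificates the server sent alongside the leaf.
verify_fresh() {  # root.pem, leaf.pem, [sent-intermediates.pem]
  openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" >/dev/null 2>&1
}

demo() {
  local d; d=$(mktemp -d) && make_chain "$d" || return 2
  if verify_fresh "$d/root.pem" "$d/leaf.pem"; then echo "leaf only: OK"
  else echo "leaf only: FAIL (issuer not found)"; fi
  if verify_fresh "$d/root.pem" "$d/leaf.pem" "$d/int.pem"; then echo "leaf + intermediate: OK"
  else echo "leaf + intermediate: FAIL"; fi
  rm -rf "$d"
}
demo
```

Against a live host, `openssl s_client -connect HOST:443 -showcerts` lists the certificates the server actually sends; a correctly installed cert shows the leaf followed by its intermediate.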
 