SSL Certificate Scam – Yay or Nay?

Let me preface this post by saying that I could be completely wrong… I just want to rant and say that those expensive Extended Validation SSL certificates are a big scam! Every certificate authority offers some sort of Extended Validation certificate, and it usually costs two to three, or even ten, times as much as a normal certificate. So these certificates are more secure, right? NO!

Verisign currently offers four different types of SSL certificates; the highest priced is $1500/yr (with a multi-year discount) and the cheapest is $400/yr. So the $1500 version is more secure than the $400 version, right? Well, it depends on what you mean by “more secure”. The simplest answer is no! Each of these SSL certificates can have an encryption level up to 256-bit (pretty much the highest available to date). What does that mean? Well, basically, if a person orders a 256-bit cert, it would take a hacker a billion years to crack. What I don’t understand is that Verisign actually allows people to order 40-bit SSL certs with their cheapest and third most expensive certificates (which is much less secure). So what do you get with the most expensive SSL certs? Well, the person ordering one gets a bunch of services, none of which affects the actual SSL certificate.
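To make the point concrete: the strength of the encryption on a TLS session is decided by the server's cipher policy negotiated in the handshake, and the same certificate serves a 256-bit or a 128-bit policy unchanged. This is an added example, not code from the original post; it uses only Python's standard `ssl` module, and the two policy names and cipher strings are constructed for illustration.

```python
import ssl

# Constructed example: two cipher policies a server operator might choose.
# Both authenticate with the same RSA certificate; only the negotiated
# symmetric strength differs. Names are hypothetical, not from the post.
POLICIES = {
    "aes256": "ECDHE-RSA-AES256-GCM-SHA384",   # 256-bit AES, ephemeral ECDH
    "aes128": "ECDHE-RSA-AES128-GCM-SHA256",   # 128-bit AES, same certificate
}


def tls12_ciphers(cipher_spec):
    """Return the TLS 1.2 suites a server context would offer under cipher_spec."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_spec)          # OpenSSL cipher-list syntax
    except ssl.SSLError as exc:
        raise ValueError(f"no cipher matches {cipher_spec!r}") from exc
    # TLS 1.3 suites are fixed 128/256-bit AEADs and are not governed by
    # set_ciphers(), so drop them to show the effect of the policy itself.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def strength_summary(cipher_spec):
    """Weakest/strongest symmetric strength the policy allows, whether every
    suite uses an ephemeral (forward-secret) key exchange, and which
    certificate key types the suites can authenticate with."""
    ciphers = tls12_ciphers(cipher_spec)
    bits = sorted({c["strength_bits"] for c in ciphers})
    return {
        "min_bits": bits[0],
        "max_bits": bits[-1],
        # 'kea' is OpenSSL's key-exchange name, e.g. 'kx-ecdhe' or 'kx-rsa'
        "forward_secrecy": all(c["kea"] in ("kx-ecdhe", "kx-dhe") for c in ciphers),
        # 'auth' names the certificate key type, e.g. 'auth-rsa'
        "cert_key_types": sorted({c["auth"] for c in ciphers}),
    }


def weak_suites(cipher_spec, min_bits=128):
    """Suites below min_bits: the check to run against a real server cipher string."""
    return [c["name"] for c in tls12_ciphers(cipher_spec)
            if c["strength_bits"] < min_bits]


if __name__ == "__main__":
    for label, spec in POLICIES.items():
        print(label, strength_summary(spec), weak_suites(spec))
```

Feed `weak_suites()` the cipher string from your own web server configuration to see which suites, if any, fall below 128 bits; no certificate is involved in that answer.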

GeoTrust also offers four different types of SSL certificates; the highest priced is $500/yr and the cheapest is $150/yr. The $500/yr version is a wildcard cert, which lets you buy one certificate for multiple subdomains (e.g. www.domain.com and portal.domain.com would use the same cert). The next cheapest is the $300/yr version, which should technically be considered the “highest”-priced version for this comparison, since covering multiple subdomains is actually a useful feature. And again, the encryption level for each of these types of cert is up to 256-bit.

I could give more examples from various other certificate authorities. I recently wrote a post about my experience purchasing an SSL certificate from CheapSSLs.com. I bought a 3-year, 256-bit SSL certificate from PositiveSSL for only $30… total! So what is the difference between the certificate I purchased and the certificates you can get for $150-$15000 from the “other guys”? NONE! They both have the same encryption level, and they both will take a hacker a billion years to crack.

Yet, time after time, I see people being duped into buying these expensive certificates. I’ve heard stories about how purchasing an EV (extended validation) certificate has increased a site’s conversion rate by 87%! Yet I have never heard a single consumer tell me that they only buy from sites with the “green URL bar”. Pretty much the only “benefit” you get with the EV certificates is that green URL bar. Maybe I’m completely wrong, or completely insane; maybe I know too much about encryption, or not enough about consumers. With the EV certificates, it takes longer to get your certificate because you have to prove that you are the site owner (usually by phone/fax). With the cheaper version, you only have to have a valid administrator email address for the domain you’re purchasing the certificate for. In my opinion, both of these verification methods can be socially engineered (one is not more secure than the other). So tell me, am I wrong? Is there really a practical benefit in purchasing the more expensive certs from the “other guys”? Are my $10 SSL certificates less secure than the $1500 certificates?

To further support my claim, Comodo actually offers a free SSL certificate (with a 90-day expiration date). It too has up to 256-bit encryption, and they claim that it is “a fully functional SSL certificate trusted by over 99% of browsers.” Of course, it’d be better to go with a paid version that gives you at least one year, so you don’t have the hassle of renewing it every 90 days… but kudos to them for being so forward-thinking.

The best you can say is that the more expensive certificates require sites to go through more red tape and hoops to verify that they are who they say they are, and that is what makes them more secure. The certificates themselves are not more secure, though: they all offer the same encryption level, which is what ultimately secures your data.

P.S. There is malware and there are methods out there that can bypass all these security measures, whether you’re using an EV or a $10 cert on your site.

Comments

  1. Chris Albert says:

    It’s all appearance, and the lack of consumer knowledge. If somebody sees something that costs more they automatically think it must be better.

    I normally recommend my customers use GoDaddy; it’s a name they know and it’s $50 bucks a year, 256-bit encryption.
    People are stupid and companies know and take advantage of that.

    • Thanks Chris… I would really like to see some solid research into why people think the EV certs are better (or how they are actually more secure). By the way, I personally hate GoDaddy’s SSL system, it is such a pain to navigate.

      Lew

  2. saltyBBQchicken says:

    All the certificates are a SCAM! A self-signed cert provides the exact same encryption level as bought ones.

    The problem lies with the web browser developers. They allow paid certs to not offer a warning like self-signed ones do (although it’s the exact same).

    The cert companies were originally there to verify the websites as being legit, but when you order a cert and get it in 5 mins, do you really think they took the time to verify the company’s legitimacy?? In 5 mins??

    It’s a giant scam between web browser developers and cert companies!!

    If only people were aware of this, to put a stop to that corporate scam!

  3. I partly agree, Certificate Authorities really make consumers dumber. Self-signed certs are just as good, provide the exact same encryption. But the CAs want us to believe that they are providing a needed service.

    Unfortunately, most people freak out when they see the cert warnings. So we’re stuck needing to buy from a CA. Luckily there are cheap ones out there now.

    Lew

  4. No matter how strong the encryption you use is, it is useless if you are encrypting it with an attacker’s public key!

    If a user sees a self-signed certificate, he cannot know whether the private key really belongs to example.com, or if it belongs to that shady guy using the free wi-fi in the corner.

    I understand the point though. Although users who know what they’re doing can reject certificates from CAs who do only a little checking, most users don’t have a clue.

  5. hotrider says:

    No matter how strong the encryption you use is, it is useless if you are encrypting it with an attacker’s public key!

    This is true but there are always risks and a certain level of trust involved when doing any kind of business with any site regardless of certificates.

    If a user sees a self-signed certificate, he cannot know whether the private key really belongs to example.com, or if it belongs to that shady guy using the free wi-fi in the corner.

    If the site has created its own certificate authority and keys with OpenSSL and the client has loaded the client key in their browser, they will know if the certificate is legitimate.

    This seems the best way to go instead of relying on so-called expensive middlemen third-party “authorities” who do little to no validation anyhow, and instead create a way for websites to easily create their own certificate authorities and keys and develop a method of allowing end users to directly add those keys to their browsers.

  6. There are advantages in having a trusted third party issue certificates since, as xlq said, otherwise you don’t know if it’s a hacker who is responding to your requests with a bogus certificate.

    That said, anyone who has created a certificate knows it is done in a fraction of a second. Companies like Go Daddy are selling them now for $70/yr. That’s $70 for the creation of a certificate file that takes a split second to generate. They and others are ripping people off. Oh, but it’s for security, you might say. Well, one buys a bottle of Coke and also has some expectation of security, too.

    The reason prices are so high is that one has to join this “club”: http://www.cabforum.org/. The browser makers coordinate with each other, ensuring that only a limited number of “trusted” parties are able to produce certificates. Only the root certificates of the CAB Forum members are loaded into browsers.

    Do we want “just anybody” to be able to generate certificates? Probably not. However, I do believe that the very high prices for something produced with so little effort indicate that there is still not enough competition in this space and/or members engaged in price fixing. Otherwise, I see no reason why a certificate should cost more than the domain it serves to protect.

  7. Paul,

    Unfortunately, some trusted third party issuers have been found to not be trustworthy. I agree/understand that self-signed certs open us up to a greater risk of man-in-the-middle attacks. However, I also feel like there should be a better way to do this… if not definitely a cheaper way.

    But that’s why I use CheapSSLs.com and will probably never buy an EV cert.

  8. CAs are most definitely exploiting a relationship with browser companies and uneducated consumers. In regards to the EV cert, it certainly does exactly what it was intended to do: increase customer confidence. When a customer sees that big green bar that they normally only see on the “big” websites it does make a statement, regardless of the fact that it is ultimately worthless from a security standpoint.

    I really love the “Free EV SSL” upgrade hype that’s going around, damn fine print.

    • Hey Josh, I would love to see some unbiased research into whether or not the EV certs actually do increase customer confidence. I’m 100% positive if I were to ask my mom, she wouldn’t have a clue what SSL was or what the green bar means. I suspect my mom is a pretty decent representation of the major population too. But, I haven’t done or seen the research, so I could be completely wrong.

      • Lew, I did overstate that, or at least didn’t differentiate between types of customers. I “believe” it does boost the false confidence in a certain group of consumers that is moderately self-educated on web security. Someone who is aware of browser security in terms of looking for the lock symbol when sending a form with sensitive data and who has noticed the difference when on sites such as Paypal or USBank vs. a typical web store. Their education on SSL security stops there however. Anyone above or below that demographic would not be any more or less impressed if it were an EV or not. So on one end we have a group who if they even saw the green bar would not know or care what it is. And on the other end we have a group of people that know exactly what an SSL cert is, how to make their own, and why it sucks having to buy one. That group though is obviously the smallest group. The first group probably makes up the majority.

        It would be interesting to see an actual study on the general consumers’ impression of an EV SSL vs. non-EV. I have not been able to locate any such study to date other than the 2006 study listed on the EV Cert Wikipedia entry, which does not support EV certs as expected.

        http://en.wikipedia.org/wiki/Extended_Validation_Certificate
        Effectiveness against phishing attacks
        In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV display in Internet Explorer 7. Their paper concluded that “participants who received no training in browser security features did not notice the extended validation indicator and did not outperform the control group”, whereas “participants who were asked to read the Internet Explorer help file were more likely to classify both real and fake sites as legitimate”.

  9. I just stumbled across this blog post. I have been learning about encryption for the past few weeks and I feel the same way. SSL Certificates are a scam in that they are priced too high, not that they don’t have value. I think they should be priced similar to domain names. And you shouldn’t have to pay crazy amounts more for wildcard certificates.

    I am a fan of https://www.cacerts.org , though their certificates still don’t give that nice green icon. I am hopeful that one day Google, Mozilla, Opera and Apple will add their root certificate to be accepted. They provide free certificates and they verify domain ownership. My GoDaddy certificate used almost the same process to verify me, so in reality it provides no more security or verification than a certificate from cacerts.org. On top of that, cacerts.org has a process to verify you in person if you choose to increase validation. But alas, they are considered just a notch higher than a self-signed certificate.