Let me preface this post by saying that I could be completely wrong… I just want to rant and say those expensive Extended Validation SSL certificates are a big scam! All certificate authorities offer some sort of Extended Validation Certificate, it usually cost two to three or even ten times a normal certificate. So, these certificates are more secure right? NO!
Verisign currently offers 4 different types of SSL certificates, the highest priced is 1500$/yr (with a multi-year discount). The cheapest is 400$/yr. So the 1500$ version is more secure than the 400$ version, right? Well, it depends on what you mean by “more secure”. The simplest answer is no! Each of these SSL certificates can have an encryption level up to 256-bit (pretty much the highest available to date). What does that mean? Well, basically if a person orders a 256-bit cert, it would take a hacker a billion years to crack. What I don’t understand is Verisign actually allows people to order 40-bit SSL certs in their cheapest and 3rd most-expensive certificates (which is much more insecure). So what do you get with the most expensive SSL certs? Well, the person ordering it gets a bunch of services, none of which affects the actual SSL certificate.
GeoTrust also offers four different types of SSL certificates, the highest priced is 500$/yr and the cheapest is 150$/yr. The 500$/yr version is a wildcard cert which allows them to buy one certificate for multiple subdomains (e.g. www.domain.com and portal.domain.com would use the same cert). The next cheapest is the 300$/yr version which should technically be considered the “highest” priced version, since multiple subdomains is actually a useful feature. And again, the encryption level for each type of these certs is up to 256-bit.
I could give more examples from various other certificate authorities. I recently wrote a post about my experience purchasing an SSL Certificate from CheapSSLs.com. I bought a 3-year, 256-bit SSL certificate from PositiveSSL for only 30$… total! So what is the difference between the certificate I purchased and the certificates you can get for 150$-15000$ from the “other guys”? NONE! They both have the same encryption level, they both will tiake a hacker a billion years to crack.
Yet, time after time I see people being duped into buying these expensive certificates. I’ve heard stories about how purchasing the EV (extended validation) certificates have increased a sites conversion rates by 87%! Yet, I have never heard a single consumer tell me that they only buy from sites with the “green url bar”. Pretty much the only “benefit” you get with the EV certificates is a “green url bar”. Maybe I’m completely wrong, or completely insane, maybe I know too much about encryption, or not enough about consumers. With the EV certificates, it takes longer to get your certificate because you have to prove that you are the site owner (usually by phone/fax). With the cheaper version, you only have to have a valid administrator email address for the domain you’re purchasing from. In my opinion, both of these verification methods can be social engineered (one is not more secure than the other). So tell me, am I wrong? Is there really a practical benefit in purchasing the more expensive certs from the “other guys”? Are my 10$ SSL certificates less secure than the 1500$ certificates?
To further support my claim, Comodo actually offers a free SSL certificate (that has a 90-day expiration date). It too has up to 256-bit encryption and they claim that it is “a fully functional SSL certificate trusted by over 99% of browsers.” Of course, it’d be better to go with a paid version that gives you at least one year, that way you don’t have the hassle of renewing it every 90-days… but kudos to them for being so forward thinking.
The best you can say is that the more expensive certificates require sites to go through more red-tape and hoops to verify they are who they say they are, which is what makes them more secure. The certificates themselves are not more secure though, they all offer the same encryption level, which is ultimately securing your data.
P.S. There are malware and methods out there that can bypass all these security methods, whether you’re using an EV or a 10$ cert on your site.