On Sun, 19 Feb 2006, Carl Youngblood wrote:
> You get what you pay for.
Unfortunately, SSL certs seem to be an exception to that rule. SSL certs
convey almost no useful information, and the low barriers for attackers make
the quality of security low even for the small class of users who can discern
between "safe" and "dangerous" scenarios. Still much better than nothing, but
the extra money some CAs charge doesn't seem to be providing much additional
security.
> If all you want is encryption, Godaddy certs are fine. But if you look at
> the fact that even their most expensive cert only comes with $1000 of
> insurance, while instantssl.com and verisign certs come with $1,000,000, you
> can see the difference. Granted you'll probably never use the insurance,
> but customer confidence is an important issue. If I were running a business
> that used SSL I would use instantssl for that reason alone. I think their
> price/value ratio is the best out there.
While I have seen Verisign and "consumer confidence" in adjacent sentences
before, this might be the first time I've seen them used with that relative
polarity from anyone other than their marketers. (Verisign/netsol has been
harshly criticized for a number of unethical behaviors, including sending
deceptive domain renewal notices to customers of other registrars and
redirecting every single unregistered .com domain to their own signup site).
Incidentally, I can't find anything about a $1M guarantee on their site -- do
you have a URL for that?
Instantssl.com appears to be Comodo, who I once exchanged emails with about my
friend's erroneous choice of a 512-bit RSA certificate -- the tech claimed
that 512 bits was plenty secure and refused to reissue a stronger cert. 512-bit
RSA moduli were broken years ago, and would probably take a modern PC,
say, a month to factor. Unfortunately, the $1M guarantee from Comodo doesn't
seem to cover you if the attacker gets his cert for your domain from somebody
else.
-J
/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/