I think you are misconstruing my original post. I am not trying to be an advocate for Verisign. I said you would probably never use the insurance anyway. What I was mostly focusing on is customer perception. Many big companies go with Verisign for this reason alone. I don't like the company. I think that SSL certs could be done a lot more cheaply, but there are certain hoops that you should probably go through if you are going to do e-commerce and want to present as safe a storefront as possible. I'm not claiming any of these techniques will actually make your site any safer. I'm just saying that there is a difference in consumer perception about the safety of each company. But actually most consumers don't check the cert at all. For those that do, there may be a difference between getting a cert with $1000 of insurance and one with $1,000,000. BTW, I looked up Verisign's policy and their insurance is only $100,000: http://www.verisign.com/repository/netsure/netsure2.html. I was shooting from the hip, but it is at least a little more than $1,000. I should add, though, that I have never heard of a single case where a cert has been verified that was not actually issued. (Phishing attacks with slight domain name modifications are different and are not covered by this kind of insurance AFAIK.)
Carl

On 2/19/06, Jason Holt <[EMAIL PROTECTED]> wrote:
>
> On Sun, 19 Feb 2006, Carl Youngblood wrote:
> > You get what you pay for.
>
> Unfortunately, SSL certs seem to be an exception to that rule. SSL certs
> convey almost no useful information, and the low barriers for attackers make
> the quality of security low even for the small class of users who can discern
> between "safe" and "dangerous" scenarios. Still much better than nothing, but
> the extra money some CAs charge doesn't seem to be providing much additional
> security.
>
> > If all you want is encryption, Godaddy certs are fine. But if you look at
> > the fact that even their most expensive cert only comes with $1000 of
> > insurance, while instantssl.com and verisign certs come with $1,000,000, you
> > can see the difference. Granted you'll probably never use the insurance,
> > but customer confidence is an important issue. If I were running a business
> > that used SSL I would use instantssl for that reason alone. I think their
> > price/value ratio is the best out there.
>
> While I have seen Verisign and "consumer confidence" in adjacent sentences
> before, this might be the first time I've seen them used with that relative
> polarity from anyone other than their marketers. (Verisign/netsol has been
> harshly criticized for a number of unethical behaviors, including sending
> deceptive domain renewal notices to customers of other registrars and
> redirecting every single unregistered .com domain to their own signup site).
> Incidentally, I can't find anything about a $1M guarantee on their site -- do
> you have a URL for that?
>
> Instantssl.com appears to be Comodo, who I once exchanged emails with about my
> friend's erroneous choice of a 512-bit RSA certificate -- the tech claimed
> that 512-bits was plenty secure and refused to reissue a stronger cert. 512
> bit RSA moduli were broken years ago, and would probably take a modern PC,
> say, a month to factor. Unfortunately, the $1M guarantee from Comodo doesn't
> seem to cover you if the attacker gets his cert for your domain from somebody
> else.
>
> -J
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
