bazianm, posted June 23, 2004

I am looking into SSL certificates for a store and I looked at Verisign. Kinda pricey, but I will do Verisign if I have to. I am interested in knowing:

1) If you use Verisign, do you also use their payment module?
2) If you use Verisign, have you experienced any problems (either in general or with OSCommerce in particular)?
3) If you don't use Verisign, whom do you use and what has your experience been?

Thank you so much for your assistance.

AlanR, posted June 23, 2004

Do you seriously believe that a shopper who visits your site cares who provides the certificate? All they care about is the little padlock without errors, and many would not miss the padlock if it didn't show up.

I believe that Verisign has run a very successful marketing campaign and made buckets of money pretending that encryption is a dark art. I think tying a company's financial credentials to an encrypted link they, in most cases, have no control over is absurd. Your hosting company has far more control over the security of the SSL connection and facilities than you ever will.

The Verisign "monopoly" has been well and truly broken now.

Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux
Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)

bazianm, posted June 23, 2004

OK, I'll buy that. BUT, what I want to avoid is a security warning that the source of the certificate is not from a "trusted" source. I have done some checking (www.whichssl.com) and the issue is browser compatibility. Based on their compatibility chart, the most "ubiquitous" SSL certificate companies are:

Verisign (99.5%) ($895/Year)
Thawte (99.5%) ($199/Year)
Instant SSL (99.3%) (Between $69-$119/Year)
Entrust (99.3%) ($149/Year)
Baltimore (99.3%) ($349/Year)

As you can see there is a significant price differential. (BTW, I only quoted prices on 128 bit encryption). There are also differences in the $ warranty they will give on the plans and other things.

Now, I am perfectly willing to go with a company other than Verisign (in fact I want to). What I am hoping the community here can help me with is their own personal experiences with SSL certification companies. Which one do you use (if you don't mind my asking)?

Thanks for your time.

Menachem

TerryK, posted June 23, 2004

I use Thawte. I was pretty ticked off at them at my last renewal time because I'd moved and they were trying to make me jump through hoops to renew my certificate. But ultimately, it had been due to a misunderstanding on their part that they owned up to, and apologized for.

What I like about Thawte is that it IS a recognized name and I think that provides customers with an added level of trust that might not be there with some of the other SSL companies. The fact that they're thorough in checking company information, though a pain for me when I was renewing, I think speaks to their mission to provide our customers with as 'safe' a shopping experience as they can -- from the perspective of knowing WHO is behind them anyway.

What I DON'T like about Thawte is that it is under the Verisign umbrella, which in turn was bought out by NSI (Network Solutions), a company that I have absolutely no use for. However, I decided to put my prejudice aside to maintain consistency with my SSL certificate after the handover.

For the past couple of days, Thawte has had a problem with their server rendering the image generated by JavaScript that's displayed on sites. I was quite happy with their live chat support (even though the problem is still not solved...)

HTH,
Terry

Terry Kluytmans
Contribs Installed: Purchase Without Account (PWA); Big Images, Product Availability, Description in Product Listing, Graphical Infobox, Header Tags Controller, Login Box, Option Type Feature, plus many layout changes & other mods of my own, like:
Add order total to checkout_shipment
Add order total to checkout_payment
Add radio buttons at checkout_shipping (for backorder options, etc.)
Duplicate Table Rate Shipping Module
Better Product Review Flow
* If at first you don't succeed, find out if there's a prize for the loser. *

AlanR, posted June 24, 2004

> As you can see there is a significant price differential. (BTW, I only quoted prices on 128 bit encryption). There are also differences in the $ warranty they will give on the plans and other things.

A fair number of hosting providers are selling the GeoTrust 128 bit SSL for $49 a year. Wait and within a year everyone will be around that price point. It only takes one company to overturn the apple cart.

djs, posted June 24, 2004

Yep, GeoTrust is the way to go. Just don't buy it direct from them; do a Google search for "GeoTrust $49". Most other certs are chained certs; if I understand correctly, GeoTrust is not, it's a root cert. Very browser compatible as well.

Dan

Dan Stevens

KimBradshaw, posted June 24, 2004

I just got one from Starfield Technologies, part of the Godaddy Group, and it cost $99 for two years. One year is $49.

I had to supply a bunch of paperwork proving the company was mine, but that really is a good thing. Customer support was wonderful.

AlanR, posted June 24, 2004

> I had to supply a bunch of paperwork proving the company was mine, but that really is a good thing. Customer support was wonderful.

This goes back to the point I made above. How is who you or a company are relevant to the integrity of an internet connection? Someone selling clothes or games or toys is not in the connectivity business, they're selling consumer products.

If you check a GeoTrust link the company you find behind the cert is GeoTrust. They're the people guaranteeing the integrity of the link and that makes sense because they have control.

TerryK, posted June 24, 2004

> This goes back to the point I made above. How is who you or a company are relevant to the integrity of an internet connection?

The corporate check itself isn't relevant to the integrity of the connection, but as Thawte explains it:

"thawte SSL Web Server certificates and SGC SuperCerts offer highest level authentication and verification procedures. This is crucial for businesses that wish to send a message to visitors that they (the businesses) have been thoroughly vetted by a highly trusted independent authority. These certificates therefore serve the dual purposes of protecting information (via SSL) and ensuring that communication is taking place with exactly who one thinks it is - all independently verified by one of the most respected Certification Authorities globally."

Other companies (like GeoTrust) that perform the same kind of background checks are probably fine. I'd be a little leery if they didn't require some kind of identity confirmation before issuing a certificate.

Terry

AlanR, posted June 24, 2004

> as Thawte explains it:
> "thawte SSL Web Server certificates and SGC SuperCerts offer highest level authentication and verification procedures. This is crucial for businesses that wish to send a message to visitors that they (the businesses) have been thoroughly vetted by a highly trusted independent authority. These certificates therefore serve the dual purposes of protecting information (via SSL) and ensuring that communication is taking place with exactly who one thinks it is - all independently verified by one of the most respected Certification Authorities globally."

Sounds like sales talk to me. Are they indemnifying you? Insuring your customers against any loss they may incur buying from you? You know the answer. Nope. You'd have to buy some other form of insurance.

This is how Verisign managed to make huge $$$, by deliberately confusing the technical aspect of SSL with some imaginary "insurance".

ecartz, posted June 24, 2004

> Sounds like sales talk to me. Are they indemnifying you? Insuring your customers against any loss they may incur buying from you? You know the answer. Nope. You'd have to buy some other form of insurance.
>
> This is how Verisign managed to make huge $$$, by deliberately confusing the technical aspect of SSL with some imaginary "insurance".

By that argument, we should get rid of certificate authorities altogether. The technical aspect of SSL encryption is fully satisfied by a self-signed cert (which will give a browser warning but fully secures the transmission). Nothing is added by the Certificate Authority *except* identity verification. Without identity verification, all the certificate says is that someone bought (or made if self-signed) a certificate and no one other than the person to whom you are sending data is receiving it.

Cheers,
Matt

Always back up before making changes.

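Added example, not part of any post in this thread: the distinction ecartz draws above (a self-signed certificate carries the same key material, a CA adds only someone else vouching for the name) can be checked with the openssl command line. The host name demo-shop.example, the "Demo Root CA" and the function names are constructed for this example; the stand-in CA plays the part of a root that browsers already trust.

```bash
#!/usr/bin/env bash
# Added demo; demo-shop.example and "Demo Root CA" are constructed names.
workdir=$(mktemp -d)

make_certs() {
  # (a) Self-signed certificate: the site vouches for itself.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=demo-shop.example" \
    -keyout "$workdir/self.key" -out "$workdir/self.crt" 2>/dev/null || return 1
  # (b) Stand-in root CA, playing the part of a root the browser ships with.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo Root CA" \
    -keyout "$workdir/ca.key" -out "$workdir/ca.crt" 2>/dev/null || return 1
  # (c) Same site name and key size, but issued by the CA from a CSR.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-shop.example" \
    -keyout "$workdir/leaf.key" -out "$workdir/leaf.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$workdir/leaf.csr" -days 1 \
    -CA "$workdir/ca.crt" -CAkey "$workdir/ca.key" -CAcreateserial \
    -out "$workdir/leaf.crt" 2>/dev/null || return 1
}

# Size of the public key in the certificate (what the encryption rests on).
key_bits() {
  openssl x509 -in "$1" -noout -text |
    sed -n 's/.*Public.Key: (\([0-9]*\) bit).*/\1/p'
}

# yes if subject and issuer are the same name, i.e. nobody else vouched.
self_issued() {
  s=$(openssl x509 -in "$1" -noout -subject_hash)
  i=$(openssl x509 -in "$1" -noout -issuer_hash)
  if [ "$s" = "$i" ]; then echo yes; else echo no; fi
}

# yes if the certificate ($2) chains to the given trust anchor ($1).
trusted_by() {
  if openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'; then
    echo yes
  else
    echo no
  fi
}

make_certs || { echo "openssl failed" >&2; exit 1; }
for c in self leaf; do
  f="$workdir/$c.crt"
  echo "$c: $(key_bits "$f")-bit key, self-issued=$(self_issued "$f")," \
       "trusted by CA root=$(trusted_by "$workdir/ca.crt" "$f")"
done
```

Both certificates carry a key of the same size; only the CA-issued one verifies against the root, and that failed verification is what the browser warning reports.
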
birwin, posted February 4, 2005

Geotrust is a good certificate if you can deal with having IE 5.0 users (about 4% of the internet population) displaying an alert when they hit your site. As IE 5.0 fades away, the Geotrust cert will gain the 99% browser ubiquity. Presently it sits near 96%.

Go to www.sslassistant.com for an unbiased assessment of CA certs. (whichssl.com is owned by Comodo).