My web application most definitely needs an SSL certificate.

I was looking into godaddy's: http://www.godaddy.com/ssl/ssl-certificates.aspx

The Standard doesn't appear to have the lock in the URL bar, which a lot of users might not consider secure... How true is this? The Standard obviously has https:// in the bar, but is that enough to persuade users to enter confidential information?

I'd appreciate any experience anyone has had with this, or any alternatives they've dealt with. Is $100/year really the going rate for an SSL cert that has the lock in the URL bar?

Thanks SO!

Walley
  • Since Firefox 4 (I think), the padlock is no longer in use and has been replaced with a colour code in the "site identity button": https://support.mozilla.com/en-US/kb/Site%20Identity%20Button – Bruno Nov 24 '11 at 20:37

3 Answers

Standard SSL certs are JUST as secure, cryptographically, as the premium ones. The same algorithms/keys are used. The premiums just cost more because, supposedly, the certificate authority has spent a few extra microseconds pretending that they've verified your identity. It's mostly just a marketing ploy to suck extra $$$ out of clients for very little actual gain in security.

Most web users have no idea about SSL, or even to know about looking for the lock icon. They'll enter their personal information anywhere they think it'll benefit them somehow. Establishing a site's trustworthiness is far harder than just saying "hey, we've got SSL".

Marc B
  • So, the difference between 12.99 a year and 100/year lol, is so minuscule, it isn't even worth it? – Walley Nov 24 '11 at 17:13
  • It's up to you. I'm just saying that on the back-end, there's no difference between the two cert types. The same algorithms, the same cryptography, the same security. It's purely a visual thing in browsers. If spending an extra $87/yr to get a splash of blue/green in the address bar is worth it, then go for it. – Marc B Nov 24 '11 at 17:17
  • Solid advice. Thanks Marc :) ! – Walley Nov 24 '11 at 17:46

As stated by others, the Extended Validation (EV) certificate is structurally similar to a standard Domain Validation (DV) certificate. The difference is not about securing the pipe between the browser and the site, but rather the level of diligence done by the Certificate Issuer in the process of granting a certificate.

Certificates are like passports. Saying that the certificates are the same is like saying two passports from two different countries have the same security features. It means they have the same protection against being forged. It doesn't however tell anything about whether the certificate/passport was issued to the right person. That's the difference between Domain and Extended validation certificates.

For example, I don't know the actual criteria used, but 'Domain Validated' means just that. Hey, we contacted you at an e-mail address with this domain and you're from that company, so here's the certificate that you paid for. Validated by domain.

By comparison, the extended validation would mean that maybe the certificate issuer contacted the legal department of the company that owns the domain requesting the certificate to verify that the requester is authorized to get a certificate for that domain. That way they can verify that just because you work at the company, you're not going to be able to get a certificate with the company's domain issued to you.

So, as others have stated, does that mean your users will know the difference and be paranoid enough about the information they're giving you to care? You may not know. If they're supposed to give financial information, I'd spring for the extra $$$. If not, it probably doesn't matter as much.

Shawn D.
  • They will be giving financial information back and forth, but that will be handled by a flavor of Paypal. This is primarily, at least right now, for the user's login. – Walley Nov 24 '11 at 17:48
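Marc B's and Shawn D.'s answers make two separable claims: the cryptography in a DV and an EV certificate is the same, and only the amount of identity checking behind them differs. Both claims can be checked against the certificate itself, because the validation level leaves traces in the subject (an EV certificate names an organisation, its business category and its jurisdiction) and in the certificatePolicies extension. The script below is an added example, not code from any of the answers or from GoDaddy: it builds two constructed self-signed certificates shaped like a DV and an EV leaf for the made-up names example.com and Example Inc, tags them with the CA/Browser Forum policy identifiers 2.23.140.1.2.1 (domain validated) and 2.23.140.1.1 (extended validation), which the thread itself never mentions, and then classifies each one while reporting the key and signature algorithms. The function names `make_cert`, `classify` and `key_info` are the example's own.

```shell
#!/bin/sh
# Added example: where the DV/EV difference shows up inside a certificate.
# Requires openssl 1.1.1 or newer (for "req -addext" and "x509 -ext").
set -eu

# Build a constructed self-signed certificate for a test subject.
#   $1 = output PEM file, $2 = subject in openssl -subj form, $3 = policy OID
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$(dirname "$1")/key-$(basename "$1")" -out "$1" \
        -subj "$2" \
        -addext "subjectAltName=DNS:example.com" \
        -addext "certificatePolicies=$3" >/dev/null 2>&1
}

# Classify by the CA/Browser Forum policy OID; if the certificate carries none
# (pre-2012 certificates often did not), fall back to whether the subject
# names an organisation at all, which a pure DV certificate cannot.
classify() {
    policies=$(openssl x509 -in "$1" -noout -ext certificatePolicies 2>/dev/null || true)
    if printf '%s\n' "$policies" | grep -Eq 'Policy: 2\.23\.140\.1\.1[[:space:]]*$'; then
        echo EV
    elif printf '%s\n' "$policies" | grep -Eq 'Policy: 2\.23\.140\.1\.2\.2[[:space:]]*$'; then
        echo OV
    elif printf '%s\n' "$policies" | grep -Eq 'Policy: 2\.23\.140\.1\.2\.1[[:space:]]*$'; then
        echo DV
    elif openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | grep -Eq '(^|[,=])O='; then
        echo "OV (no CA/B Forum policy OID; organisation named in subject)"
    else
        echo "DV (no CA/B Forum policy OID; subject names only the domain)"
    fi
}

# The part Marc B is talking about: key and signature algorithms are a
# property of how the certificate was made, not of how much the CA checked.
key_info() {
    openssl x509 -in "$1" -noout -text \
        | grep -E 'Public Key Algorithm|Signature Algorithm' \
        | sed 's/^ *//' | sort -u | tr '\n' ' '
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# DV shape: the subject is nothing but the domain.
make_cert "$tmp/dv.pem" "/CN=example.com" 2.23.140.1.2.1
# EV shape: organisation, business category and jurisdiction are asserted.
make_cert "$tmp/ev.pem" \
    "/C=US/O=Example Inc/businessCategory=Private Organization/jurisdictionC=US/CN=example.com" \
    2.23.140.1.1

for f in dv ev; do
    echo "$f.pem: $(classify "$tmp/$f.pem")"
    echo "        $(key_info "$tmp/$f.pem")"
    echo "        $(openssl x509 -in "$tmp/$f.pem" -noout -subject -nameopt RFC2253)"
done
```

Run it and both certificates report identical key and signature algorithms; only the subject and the policy OID differ. Two caveats for anyone using this on real certificates: a browser's green bar is driven by CA-specific EV policy OIDs baked into the root store, not by the 2.23.140.1.1 identifier alone, so this check tells you what the CA claims to have validated, not what a given browser will display; and a self-signed certificate like the ones built here gets no EV treatment anywhere, whatever OIDs it carries.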

I think you mostly hit the nail on the head when you asked:

is that enough to persuade users to want to enter in confidential information??

But, really, the question should be:

is that enough to persuade MY users ...

As I started my reply, Marc B just posted his - and I agree with most of what he said - I think this is ultimately a marketing question that only you / your business can answer.

If you're eBay, and the lack of a lock icon in the address bar may turn away 0.01% of your customers - it's probably well worth the price.

If you're just starting out, and trying to keep expenses low - probably including one of those silly "Secured by GoDaddy SSL" or whatever icons / logos they have on your site is a good compromise.

Steve
  • I've always wondered what the benefits of these logos are: how many users bother clicking on them (otherwise, any fake website could show this image)? Plus, they don't even guarantee that it's the cert that is being used for the connection to the user... – Bruno Nov 24 '11 at 20:42
  • @Bruno - you're thinking like a developer. You've gotta think like a marketing guy. – Steve Nov 25 '11 at 05:01