Why Are SSL Certificates So Expensive?

Posted by Cliff on Sunday March 18, 2001 @04:48PM from the arms-and-legs dept.

hip2b2 asks: "SSL over HTTP is becoming a very popular way of securing websites for eCommerce and other forms of secure transactions. A vital ingredient of an SSL-protected website is an SSL certificate. In the Philippines, most of the secure websites here buy their certificates from Verisign. Why should we trust a certification authority that is located in a different country and charges an arm and a leg for a certificate instead of a local one? I can pay 349 USD for a Verisign or 125 USD for one from Thawte, which is not cheap here: with an exchange rate of around 48.50 PHP per USD, this amount is beyond the reach of most local sites who just want to set up secure sites to try out the technology or use it for some charitable purpose. How do we expect to promote the use of SSL in our websites locally with these prohibitive costs? This problem is not limited to the Philippines; I presume that other countries could also relate to this issue." Right now, the cost of an SSL certificate is one of the prices for doing business on the internet (in addition to bandwidth costs), but what would it take to start up another company that issues CAs, especially if you want to do it outside of the US?

"Is it a question of trust? Do local ecommerce and secure sites trust Verisign more than, say, a local company that provides secure certificates? What confuses me is why there is no proliferation of trusted local institutional CAs. In the future, Verisign might end up being another Network Solutions."

Oh wait! Network Solutions is a Verisign company!

Why Are Verisign Certificates So Expensive?

by Anonymous Coward

The main issue with SSL certs that causes the most grief is that SSL, as implemented, serves two purposes:
  • encryption
  • some degree of proof of identity

The thing is, 99% of the people who want to use SSL could care less about establishing their identity or the location of their server. They just want to encrypt the data to prevent casual interception. Unfortunately for them, SSL won't allow web sites to have one (encryption) without the other (identity) without imposing its own penalty: scaring web site visitors and making them affirmatively agree to accept it as "untrusted". In all likelihood, most USERS wouldn't care about the identity aspect either if browsers didn't make such a big deal about it and give less astute users the impression that they'd be safer submitting their info in the clear. Untrusted certs aren't less effective as encryption keys; they just have zero worth for establishing identity.

A reasonable compromise that could be deployed by the Powers that Be (Microsoft & Netscape) would be to create an explicit category of untrustworthy SSL certificates whose only worth was encryption alone, and tell users exactly that the first time they encounter such a cert, and make it easy for users to check the "never bother me about this again" button.


You are about to securely submit encrypted data to a site of unproven identity. This is safer than submitting data to a site without using encryption (something you've probably done dozens of times per day without giving it a second thought), but not as safe as submitting data to a site using a proper SSL certificate that additionally establishes the identity and location of the web server to which you are submitting the data. Do you wish to continue?

[x] Don't bother me in the future

Within a few months, it would de-mystify such certs, and users would dismiss the first instance of such browser-generated notices the same way they dismiss the notice generated during the first instance of insecure and SSL form submits now.

Considering the deprecated state of Netscape today on every platform for which MSIE exists, Microsoft could probably even do something like this unilaterally, and make it retroactive to older versions of MSIE too using Windows Update [the same way ancient 3.x versions of MSIE can still have the newest JVM and Javascript]. What's in it for Microsoft? They could create an option to differentiate between insecure SSL certs created by Win2k Server and Everyone Else's (making the option to differentiate between them default to Windows Only). Underhanded? Probably. A worthwhile sacrifice for the sake of getting something like this into MSIE ASAP? Yeah.
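The separation the comment draws between encryption and identity can be seen directly in a TLS handshake. The Go program below is an added example, not code from the post or from any browser or CA vendor: SelfSignedCert and Handshake are this example's own names, and the client is run once with an empty trust store (it refuses purely on "unknown authority" grounds) and once pinning exactly that certificate, which is what a "never bother me about this again" button should amount to; the server, key and cipher negotiation are identical in both runs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// SelfSignedCert builds a throwaway self-signed certificate for "localhost": a usable key, but no third party vouches for whose key it is.
func SelfSignedCert() tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // cannot fail for P-256 with rand.Reader
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "localhost"}, DNSNames: []string{"localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// Handshake serves cert on loopback and connects one client that trusts only roots. It returns the
// negotiated cipher suite (0 if the client refused) and whether the only objection was an unknown authority.
func Handshake(cert tls.Certificate, roots *x509.CertPool) (cipher uint16, unknownCA bool, err error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return 0, false, err
	}
	defer ln.Close()
	go func() { // server side: one connection, same key and cert whatever policy the client applies
		if s, e := ln.Accept(); e == nil {
			s.(*tls.Conn).Handshake() // fails harmlessly when the client refuses us
			s.Close()
		}
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{ServerName: "localhost", RootCAs: roots})
	if err != nil {
		// Identity objection only: the key exchange itself was never the problem.
		return 0, errors.As(err, new(x509.UnknownAuthorityError)), nil
	}
	defer cli.Close()
	return cli.ConnectionState().CipherSuite, false, nil
}
```

Pinning a specific certificate keeps verification on, whereas turning verification off (InsecureSkipVerify in Go's terms) would also accept any other key presented under that name.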

