GeoTrust vs. VeriSign: An SSL Controversy
Survey results ignite debate over who has the biggest chops in the SSL certificate arena.
Who’s the top dog in the SSL certificate market? According to a GeoTrust statement, it is. VeriSign would have you believe otherwise, though. Regardless, bragging rights are at stake in a market that forms the basis of modern Internet security and may be on the verge of explosive growth.
GeoTrust made the claim that it had surpassed each of VeriSign’s individual SSL certificate brands in the North American SSL certificate market based on its interpretation of data from a May Netcraft survey. The survey measured the VeriSign brands RSA Data Security, VeriSign Trust Network and Thawte.
But according to Brendan P. Lewis, VeriSign corporate communications manager, GeoTrust parceled the data so that it reflects favorably on GeoTrust.
“Overall we still have a commanding lead of market share for SSL certificates. By far and away we still have more SSL certs out there.”
Lewis contends that, on the whole, VeriSign still outsells GeoTrust by a significant margin. A recent June SSL survey by Securityspace.com says VeriSign SSL brands command a global 47.29 percent market share across all domains as opposed to GeoTrust’s 15.6 percent market share.
GeoTrust is aware of the Securityspace.com findings, but sees a different aspect of the survey as a positive indication for their business.
“Securityspace.com also tracks SSL market share statistics, although they track the VeriSign brands in aggregate,” said Joan Lockhart, vice president of marketing at GeoTrust. “But the trend lines still confirm VeriSign and thawte’s dramatically declining market share and GeoTrust’s aggressive growth.”
GeoTrust also claims that part of its fast growth occurs in the enterprise market where SSL certificates are used behind the corporate firewall and cannot be measured by third-party survey services. VeriSign is also seeing growth in the number of enterprises that are securing themselves with SSL certificates.
The growth of the SSL certificate market, especially across the enterprise, is driven by the ever-increasing importance of security amid an ever-growing list of attacks on the Internet and the need to secure Web services.
“We think that it is still a relatively new market, and that there is much room for growth on the enterprise side. In fact, we think the market is growing at about 40 percent per year,” said GeoTrust’s Lockhart.
“We see SSL being deployed in a wide range of applications, such as securing Web portals and messaging services in Web services, and it will be used in other extended enterprise applications.”
According to a recent Evans Data survey release, 70 percent of Web services developers use SSL as the primary means of securing their applications.
“SSL was originally designed for business-to-consumer transactions on the Internet,” said Joe McKendrick, an analyst with Evans Data, in a statement. “However, SSL is gaining a new role, as 70 percent of respondents expect to use the security mechanism for Web services interactions, as well.”
SSL certificates may play a part in the fight against phishing and spam. The SenderID initiative being spearheaded by Microsoft will act as a caller ID for the domain from which an e-mail originates. An authenticated, SSL-secured domain name may play a critical role in that setup, helping to provide a stronger way to stop the flow of spam.
“As we take steps to mitigate the problems of spam and e-mail-propagated viruses, the need for people to have an authenticated domain name rises exponentially,” said VeriSign’s Lewis. “So I think you’ll see a spike in the SSL market, as well. If this truly takes off there’ll be more people looking to authenticate themselves. And that can be through VeriSign or any other reputable certificate provider.”
SSL certificates are, of course, available from vendors other than VeriSign and GeoTrust. Other options include free services from certificate authorities (CAs) such as CAcert, or self-signing a certificate without going through a CA at all. CAs exist to provide a measure of authenticity to an SSL certificate. When a certificate does not come from a browser-recognized CA, an alert box pops up indicating that the certificate is not from a recognized authority. Microsoft recognizes CAs through its Root Certificate program.
Both VeriSign and GeoTrust strongly believe that it’s important to go through a recognized CA rather than going the free or self-signed route.
“These are fine for testing and internal use, but they don’t provide the ubiquity that products like GeoTrust and VeriSign certificates do in the public domain,” said GeoTrust’s Lockhart. “Companies [and enterprises in particular] want a reputable company to stand behind its certificates. And when you consider all of the costs in an e-commerce equation, the price of a certificate is a very small investment.”