143

While shopping for a basic SSL cert for my blog, I found that many of the more well-known Certificate Authorities have an entry-level certificate (with less stringent validation of the purchaser's identity) for approximately $120 and up. But then I found that Network Solutions offers one of these lower-end certs for $29.99 (12 hours ago it was $12.95) with a 4-year contract.

Is there any technical security reason that I should be aware of that could make me regret buying the lowest-end certificate? They all promise things like 99% browser recognition, etc. I'm not asking this question on SE for comparison of things like the CA's quality of support (or lack thereof) or anything like that. I want to know if there is any cryptographic or PKI reason so avoid a cert which costs so little. It, like others, says that it offers "up to 256 bit encryption".

Flimzy
  • 677
  • 1
  • 6
  • 14
Luke Sheppard
  • 2,237
  • 3
  • 15
  • 21
  • 6
    Relevant - http://security.stackexchange.com/questions/13453/are-all-ssl-certificates-equal – Kyle Rosendo Aug 14 '12 at 21:28
  • 20
    "_it offers "up to 256 bit encryption_" no the CA or cert does not! **Your TLS server does.** – curiousguy Aug 15 '12 at 01:04
  • 10
    If you still decide to go for the 'cheapest', do remember that you can get them for free (http://startssl.com being one such provider) – Andy Smith Aug 15 '12 at 13:13
  • 6
    Talking about 256 bit encryption in the context of certificates is nonsense. That part of SSL is completely independent of certificates. – CodesInChaos Oct 25 '12 at 21:35
  • 1
    Because Godaddy is a douchenozzle? There are plenty of other cheaper options, rapidssl, geotrust, etc. – nowen Oct 25 '12 at 21:16
  • 5
    Note that as of today, you can just get a good and trusted SSL/TLS certificate for free from a project backed by Mozilla and EFF. Take a look at https://letsencrypt.org – d33tah Jun 08 '16 at 19:19
  • update: in late 2016 StartCom aka **StartSSL** was bought by **WoSign** who were caught issuing and backdating certs in violation of CABforum rules, and are **now widely distrusted**; see https://security.stackexchange.com/questions/18919/are-there-technical-disadvantages-in-using-free-ssl-certificates (and https://security.stackexchange.com/questions/91292/how-do-i-report-a-security-vulnerability-about-a-trusted-certificate-authority !) – dave_thompson_085 Aug 02 '17 at 02:35
  • Duly noted. Thank you for the update on StartSSL. As it happens, I'm using a different CA now, but not for that particular reason. – Luke Sheppard Aug 03 '17 at 04:52

14 Answers14

92

For the purposes of this discussion there are only a couple differences between web signing certificates:

  1. Extended vs standard validation (green bar).
  2. Number of bits in a certificate request (1024/2048/4096).
  3. Certificate chain.

It is easier to set up certificates with a shorter trust chain but there are inexpensive certs out there with a direct or only one level deep chain. You can also get the larger 2048 and 4096 bit certs inexpensively.

As long as you don't need the extended validation there is really no reason to go with the more expensive certificates.

There is one specific benefit that going with a larger vendor provides - the more mainline the vendor, the less likely they are to have their trust revoked in the event of a breach.
For example, DigiNotar is a smaller vendor that was unfortunate enough to have their trust revoked in September 2011.

mskfisher
  • 149
  • 4
Tim Brigham
  • 3,762
  • 3
  • 29
  • 35
  • 29
    "_The more mainline the vendor the less likely they are to have their trust revoked in the event of a breach._" correct, but "too big to fail" principle stinks! :( – curiousguy Aug 15 '12 at 01:06
  • 38
    @MrGlass It is not so much trust in the CA as **trust that the very big CA will not be punished, ever, for doing evil things** because that would punish its clients too. It's true and it stinks. – curiousguy Aug 15 '12 at 01:08
  • @Tim, Are there even CAs that sell 4096 bit certs? – Pacerier Apr 12 '16 at 15:30
  • 6
    @Pacerier If your CSR (certificate signing request) has a 4096-bit key, most CAs would accept it the same way as a CSR with only 2048 bits. By the way, Let's Encrypt (https://letsencrypt.org/) is a free, non-profit CA that issues standard domain validation certificates. – tonytan Jun 08 '16 at 19:33
29

Good stuff in other answers, let me add some remarks about proper CA behaviour.

If the CA has an history

  • of lack of security policy enforcement,
  • of violation of "browser approved CA" agreement,
  • of signing of non DNS names using their official root certificate (like IP addresses, or non existent DNS names f.ex. bosscomputer.private),
  • of lack of transparency about its behaviour and its resellers,

and the end user (like me) inspects your certificate, and knows about this, that might reflect badly on you. Especially any CA that is a subdivision of a company also in the business of connexion interception.

When I see USERtrust or COMODO or Verisign in a certificate chain, I am not positively impressed.

curiousguy
  • 5,038
  • 3
  • 25
  • 27
  • 6
    Can you suggest any ways that a potential customer can identify which CA's have a history of the sort of improper behavior that you mention? (Google for mentions in the press?) – D.W. Aug 15 '12 at 16:32
  • 33
    What did Comodo and Verisign do wrong? – Joe Z. Apr 13 '14 at 01:08
  • 8
    Yeah… Please, elaborate on that last phrase "When I see USERtrust or COMODO or Verisign in a certificate chain, I am not positively impressed.". Turns out, one of my friends have seen a certificate issued by COMODO when checking the identity of his bank's website in his browser, and now I start wondering if it is suspicious… – Display Name Jun 21 '15 at 16:16
  • 2
    Maybe he's not impressed with the incidents with [Comodo](https://en.wikipedia.org/wiki/Comodo_Group#Controversies) and [Versign](https://en.wikipedia.org/wiki/Verisign#Controversies)? The USERtrust certificates were improperly issued by Comodo (as [explained here](http://askubuntu.com/questions/497923/fake-usertrust-com-certificates-in-chrome)) – SameOldNick Jan 18 '16 at 18:30
  • @curiousguy, **Which CA would you** have chosen? GeoTrust, the one google uses? – Pacerier Apr 13 '16 at 16:20
18

From a technical standpoint, the only thing that matters is browser recognition. And all of the trusted authorities have very nearly 100% coverage.

I could say more, but to avoid duplicating effort here's a nearly-identical question with a lot of well-reasoned responses: Are all SSL Certificates equal?

tylerl
  • 82,665
  • 26
  • 149
  • 230
13

In light of the latest NSA revelations, I'd say the entire concept of commercial Root CAs is fundamentally flawed and you should just buy from the cheapest CA whose root certificate is installed in browser and operating system trust chains.

In practice, we need multiply-rooted certificate trust chains instead of the current singly-rooted trust chains. That way, instead of ignoring the real power of governments to "coerce" commerical providers - you'd simply get your certificate signed by multiple (preferably antagonistic) governments. For example, have your Bronies vs Juggalos cage match website signed by USA, Russia, China, Iceland and Brazil. Which might cost more but would really reduce the likelihood of collusion.

LateralFractal
  • 5,173
  • 18
  • 41
  • Why not use a DLT like bitcoin blockchain to have certificate signed as part of a transaction? – Jon Grah Jan 06 '18 at 02:55
  • @JonGrah That might work. But the problem isn't how the certificate is electronically secured but rather that we are accepting a single in-real-life source of trust instead of several sources of trust with sovereign-immunity unlikely to collude or be coerced. – LateralFractal Jan 15 '18 at 06:30
10

For a domain validation certificate, the only thing that matters is whether browsers accept the certificate as trusted. So, take the cheapest cert that is trusted by all browsers (or all browsers you care about). There is no significant cryptographic reason to prefer one supplier over another.

(You will of course have to pay more for an extended validation certificate, but that's an entirely different class of certificate. I think you already know that.)

D.W.
  • 98,860
  • 33
  • 271
  • 588
  • 1
    "_the cheapest cert that is trusted by all browsers_" and does not have bad things associated with its provider name? – curiousguy Aug 15 '12 at 01:04
10

No matter which CA you go with, your users' assurance that they're actually communicating with your site and not an attacker is only as good as the worst CA their browser trusts - an attacker who wants to forge a certificate can shop for a CA with bad practices. So I don't see any plausible argument that your choice of CA impacts your site's security, unless you choose a CA that generates private keys for you rather than signing a key you provide, or that disallows large key sizes.

Other than that, as others have said, it's probably a good idea to avoid CA's whose mix of bad practices and small size makes it plausible that their trust might be revoked by one or more browsers, since this would impact the accessibility (and public perception) of your site.

  • 1
    This is an excellent answer, made all the more excellent by your inclusion of the users' perception. Perception is an ever present, if unwelcome, aspect of the security posture of any information system. – Luke Sheppard Sep 17 '14 at 19:34
  • @R. This answer is misleading and wrong because the user himself **could have** checked your certificate chain from the browser UI if he wants to. So if buy get a better chain, your user would know that and hence allocate more "trust" to it. (Assuming they [know how to](http://security.stackexchange.com/questions/18666/is-there-any-technical-security-reason-not-to-buy-the-cheapest-ssl-certificate-y#comment219196_23186) of course...) – Pacerier Apr 12 '16 at 15:41
  • 1
    @Pacerier: That's a big assumption you're making. And from the perspective of the site (not an individual user) it's rather irrelevant. It doesn't matter to the *site's* security that a few ultra-technically-inclined users can evaluate the chain of trust themselves, just that bad-CA-shopping works for an attacker who wants to trick some/most of your users. – R.. GitHub STOP HELPING ICE Apr 12 '16 at 18:54
9

You will soon be able to You can get certificates for the low cost of zero € with Let's Encrypt.

They are technically as good as any other (non-extended validation, basically without the green bar on your browsers), the main point being the capacity of browsers to recognize it as trusted (they will are).

The only drawback is that there is a call-back from Lets' Encrypt to your site or DNS, which makes the certificate generation painful (if not impossible) for internal (non-Internet) sites.

WoJ
  • 8,968
  • 3
  • 33
  • 51
  • 1
    They are: https://letsencrypt.org/2015/10/19/lets-encrypt-is-trusted.html – Deer Hunter Oct 20 '15 at 10:08
  • @DeerHunter: correct, I read that queuing up for lunch a moment ago. Answer updated, thanks. – WoJ Oct 20 '15 at 10:27
  • As I understand it right now to get a trusted cert from letsencrypt you need to get your domain whitelisted in their beta program (which is somewhat oversubscribed). – Peter Green Nov 14 '15 at 15:17
  • @PeterGreen: they are currently in a private beta (the provided certs work great), the [public beta starts on 3 Dec 2015](https://letsencrypt.org/2015/11/12/public-beta-timing.html). – WoJ Nov 14 '15 at 15:20
  • @WoJ, Btw any disclaimers? Are you a staff or "interested party"? – Pacerier Apr 13 '16 at 15:50
  • @Pacerier huh? staff like in "let's encrypt staff"? No. "Interested party"? **of course** I am an interested party. Interested in this FREE service and supporting with all my security guy heart such a useful FREE way for everyone to enhance their security (not because it is certificate but because this forces people to think about what they are doing and what protects them from which risk). – WoJ Apr 13 '16 at 17:29
8

In general the two things which you probably can pass on are the EV (since that is just the green bar gimmick) and also SGC does not really provide any real benefit today (since it only applies to browsers from the days of IE5 and before)

This site provides a good overview of why to avoid SGC: http://www.sslshopper.com/article-say-no-to-sgc-ssl-certificates.html

theonlylos
  • 223
  • 1
  • 6
6

Ignoring the technical aspects of certificate encryption, the issue to consider is trust and reputation. If you are only concerned about encryption of the traffic, then you can use a simple self signed certificate. On the other hand, if what you want to achieve is to provide a level of trust that you or your site really is who/what it claims to be, then you need a certificate from a certificate authority which people trust.

The CA achieves this level of trust through vetting of the people they sell certificates to. Many of the cheaper certificate providers achieve their lower prices by reducing their operational overheads and this is often done by having less rigorous vetting processes.

The question should not be "Who is the cheapest certificate provider", but rather "Which certificate provider has the necessary reputation and level of trust which users or potential users of my service will accept".

P.S. Unfortunately, to some extent, the whole model is broken anyway. Few users even check to see who the CA is that issued the certificate and have little knowledge or understanding of the chain of authority involved.

Lie Ryan
  • 31,279
  • 6
  • 69
  • 93
Tim X
  • 3,252
  • 14
  • 13
  • 7
    I'd go as far as to say almost no users will ever check the issuer and even if they did wouldn't have a clue who was good/bad/indifferent.. – Rory McCune Oct 25 '12 at 22:13
  • Self-signed certificates for one's own personal web site are a PAIN. Some OSes (certain versions of Android, for instance) I have been unable to install a certificate, even having to do this for every device I use regularly wastes a lot of time, and have to click past a warning on 20 different tabs when chrome restart is a pain too. – Michael Apr 09 '14 at 22:27
  • 1
    @RоryMcCune, I'd go as far as to say almost no users would **know** how to check the issuer. – Pacerier Apr 12 '16 at 15:36
  • 1
    @Pacerier: I would go even one step further: that most users do not even know **that they can** check a certificate. – WoJ Apr 13 '16 at 18:54
3

From a pragmatic standpoint for a site with standard-type users, the only criteria that matters for an SSL certificate is "is it supported by the browsers that my users will use to access the site". As long as it is, you're fine with it being as cheap as possible.

A while back a potential differentiator was whether the certificate was EV SSL or not but to be honest I've not seen great user awareness of that, so unlikely to be worth the money.

Rory McCune
  • 61,541
  • 14
  • 140
  • 221
3

SSL certificate is used for two purposes.

  • One is securing online transactions and private information which is transmitted between a web browser and a web server.
  • Second is Trust, SSL is used for increase customer confidence. SSL proves secure session of your website, it means your customer trust on your website.

Each certificate has own validation process and following this process certificate authority validates your business reliability and send a certificate for your website.

A basic cheap SSL certificate only validates your domain authority and authenticated using the approver email verification system. Approver can easily get this certificate in just minutes with a generic email address.

OV and EV SSL certificates plugged with customer’s trust and through its strict authentication process, it gives the highest level of trust. EV SSL validates manifold components of identifying your domain and business information. It follows manual verification process and during this process system fails to verify or system defendants your business for potential false action then your order may be lined up for manual review.

The main difference in trust factor and brand reputation, while your customers see the green address bar in your browser then they feel more secure and encourage to make transactions. Otherwise, some differences between other features like encryption, browser compatibility, key length, mobile supports, etc.

Otherwise, certificates warranty explains differences. Certificate authorities provide extended warranty ($1K to $1.75M) against mis-issuance of an SSL certificate which explains the worth of your investment for website security.

While we focus on the price of a certificate, it doesn't matter where to buy your certificate – certificate authority or an authorized reseller. Authorized reseller offers same SSL products, same security features, better support at reasonably priced.

Jason Parm is affiliated with SSL2BUY (Global SSL Reseller)

  • 2
    Thank you for your answer, and welcome to Security.SE! Since you are employed at an authorized SSL reseller, and your answer mentions using resellers favorably, can I encourage you to include your affiliation in your answer, to be on the safe side? I know you're not promoting any specific product, so this is a gray area, but this is something your employer has a financial interest in, it feels better to disclose the potential bias just to be safe. (See also http://security.stackexchange.com/help/behavior for the official policy, or http://meta.stackexchange.com/a/145588/160917.) – D.W. Jun 24 '14 at 00:54
  • 1
    When push comes to shove I wonder if it's even possible to [**actually collect** the $1.5 million USD warranty](http://webmasters.stackexchange.com/questions/372/are-the-different-types-of-ssl-certificates-a-bit-of-a-scam/547#comment114497_547). How would this "warranty" work if 300k customers all start claiming for it? – Pacerier Apr 12 '16 at 16:15
2

It's a bit late but for other like me searching the web to find what SSL Certificate to buy and here is the outcome of my research:

On the technical side the expensive SSL Certificates offer dynamic seal which means a dynamic image displayed on a website that shows the current time and date of when the web page was loaded which indicates that the seal is valid for the domain it is installed on and is current and not expired. When the image is clicked, it will display information from the Certificate Authority about the website's profile which validates the web site's legitimacy. This will give visitors of the website increased confidence in the site's security.

A Static Seal is simply an static graphic image that can be placed on the website to indicate where the digital certificate was obtained from, however there is no click-through validation of the website and the image does not show the current time and date.

Also if you are buying more expensive SSL you will get more money in fraud warranty for your visitors, but only in case if the Authority issued a certificate to a fraudster and a visitor lost their money believing the website is legit. If you are not a fraudster there is no reason you should go for expensive certificate unless you want to show green address bar and increase the confidence in your visitors.

Technically there is no other difference

There is 3 main types of SSL Certificates

Single Domain

  • Secures both www and non-www versions of your domain
  • Examples: RapidSSL, Comodo Esential etc.

Wildcard

  • Secures all subdomains for a single domain including www and non-www versions
  • Examples Comodo Wildcard SSL, RapidSSL Wildcard etc.

Multi Domain

  • Most of Certificate Authorities give 3-5 domains with their basic price plan
  • You need to pay per additional domain. Typically arround $15-$20/year per domain
  • Examples Comodo Positive Multi Domain SSL

Also 3 types of domain verification

In order to get your SSL Certificate issued the Certificate Authority has to verify that you are who you said you are when requested the certificate with them. The following are 3 of the verification processes you have to go through when getting an SSL

1. Domain Validation

You have to validate your domain. Typically this happens through URL link sent to one of the emails on your domain or with file upload to your server. By far this is the quickest, simplest and cheapest SSL. The warranty against fraud with this type of validation is up to $10,000.

2. Organisation Validation

You have to provide supporting documentation about your organisation in order to get one of this certificates. This process is a bit slower and can take up to couple of days. This type of SSL security is required for large e-commerce websites or organisations that store sensitive user data. Typically this certificates offer dynamic site seal and offer higher warranty of up to $1,500,000 depending on the issuer.

3. Extended Validation

This are most trusted Certificates and will turn the address bar in your browser in green containing the name of your organisation. By far the slowest validation process of up to a week, depending on the external body verifying your details. You will have to provide the SSL Authority supporting documents like company incorporation etc. and they will pass this onto third party to verify it's validity. Once this process is successfully complete you will have the highest trust and warranty of up to $2,000,000 depending on the issuer.

What certificate to buy

This is all up to you. There is plenty of Certificate Authorities offering a lot for each need. For me the leading point is do not spend unless you have to. Basic SSL Certificate will do pretty much the same as the most expensive SSL on the market.

Here is some usefull links

Certificate Authorities

Some of the cheapest resellers

Pancho
  • 129
  • 3
  • 2
    I'm not sure this answers the question. – schroeder Oct 19 '15 at 23:39
  • Can you edit this question so that it more directly addresses the question? – schroeder Oct 20 '15 at 00:52
  • @Pancho, How does this so-called "warranty" work anyway? This doesn't make sense. See http://security.stackexchange.com/questions/18666/is-there-any-technical-security-reason-not-to-buy-the-cheapest-ssl-certificate-y/61691#comment219206_61691 . 1.5 million per user multiplied by 850k users would already cost you **12 trillion dollars**. – Pacerier Apr 12 '16 at 16:17
  • @Pacerier the warranty is in case a customer/visitor of your website is affected by misissued SSL certificate, and it's paid to the visitor not to you. It is hard to explain, but in simple words if you get a certificate for your website and the domain name is close to bank website or such and you start using it for fishing, stealing user accounts and passwords, stealing money etc. The CA will pay up to the amount that this certificate is covered by its warranty for each affected party. CA should not issue a certificate to domains that could be misleading visitors etc. if they do they'll pay. – Pancho Apr 13 '16 at 09:17
2

DV should be enough for most browsers

The article "Understanding risks and avoiding FUD" on Unmitigated Risk mentions three assurance levels of certificates signed by a certificate authority. To these three I will add two lower assurance levels possible without a CA-signed certificate. This makes a total of five tiers of HTTP security to consider:

  1. No TLS (http:)
  2. TLS with a certificate that is self-signed or from an otherwise unknown issuer
  3. TLS with domain-validated (DV) certificate from a known issuer (organization not part of certificate)
  4. TLS with organization-validated (OV) certificate from a known issuer (organization name in certificate)
  5. TLS with Extended Validation certificate from a known EV issuer (organization name and address in certificate)

Certificates that you buy from a commercial CA will be 3, 4, or 5. Most web browsers allow all but 2 with no interstitial warning, even though 2 is better than 1 in resistance to passive attacks. The commonly expressed rationale is that an https: URI with an unknown CA gives a false sense of security, particularly against a man in the middle, while an http: URI gives a true sense of insecurity.

But DV may scare Comodo Dragon users

But a minority of users use a web browser that warns on 3 as well. When a user of Comodo Dragon visits an HTTPS site that uses a DV certificate, it displays a different lock icon with a warning triangle, which resembles the "mixed passive content" icon. It also displays an interstitial warning screen before viewing the site. This warning resembles what browsers display for a self-signed certificate, and its text begins as follows:

It may not be safe to exchange information with this site

The security (or SSL) certificate for this website indicates that the organization operating it may not have undergone trusted third-party validation that it is a legitimate business.

This is intended to stop attackers who register a domain bankofamerrica.example for "Banko Famer Rica", put up colorably legit content about Costa Rica, obtain a DV certificate for that domain, and then change it to a site that impersonates Bank of America. It's also intended to stop an attacker who compromises a domain, adds a subdomain that he controls, and obtains a DV certificate for that subdomain. One such case happened in December 2015 once the no-charge DV CA Let's Encrypt went live. But it's been seen to display this message even for Facebook.

To not scare users of Dragon, you need to avoid DV certificates. But you don't need to buy an EV certificate. Just make a list of CAs willing to sell your organization an OV certificate whose root certificate is in all major browsers. Then there's no technical security reason not to buy the cheapest one.

If you're operating your blog as an individual, you may not qualify for an OV certificate from any CA. In this case, you just have to live with the warning in Dragon, and you can just go with a cheap DV certificate like the one StartSSL, WoSign, or Let's Encrypt offers.

Damian Yerrick
  • 562
  • 3
  • 15
  • I'm sure this is all technically true, but talking about your self-invented 5 tiers of security does not answer the question. And disclosure would be used when you are a certificate reseller, not when you (like most of the people here I think) got a website with a (hopefully signed) certificate. – Luc Dec 02 '14 at 18:18
  • @Luc The tiers are just background info to provide a means to compare five possible situations, three of which result from buying a certificate. I've fixed the answer to lead with the tl;dr version. – Damian Yerrick Dec 03 '14 at 01:09
  • I don't like this answer because it implies something called "Comodo Dragon" is relevant to the certificate buying process. If I code up a browser this weekend and warn on all but 5, that does not mean it matters for OP since no one will be using my browser just like no one uses Comodo's browser. I won't down-vote because I believe you answered in good faith and there is some value in this answer. –  Mar 11 '15 at 09:36
  • @TomDworzanski I took recent news as an opportunity to add a clarification about Dragon's (lack of) market share. – Damian Yerrick Jan 07 '16 at 15:58
  • @DamianYerrick, How many users does Comodo Dragon have anyway? – Pacerier Apr 12 '16 at 15:56
  • I have never heard of Comodo Dragon, but by reading their description *"Comodo Dragon is a Chromium technology-based Browser that offers you all of Chrome's features PLUS the unparalleled level of security and privacy you only get from Comodo."* I know that I will never use that. Whatever claims to have unparalleled-whatever security is usually crying for attention. – WoJ Apr 13 '16 at 19:01
0

I would like to add that while the technology is the same with 256 bit encryption, you are also paying for the following factors:

Level of validation - this is the amount of checks that the issuer will do to verify your company or website

Number of domains - how many domains this certificate will be valid for

Trust level - as members mentioned above, you can pay for different types of validation with are "trusted" more by users, thus the difference in pricing