Comments on: SSL Certificates: How To Select The Right SSL Certificate For Your Online Store

By: Jamie Gruener

Jamie Gruener — Thu, 11 Feb 2010 14:59:31 +0000

Bob’s is right in the sense that all 128-bit (or 256-bit, or whatever) SSL certificates accomplish the same task: they allow an SSL connection to be established at a certain level of encryption.

Otherwise, it’s just a question of trust. As a comsumer, do I trust Random Store’s SSL cert if it comes from GoDaddy more or less than I would trust Random Store’s SSL cert if it comes from Verisign?

And only if it were that simple. Each SSL provider offers levels of authentication. The EV option (gets you that snazzy green address bar) costs a bundle, but the SSL providers claim that confirm that the SSL certificate holder is, in fact, who they say the are.

Finally, no matter what SSL cert you have, all you’ve done is, at most, confirm that you are a real entity, with a real identity, and that the SSL cert is connected to it. Nothing more.

Finally, finally, you should care more about what browsers/devices will work with your SSL cert. Will your iPhone recognize it? Will your 3-year-old version of Firefox?

By: Jill Olkoski

Jill Olkoski — Mon, 28 Sep 2009 04:43:41 +0000

Hi Musah,
I honestly don’t know about the other companies. I’m also not a SSL expert – so I can’t answer your other question. Not much help I’m afraid. But I do trust GeoTrust and Verisign because institutions that I trust use them, and that’s what I base my opinion on.

By: Musah

Musah — Mon, 28 Sep 2009 03:02:16 +0000

Hi Jill.
I’m still waiting for some review of other certificate providing companies. Thawte, Globaltrust et all. How do they stack up? And bob raised eye brows. What is the real, real difference between 128 verisign and equivalent from my creation

By: Jill Olkoski

Jill Olkoski — Sun, 12 Jul 2009 17:32:02 +0000

Hi Bob,
I’m assuming your “guys” also includes the “gals” that are posting here on my blog. I’d be curious to get your references (feel free to post links) that verify your claims that all 128 bit SSL certificates are identical. Most SSL providers now only provide 256 bit, Many other folks who have posted have already talked about the value of having a widely recognized seal, and I don’t think that spending an additional $100 or $200 a year to add a seal that might increase sales is a bad idea or a “waste of money”. Many of my clients can make up that cost on a single purchase over the course of a year – if a single person makes a purchase based on the recognized seal, then the “waste of money” argument disappears. Small business owners spend thousands and tens of thousands of dollars in marketing and advertising. Spending a little more to help an online store look more secure is well worth it and what I recommend to clients. Getting the cheapest SSL certificate is not always the best overall business decision.

I’ll also add, that in addition to getting a widely recognized site seal, different SSL companies have very different steps necessary to get the SSL set up and installed. They also have very different levels of customer support. I’ve have excellent results with GeoTrust because of their instant online chat service – can help you with any issues immediately and they will verify the installation is correct when done. This is another reason that I always recommend GeoTrust to my clients.

By: Bob

Bob — Fri, 10 Jul 2009 18:39:38 +0000

Guys, SSL certificates are all using the same technology, so a 128-bit cert is a 128-bit cert, regardless of provider. There is no such thing as a “more secure” 128-bit certificate, other than the initial verification process while you are signing up. In other words, the price difference is mostly a marketing issue and not a security issue.

If your customers recognize Verisign or GeoTrust seals (or the silly and somewhat insignificant “green address bar”) and thereby trust your site more because of it, then that’s a legitimate reason to purchase. But its a marketing reason, that’s all. If customers don’t recognize the site seal or perceived security difference, the extra cash is essentially a waste of money. The only other considerations are chained vs root certs, which affect setup. As far as warranties/insurance, good luck ever proving that SSL was the cause of a security hole, as 128+ bit keys are virtually bulletproof (security breaches are caused by something other than SSL failure). Again, mostly marketing than actual protection. Hope this helps…

By: Jill Olkoski

Jill Olkoski — Mon, 01 Jun 2009 21:24:38 +0000

Hi Demtron,
I agree completely. Recently, DreamHost stopped selling GeoTrust SSL certificates, and when all of my clients come up for renewal, I’ve been advising them to renew with GeoTrust, versus purchasing the DreamHost generic ones. I agree that seeing logos from widely regarded companies such as GeoTrust or Verisign, it does carry with it the perception of safety. I too see Verisign on the various firms I do online business with, and feel good when I recognize the logo. So I do think that using a “well known and trusted” SSL certificate does add some level of implied trust to shoppers – and I’d think that it would be worth the extra cost to a website owner. Completely agree!

By: Demtron

Demtron — Mon, 01 Jun 2009 21:20:48 +0000

I found this site while searching for “which SSL cert is the best”. I have used Comodo for a number of years, but my client is brand-agnostic but wants to be like their competitors who have certs from Verisign and Thawte. I think there’s a lot to be said for name recognition.

For example, all the banks and CC companies I use have Verisign on their sites, which likely builds the perception that it’s better than others because XYZ bank uses it. Name recognition effects consumer behavior, and, of course, every cert vendor has some information on their site that talks about how the display of their cert badge on a site improves sales by some percent or whatever. This adds yet another variable to the mix when evaluating vendors.

By: Jill Olkoski

Jill Olkoski — Thu, 14 May 2009 16:51:59 +0000

Hi Harris,
I’d think so. I guess my opinion would be different if you told me that you were emailing medical records or financial records – the more sensitive the information, the more protection you might need. It’s really hard to figure out how much less secure a particular GoDaddy SSL might be versus a particular GeoTrust SSL. For my ecommerce clients, I usually recommend GeoTrust, because they’re a large company and credit card numbers are super sensitive. But you’d have to think about the worse case scenario in terms of data from your company getting out, and if the consequences are fairly minor, then maybe GoDaddy is fine.

By: Harris

Harris — Thu, 14 May 2009 06:14:52 +0000

I’m now choosing the right SSL provider for my company’s Exchange 2007 Server, purpose only for Webmail and the Pushmail, so I think Godaddy is already good enough, right?