David Coulson on 10 Jul 2013 05:01:07 -0700


Re: [PLUG] https Certificates Question

On 7/10/13 7:44 AM, Brad wrote:
The difference between the various price points for SSL certs is determined by the features which are enabled on that cert.
Depends on the application for the certificate. Commercial CAs typically offer some level of warranty in the event data is compromised due to a vulnerability in their CA (no idea if anyone has successfully made a claim however). There is also often an argument by the marketing people that a 'trusted by blahblah' logo, where blahblah is a universally known vendor, increases conversion rates on retail sites. Same argument goes for EV-SSL certs that change the URL bar to green.

For example, a basic SSL web server cert (usually cheap or free), is different than the cert used to sign software or perform other types of signing/encryption features (this is the $250+ price point). For a web server, you just need the basic cert though you can get certs with higher levels of encryption for more money if you are more security conscious.
The 'level of encryption' usually has little to do with who signs the cert - It's based on the key length you start out with (min 2048 bits now), and the cipher negotiated with the client. A free startssl cert and a $2k/yr EV-SSL cert from Verisign offer the same level of encryption (assuming no variation in server or client platforms). The signer of the cert is really all about how much everyone 'trusts' each other.

Also unclear to me if certain vendors/CAs are considered 'not good enough' by PCI scan tools. Never experienced that though.
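The point David makes above, that key length and the server's cipher configuration are chosen by the operator and are independent of who signs the certificate, can be seen directly with the openssl CLI. The script below is an added example, not part of the original thread; it assumes the openssl command is installed, and the certificate names and subject strings it generates are constructed for the demonstration. It creates throwaway self-signed certificates at two key sizes, reads back the key size and issuer from each, and lists the cipher suites a server configured with a given cipher string would offer to clients.

```shell
#!/bin/sh
# Added example (not from the original mailing-list post). Assumes the
# openssl CLI is available. All certificate names below are constructed.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_cert BITS NAME -> writes a self-signed RSA cert and key into $WORK.
# The key size is fixed here, at generation time, before any CA is involved.
make_cert() {
    bits="$1"; name="$2"
    openssl req -x509 -newkey "rsa:$bits" -nodes -days 1 \
        -subj "/CN=$name.test" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.pem" >/dev/null 2>&1
}

# cert_key_bits BITS -> prints the RSA modulus size recorded in the cert.
cert_key_bits() {
    make_cert "$1" "k$1"
    openssl x509 -in "$WORK/k$1.pem" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# cert_issuer BITS -> prints the issuer DN. For a self-signed cert this is
# the subject itself; a CA-signed cert would differ only in this field,
# not in the key size reported by cert_key_bits.
cert_issuer() {
    make_cert "$1" "i$1"
    openssl x509 -in "$WORK/i$1.pem" -noout -issuer
}

# server_ciphers CIPHERSTRING -> lists the suites a server configured with
# that string would offer. The client negotiates from this list at handshake
# time; the certificate's signer plays no part in the choice.
server_ciphers() {
    openssl ciphers -v "$1" | awk '{print $1}'
}

main() {
    for bits in 2048 4096; do
        echo "rsa:$bits -> cert reports $(cert_key_bits "$bits") bits; $(cert_issuer "$bits")"
    done
    echo "Suites offered by a server configured with ECDHE+AESGCM:"
    server_ciphers 'ECDHE+AESGCM'
}

main
```

Swapping the self-signed issuer for a commercial CA changes only the issuer line; the key size and the offered cipher suites are set by whoever generates the key and configures the server.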

Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug