Re: [PLUG] https Certificates Question

[David Coulson <david@davidcoulson.net>]

On 7/10/13 7:44 AM, Brad wrote:
> The difference between the various price points for SSL certs is 
> determined by the features which are enabled on that cert.
Depends on the application for the certificate. Commercial CAs typically 
offer some level of warrenty in the event data is compromised due to a 
vulnerability in their CA (no idea if anyone has successfully made a 
claim however). There is also often an argument by the marketing people 
that a 'trusted by blahblah' logo, where blahblah is a universally known 
vendor, increases conversion rates on retail sites. Same argument goes 
for EV-SSL certs that change the URL bar to green.


> For example, a basic SSL web server cert (usually cheap or free), is 
> different than the cert used to sign software or perform other types 
> of signing/encryption features (this is the $250+ price point). For a 
> web server, you just need the basic cert though you can get certs with 
> higher levels of encryption for more money if you are more security 
> conscious.
The 'level of encryption' usually has little to do with who signs the 
cert - It's based on the key length you start out with (min 2048bits 
now), and the cipher negotiated with the client. A free startssl cert 
and a $2k/yr EV-SSL cert from Verisign offer the same level of 
encryption (assuming no variation in server or client platforms). The 
signer of the cert is really all about how much everyone 'trusts' each 
other.

Also unclear to me if certain vendors/CAs are considered 'not good 
enough' by PCI scan tools. Never experienced that though.


___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug