Things were so much easier back in 1998 when we first started developing eCommerce sites. Back then, in North America, the only name for SSL Certificates was Verisign (www.verisign.com). Certificates were $500 per year, took about 2 weeks to get, and required almost as much proof of identity as a passport application.
In the intervening years the market has changed dramatically and you can order and receive an SSL certificate for your site in 15 minutes. The least expensive provider we have found is $20, yet there are still many companies selling SSL certificates for $1000+.
Here is a layman's version of what it is all about. Some details might be a bit sketchy, but the gist of it is accurate.
What is SSL?
SSL stands for Secure Sockets Layer. It is an encryption protocol that protects data transmitted between your web browser and the web server. It is used to protect data from prying eyes and is the foundation of eCommerce. SSL encryption is available in many different strengths from 40 bit through 256 bit and more than likely 512 and 1024 but I have never actually looked. The higher the number, the better the encryption. 40 bit encryption was pretty obsolete even before the days of eCommerce because modern computers can beat it too easily. 128 bit encryption has been the standard for the past 10 years.
What is an SSL Certificate?
An SSL Certificate is installed on the web server and is used not only to provide the encryption but also to authenticate the server so that the web surfer knows who they are dealing with.
Why the price difference?
SSL certificates rely on public key cryptography for their encryption. Web browsers include one part of this pair in what is called a root certificate. In the earlier days Verisign had a lock on this root certificate. Eventually, more certification authorities have gotten their root certificates shipped with the browsers or use the same public keys as the established players. Undoubtedly large sacks of cash change hands to set this up.
Now that the stranglehold on the root certificates has been broken, everyone and their sister can sell SSL certificates but not all are the same.
What should I look for?
Being part of the industry, I look for a name brand certificate that includes some form of certification of ownership and this is what we recommend to our customers. These certificates are more expensive than certificates that just authenticate the domain name. With the current market, I can register a domain name and get an SSL certificate that certifies the domain name from some vendors for under $30 and have a site up to scam unsuspecting shoppers in a day or less. The more expensive certificates confirm the identity of the owner. The confirmation includes checking incorporation and business license details. This gives a much better guarantee that the company I am dealing with is legitimate.
When I talk to average web users, most of them just look for the little lock icon in their web browser and are happy with that. Very few have ever clicked on the site identity seals provided by the SSL vendors. It is unfortunate that the industry has not gone farther to educate the public about this difference. The presence of a site seal increases conversion rates by up to 9% but anyone can create a pretty seal that looks official and place it in their checkout. How many shoppers actually click the seals to verify the identity and encryption level? I wish I had that answer.
What does the future hold?
A few years ago the vendors introduced extended validation (EV) certificates. These turn the address bar green in IE7 and this capability has now been added to most of the current browsers. It remains to be seen if this will have more of an impact building trust than the site seal and identity authentication but I have to think that the larger vendors will do their best to protect this space and avoid commoditization. Certificates with EV are about 3 times as expensive as the identity validated certificates we recommend and 35 times as expensive as some of the quick no name certificates merchants can get.
What do we do?
We recommend that our CommerceCM (www.commercecm.com) customers spend the extra money and jump through the hoops to get identity authentication. In the end, it means an additional few hundred dollars per year and maybe 15 minutes of time to gather up the details and send them in. What is that? The profit from 4 web orders? Not much in the grand scheme of things.
Informed shoppers will continue to look at the details and with the constant phishing and other identity theft attempts, anything a merchant can do to establish their credibility will increase their chances of success. EV certificates are on our radar though and we will be recommending these to our more established and higher volume merchants as more of the market gets browsers that support the extra features.
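As an added illustration (not part of the original post), the difference between domain-only, identity-validated and EV certificates shows up in the certificate's subject, which is what the browser displays when a shopper looks at the details. The Python code below classifies certificates in the format returned by `ssl.SSLSocket.getpeercert()`; the sample certificates, the `shop.example` name and the field-based rule are assumptions made for this example, and the rule is a heuristic rather than a vendor's official check.

```python
import socket
import ssl

# Subject attributes that only appear when the CA vetted the owner.
# Names follow the dict returned by ssl.SSLSocket.getpeercert().
ORG_FIELD = "organizationName"
EV_FIELDS = {"businessCategory", "jurisdictionCountryName",
             "1.3.6.1.4.1.311.60.2.1.3"}  # same attribute shown as a raw OID

def subject_fields(cert):
    """Flatten getpeercert()'s nested subject tuples into a dict."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}

def validation_level(cert):
    """Heuristic: classify by which identity fields the subject carries."""
    fields = subject_fields(cert)
    if ORG_FIELD not in fields:
        return "domain"          # only control of the domain name was checked
    if fields.keys() & EV_FIELDS:
        return "extended"        # EV: legal entity details are recorded
    return "organization"        # owner identity was checked

def fetch_cert(host, port=443, timeout=5):
    """Fetch and verify a live site's certificate (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def describe(cert):
    """One-line summary: host name, validation level, named owner."""
    fields = subject_fields(cert)
    owner = fields.get(ORG_FIELD, "(no owner named)")
    return f"{fields.get('commonName')}: {validation_level(cert)}, owner={owner}"

# Constructed sample certificates in getpeercert() format (not real sites).
DV_CERT = {"subject": ((("commonName", "shop.example"),),)}
OV_CERT = {"subject": ((("countryName", "CA"),),
                       (("organizationName", "Example Widgets Inc."),),
                       (("commonName", "shop.example"),))}
EV_CERT = {"subject": ((("businessCategory", "Private Organization"),),
                       (("jurisdictionCountryName", "CA"),),
                       (("serialNumber", "0000000"),),
                       (("organizationName", "Example Widgets Inc."),),
                       (("commonName", "shop.example"),))}

if __name__ == "__main__":
    for sample in (DV_CERT, OV_CERT, EV_CERT):
        print(describe(sample))
```

To check a live site instead of the samples, pass the result of `fetch_cert("your-host-name")` to `describe`.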