SSL Certificates – More Expensive Doesn’t Mean A Thing!

Now normally in life, going for the cheap option doesn’t always work out well in the medium to long term – or if you’re really unlucky in the short term.

Although not free, we can definitely confirm that sometimes the best things in life are cheaper (OK, that’s not quite as catchy granted!).

SSL or Secure Socket Layer certificates are understandably (and rightly so) becoming more popular.  For companies of all sizes with an online presence they are pretty much a given these days.  And for most personal sites as well – even if its “just” protecting a members area, forum or blog.

SSL certificates can range from in the tens of pounds a year to the thousands of pounds a year

The Big SSL Myth

There’s a myth going round about SSL certificates, and its been going around for a while now.  So I only feel its right to dispel it.

“More expensive SSL certificates usually offer 0% extra protection”

Shocked?  Most are.  Apologies if you’ve just spat out your cornflakes as you’ve spent loads on one recently.

Most of the time more expensive on an SSL certificate means no extra protection.  The likely difference is the company providing it – i.e. there are well respected companies that have been around for a long time and have gained the trust of users – so they can be seen as more ‘valuable’ when it reality its the same as a genuine new start up that’s offering them much cheaper.

It’s the online equivalent of saying this site is protected by ‘Well Repsected and Established Company Ltd’ rather than ‘New Startup Ltd’.  The fact is, if they both sold you the same security, but for vastly different prices, your security would still be the same – the only difference would be the price you pay.

Having Said That….

Sometimes you do get nice extras thrown in – maybe a financial warranty backing up the certificate in case something goes wrong – however the chances of a claimable situation arising aren’t very likely and the benefit to most people will likely be nil (or not a lot).

However, the core point remains – the strength of the security offered is likely to be the same!

Lets Compare A Typical Offering…

123-Reg are a popular domain name, web hosting and SSL certificate provider (among other things web related).

Lets take a quick look at the SSL certificates they are offering:

Now, as you can see, we’ve got everything ranging from just £9.99 a year to £249.99 a year.  A big difference in price.

For some big businesses maybe the warranty or extra add ones might possibly be useful at some future point in time.  Might.  However, for all personal sites, 99.9% of contractors and the self employed as well as probably a great deal of small to medium sized businesses, the £9.99 a year 123-Reg SSL is probably going to be enough for your needs.

Need a little more convincing?

Lets take it line by line:

Activates Browser Padlock

Important feature – not from a security point of view but from a reassuring the user and giving them the signal that they are connected securely to your website.

Good job its included as standard with all of the SSL certificates.  No expensive SSL certificate is going to provide you with a nice padlock! ;).

Activates Browser Green Bar

Yes, a browser green bar is a nice little touch.  But are you really considering spending £249.99 on an SSL certificate?  If not, then as you can see, there’s no difference between the first three (except £60 a year in price!).

Unless you’re a bank, your users aren’t going to bat an eyelid about it not being there.  Pretty much the only organisations that have these are banks, the government and multi million pound corporations (and even some of them don’t bother with it).

Yes, it can sometimes give an extra warm fuzzy feeling of security to your user – but quite frankly, the vast majority of users don’t actually notice its there.

The extra security, you will probably not be surprised to find out, is not based on the browser bar being green rather than white (if only it was this easy….) but on the extra checks they have to go through to get the certificate – usually including some offline verification checks.

The green bar kind of validates that you are ‘speaking’ to who you think you are speaking to.  However if you don’t know ‘who’ is behind the website that you’re about to enter you personal details on, maybe you shouldn’t be entering them on the site at all (green bar or otherwise)?

In short, for 98% of websites – this isn’t a deal breaker.  Forget the green bar (and the extra setup pain that comes with it)!

Validity Period

This is the number of years you can buy the SSL certificate for in one go – i.e. how long you can choose to buy it before you have to renew it.  When applied to domains for example, the ‘Validity Period’ of a .co.uk domain would be between 1-10 years.

The validity period has absolutely zero impact on the security provided by the SSL certificate.

Discounts are usually given for ordering multiple years in advance – although you can of course buy 1 year and renew yearly if you like – whichever is more convenient.

In this example, the most expensive SSL certificate is actually the most inconvenient!  You can only order that one for up to 2 years in advance (most likely due to the rigorous – and largely irrelvant for most – security hoops that you have to jump through).

The first three are much of a much – all being able to be ordered for between 1 and 5 years.

Multi Year Savings

Savings – we all like savings!  As mentioned above, ordering for multiple years in one go produces a saving.

The most expensive SSL certificate actually puts you at a disadvantage here as it can only be ordered for a maximum of two years in advance, whereas the others can all be ordered for up to 5 years (see above).

Encryption Level

Prepare for the shocker!

Encryption level.  Probably – no wait definitely – the most important feature of your SSL certificate.  How strong is the encryption it provides.

As you can see above, paying more gets you 0% more security!  That’s it, not extra protection for your extra £240 a year!

This is what I mean when I say that paying more for an SSL certificate doesn’t get you more security – it just gets you a bigger brand name to stick on your site.  And if over a decade of web development has taught me anything its this:

99% of customers won’t care if your website is ‘Secured by’ VeriSign or ACME Ltd.

That statement is of course with the caveat that you pick a reputable company – not Card Fraud R Us Ltd etc.

Remember:

Big names just mean big price tags – nothing else.

Secures WWW and non-WWW sites

Standard feature – as evidenced by the fact that its available on all SSL certificates from the cheapest to the most expensive.

Using DPS Computing’s website as an example this means that using any of these certificates we could secure pages starting both www.dpscomputing.com and dpscomputing.com – i.e. with or without the www prefix.

Warranty

This is the biggie difference – without actually meaning a lot in reality.

Warranty – as described by 123-Reg is:

The more expensive GlobalSign certificates come with an insurance policy.  If the certificate is issued or used incorrectly (i.e. they cock up or an act of fraud is commited against you).

I’m not sure on the number of claims that there are on these warranties by the people that have cover from them, but it is likely a very small percentage.

Don’t forget the amount specified isn’t the amount you’d get paid out in the rare situation that the certificate is issued or used incorrectly.  It’s the maximum amount you would be entitled to.

The ‘value’ or a warranty – or lack there of – shouldn’t influence which SSL certificate you pick.  Spend the money on something else – something that will help your website or business more than this is ever likely to – and don’t forget, its not just a one off cost – its a recurring, and for most people, unnecessary cost.

Again there’s one key thing to remember:

The value (or lack of) a warranty has 0% impact on your security

It doesn’t make your site any safer.  And even if you were in a claimable situation (extremely unlikely!), its not just going to be a hand over of the maximum amount in a cheque to you – prepare for a drawn out process, potentially even a legal battle (at which point, is it worth it any way?).

Typical Issuance Speed

Again, on the issue of speed from purchase to being live and available for use on your site, cheaper is better.

Due to the, for many, unnecessary extra security checks you have to wait nearly an entire working work compared to just 10 minutes for the lower paid options.

Vetting

Vetting – here’s some of the extras that you get – kind of.

As the name implies, the increased levels of vetting available with more expensive SSL certificates basically mean that you’ve had more background checks done to ensure your website (and with the more expensive ones, your business) is who it says it is.

It does not, I repeat does not impact on the level of security offered by your SSL certificate.

Con men and fraudsters can successfully complete these checks on occasions just as they can with other systems designed to protect authenticity.

Reputable businesses usually have many ways for their customers to check their history, trading status, previous customer experiences etc through sites like Companies House, TrustPilot etc.

Coupled with the fact that most con and fraud websites are discovered relatively quickly and the people behind them stay in ‘business’ by setting up and closing down in a matter of weeks (or at most months), one of the biggest free security checks that can be done by anybody with an Internet connection is check the age of company.

Now, not all new companies are scammers, obviously.  But most scammers are, or appear to be, new companies, with little trading history and probably not a big online footprint.  This alone, evidently, doesn’t confirm devious intentions but it should raise a healthy level of suspicion – after all, if you were fully confident in their identity in the first place you wouldn’t be investigating who they are ;).

Also, things like checking addresses exist, ringing the office phone number, consulting previous customers can also yield important information.

All in all, despite the extra checks offered with the more expensive SSL certificates, there are probably more cost effective and beneficial ways to do these checks.  Unless you’re a big business, probably not much point in having any more checks than the basic 123-Reg SSL certificate offers.

Simple Set Up With AutoCSR

Again, on this one, it doesn’t matter how expensive you go, you get the same auto set up service which helps you install the SSL certificate on your website.

Easy to set up service if you are hosting elsewhere, even easier to set up service (it’s done for you) if you have 123-Reg hosting.

Secure Unlimited Sub Domains (Wildcard SSL)

Wildcard SSL – again something you are only likely to require if you’re a big business.  Only available as standard in the most expensive certificate.

Wildcard SSL lets not not only secure your main domain.com but also any subdomain.domain.com.

So without wildcard SSL you could have securely via https (using DPS Computing as an example):

  • www.dpscomputing.com/billing/
  • www.dpscomputing.com/customers/
  • www.dpscomputing.com/secure/
  • dpscomputing.com/billing
  • etc…..

What you couldn’t have would be:

  • secure.dpscomputing.com
  • billing.dpscomputing.com
  • customers.dpscomputing.com

With wildcard SSL you can have subdomain.domain.com as well as domain.com/subdomain.

The cheapest ‘optional’ extra wildcard SSL is on the 123-Reg variety – but that still increases the price from £9.99 to £79.99.

Again, if you’re not a big business, its not really likely to be of any use.  In fact would it really matter to a big business if it was domain.com/subdomain rather than subdomain.domain.com?  Possibly – there are some evidence that using subdomains can help with SEO but for individuals and small to medium sized businesses, there are probably many more (cheaper) things that you can do to improve your SEO.

Strong Security In Older Browsers With SGC

Strong security in older browsers – always a good thing as some of us don’t update (for free) our web browsers ;).

However, we can relax as its offered as standard on all the SSL certificates on offer.

Server Licenses

Unlimited things are nice, but largely unnecessary.

Most website run by individuals, small to medium sized companies will be hosted on one server.  Even if there not it will usually involve ‘only’ a main server, a backup server and a mirror server which would cater for a fairly busy website.

Even with 3 servers, the cheapest SSL certificate will still cater fully for your needs.  If you’re using 4+, then maybe consider the next one up (£49.99/year) – which is unlimited.  If you’re getting to the stage of needing 4 servers, you’re likely not to be as bothered about the extra £40/year.  But just remember, there’s no point spending it if you don’t need it.  3 servers or less – plump for the cheapest option.

Browser Support

 

Browser support – important for both the reasons given above regarding web users not always being the best at updating their browsers on a regular basis but also the fact that there are many different browsers being used by a significant proportion of web users now, examples being Internet Explorer, Firefox and Google Chrome, to mention a few.

Again, all the SSL certificates from the cheapest right up to the most expensive cover you in exactly the same way.

Mobile Device Support

With the ever increasing popularity of mobile devices, including smart phones and tablets and also the rise in m-commerce (mobile commerce) we need to consider security not just among desktops and laptops but also on mobile devices.

As you can see from the above, the cheapest SSL certificate covers you across mobile devices.

Use With Intranet

Building an Intranet?  No, then you don’t need it.

Again, even if you are building an Intranet, you’re only going to likely need this kind of security if you’re a big business – individuals and SMEs probably aren’t going to have extensive intranets – and even if you do have (and require security) you can always use some self signed certificates (issued by yourself but still just as secure).

Secured By Site Seal

A deal breaker of course – not!

It doesn’t matter whether it you have a site seal that says secured by MI5 or the Secret Service – its no more or less safe than the Secured By 123-Reg SSL seal!

We’re talking about being security here, not an fancy image ;).

Top Image: jeffanddayna.

All other images: DPS Computing.

You may also like...

4 Responses

  1. tomwilson says:

    Hello, thanks for a useful article. I hope you can answer a question I have related to this. On the page for the 9.99 certicate (https://www.123-reg.co.uk/ssl-certificates/123-ssl-certificates.shtml) they say this:

    “Perfect for small and personal website projects that experience low levels of traffic.”

    Is there are technical reason that this certificate would only be suitable for a site with low levels of traffic? What if it was used with a high-traffic site? What might happen?

  2. DPS says:

    Hello Tom,

    Apologies for the big delay in my reply – just noticed your comment was in the moderation queue and I hadn’t been notified.

    No problem, glad you found the article useful :).

    In short, there is no technical reasons that this certificate would only be suitable for a site with low levels of traffic. This statement can be confidently made on a purely technical basis.

    Now, what they are hinting at with the more expensive, supposed ‘suitable for high traffic / business sites’ is that there are more additional features which may, and I stress, may be beneficial from a purely business stand point rather than a technical stand point.

    For example, the higher priced ( ‘business/high traffic’ ) friendly certificates normally offer a bigger warranty in the case of failure. A real world analogy for this would be the equivalent of buying an extended warranty on a new TV or computer for a yearly fee. A business, especially a larger business may want to pay more for this increased warranty – which is basically an insurance policy. It is important to note however that this insurance doesn’t cover you just because, for example, your site gets hacked. It covers the claims and assurances made by the certificate provider when they issue you the certificate.

    Consequently, for a successful claim in the event of a hack, you not only have to prove that there was actually an incident (i.e. your site was hacked and it wasn’t, for example, technical failure), that the hack was successful based on the failure of the certificate and claims made by the company (i.e. a failure of the insured product), that there was no negligence on the site administrators part (i.e. misuse or incorrect use of the certificate) and most likely that you have suffered some form of tangible loss (i.e. an ‘insurable loss’ ) due to the hack – for example loss of income / profit.

    In my own personal opinion this is more of a ‘feel better’ benefit in the vast majority of cases as opposed to something which is realistically likely to benefit you. The chances of a valid claimable incident are negligible at best to virtually impossible at worst (again, in my opinion) and I see this more of a business reassurance rather than an actual protection. Some people will disagree I’m sure, but definitely makes no difference of the low/high traffic margin.

    Interestingly, I’ve not heard of any incidents where these warranties have been claimed on successfully, although I’d be interested to hear from anyone who has any evidence of these.

    Secondly, the more expensive certificates come with ever increasingly shiny ‘protected by’ or ‘secured by’ badges. Your basically paying for brand, and nothing more in this regard.

    The 123-Reg certificate is just as secure as GlobalSign ones – and any other certificate with the same encryption level.

    GlobalSign is a more established and recognised brand in SSL certificates than 123-Reg so it may make less technical visitors to your website feel more ‘secure’ – however, there is no difference.

    It’s the difference between buying an expensive brands t-shirt and a supermarkets own brand t-shirt – the expensive one has more street cred and looks more cool but in reality, they were probably both made in the same factory and had a different label stuck on them.

    Actual tangible benefits to the more expensive certificates likely benefit businesses only. More checks are done on the more expensive certificates than on the cheaper ones – more domain, ownership, business checks etc which it could be argued increase buyer / visitor confidence that they have more assurance they know who they are dealing with.

    In reality a determined scammer could probably get hold of one of these as well – and would likely go to the difficulty of it – but that’s another debate.

    However, this authenticity benefit is probably not noticed much outside of the highly technical community. When was the last time you checked, asked or were told the type of SSL certificate a site uses? Probably not often, and you’d probably only notice the difference between certificates without extended validation and those with (i.e. the most expensive ones). Again, could be a benefit for business and increase visitor trust – for the relatively small number of people that would notice the difference between extended validation and no extended validation. Definitely no difference between high and low traffic sites though.

    Finally, the more expensive certificates will allow multiple / wildcard domains on a varying basis. So the basic will cover domain.com, the more expensive might cover subdomain.domain.com and domain.com and the most expensive might cover all subdomains of a domain. Whether this is beneficial to you depends on if you use subdomains, how many you use and how many require a secure connection.

    All in all, to conclude, there is no such thing as a ‘low’ or ‘high’ level traffic SSL certificate. An SSL certificate is an SSL certificate. Put a ‘low traffic certificate’ on a high traffic site or a ‘high traffic certificate’ on a low traffic site – there’s no pros and no cons in this regard.

    Hope that helps answer your question and apologies for my delayed reply.

    David.

    • tomwilson says:

      Hi David,

      Many thanks for a very detailed reply. I had actually forgotten about this but your reply came just at the right time!

      I was puzzled by the idea of an SSL certificate that is only suitable for low traffic sites, but your explanation of it being a business benefit rather than a technical one makes perfect sense.

      Tom.

  3. DPS David says:

    Hi Tom,

    Apologies for my late reply on this one – I did think I had responded to your latest comment but evidently not!

    No problem, it’s my please. I’m glad that my reply reached you in time.

    Im glad that my reply answered your queries – if you have any more please feel free to comment again – I promise to be more prompt with my reply!

    Kind regards,
    David.

%d bloggers like this: