Some things in life are worth paying more for. Other things you can afford to go cheap on. So what does that mean for SSLs? How much should you spend? Should you be suspicious of the ultra-low SSL certificate price by Namecheap or other affordable stores? To that, the answer is no. Here’s why.
It’s all the same SSL
No matter what price you pay for your SSL, you’ll get the same end product: a modern SSL certificate capable of supporting 256-bit encryption. No matter what an expensive store’s marketing says about having the best protection around, it’s basically all smoke and mirrors, because they’re offering the same thing as a cheaper equivalent. Ultimately, the encryption strength of your SSL connection depends on your server settings (the protocol versions and cipher suites it is configured to negotiate), not on the certificate’s price, so be sure to check those to ensure your SSL can perform at its best.
This is not to say that you should get an SSL from the first store you find. As with any purchase you make, always do your research first. SSL certificates can be a little complicated, especially if you don’t have a lot of tech know-how. So you want to go for a store that offers excellent guidance and a supportive customer service team if you get lost along the way.
So instead of going by price alone, look around the vendor’s site. Do they have how-to guides for things like activation and installation? Do they have a glossary of terms to explain all the lingo? How often is their customer service available, and how long do they take to reply on average? And don’t forget to read the reviews. Check third-party review sites, so you know that they are genuine.
The importance of a trusted CA
One thing you’ll notice when searching for an SSL is that many stores will have a partner Certificate Authority (CA) or maybe even offer SSL certificates from several CAs. CAs are the organizations basically in charge of keeping the whole SSL ecosystem up and running. They issue and revoke SSL certificates, while validating any person or company who wants to get one for their site. It’s a big job, which is why choosing a trusted CA is paramount to getting an SSL that works.
A lot of software, including web browsers, ships with a list of CAs that it knows to trust. A CA that has been caught doing something shady gets removed from this list. So if you get an SSL from a shady CA, it likely won’t work correctly: if users try to visit your site, they’ll be warned that it is “not secure”. Having an SSL from an untrustworthy CA is basically like not having an SSL at all.
Securing your stack with SSL/TLS doesn’t have to be costly or time consuming. There are two sides to TLS: Public Key Infrastructure (PKI) and public-key (asymmetric) cryptography. Hopefully your public network data is already encrypted with SSL/TLS (leveraging public-key cryptography), but you can also leverage a PKI to easily gain additional security wins for your internal network traffic.
SSL/TLS is most frequently used for encrypting data on the wire. You want to prevent the person next to you at Starbucks from being able to see your password as you submit a login form over the WiFi. It is also used to verify the identity of a web server, known as peer verification. You want to know that data going to and from www.tinfoilsecurity.com actually is coming from our servers, and not from someone else’s. Early in the TLS handshake your browser (and any underlying library like OpenSSL) does most of the heavy lifting for you: checking that the certificate’s CommonName or SubjectAltNames match the hostname, and verifying the chain of trust up to a trusted CA. However, a tragically underused feature of SSL/TLS is that the client also has the opportunity to present a certificate during the handshake, and the server can use it to verify the client’s identity as well.
Why doesn’t every browser present a certificate to every SSL website identifying the visitor as me? It certainly would make logins simple, but the rub comes with trust: any certificate could claim to identify the user as Ben Sedat. Public Key Infrastructure tries to solve this. If both the website and the client trust an authority to sign the certificates and keep track of them, then you can establish a trusted link and make it a lot harder to forge an identity into the system.
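The hostname check described above, written out as an added example (this is not code from the original post or from Tinfoil Security). It takes the dictionary shape that Python’s `ssl.SSLSocket.getpeercert()` returns, pulls out the CommonName and the DNS SubjectAltNames, and applies the matching rules modern browsers use (an assumption of this example, following RFC 6125): DNS SANs take precedence over the CommonName, a wildcard may only be the whole left-most label and covers exactly one label, and comparison is case-insensitive. The sample certificate is constructed for illustration.

```python
from typing import List, Optional, Tuple


def names_from_peercert(cert: dict) -> Tuple[Optional[str], List[str]]:
    """Extract (CommonName, [DNS SANs]) from a getpeercert()-style dict."""
    cn = None
    for rdn in cert.get("subject", ()):
        for attr_type, value in rdn:
            if attr_type == "commonName":
                cn = value
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    return cn, sans


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name (possibly '*.example') against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Wildcard must be the entire left-most label, appear only once, and leave
    # at least two fixed labels, so "f*.example.com" and "*.com" are rejected.
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[2:]:
        return False
    # One wildcard covers exactly one label: "*.example.com" does not cover
    # "a.b.example.com" and does not cover the bare "example.com".
    return len(h_labels) == len(p_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches_cert(cert: dict, hostname: str) -> bool:
    """True if the certificate's names cover the hostname the client connected to."""
    cn, sans = names_from_peercert(cert)
    if sans:  # CommonName is ignored once DNS SANs are present
        return any(name_matches(n, hostname) for n in sans)
    return cn is not None and name_matches(cn, hostname)


# Constructed sample, shaped like the dict getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "www.tinfoilsecurity.com"),)),
    "subjectAltName": (("DNS", "www.tinfoilsecurity.com"), ("DNS", "*.api.tinfoilsecurity.com")),
}

if __name__ == "__main__":
    for host in ("www.tinfoilsecurity.com", "v1.api.tinfoilsecurity.com", "evil.example"):
        print(host, "->", hostname_matches_cert(SAMPLE_CERT, host))
```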
Conclusion
When choosing an SSL, there are way more important factors to think about besides money. To ensure you make the right choice, do your research.