[Pugged] SSL options and providers

Steve Langasek ciapug@ciapug.org
Mon, 23 Sep 2002 16:11:01 -0500


On Mon, Sep 23, 2002 at 03:45:27PM -0500, Angie Tollerson wrote:
> Hmmmm..I'm wary of the instantssl.com site. For this reason: they brag
> that VeriSign's certificate for one year with 128 bit encryption is
> $895..what they don't mention is for that price you don't just get the
> certificate..you also get your entire online merchant capabilities
> package for a year.  With a manager keeping track of all your
> transactions.  The certificate is a "bonus" thrown in.  But not the
> price of just the cert. Misleading..and makes me wonder.

Er... http://www.verisign.com/products/site/secure/index.html

Which of the components listed under that $895 price tag is an "online
merchant capabilities package"?  Sure looks to me like they're charging
$895 for a one-year 128-bit cert.

VeriSign's certificates are by no means "a bonus thrown in"; on the
contrary, most of the other stuff listed on that page is stuff thrown in
to justify the cost of the certificate, which is the only thing most
people need.  (Or when was the last time that YOU paid attention to a
VeriSign logo on an eCommerce site, instead of looking at the browser
security icon itself?)  They charge dearly for their brand name, just as
you pay dearly for using them as a domain registrar.

Perhaps you were looking at
http://www.verisign.com/products/site/commerce/index.html instead -- note
that if you buy their commerce services, $895 only gets you *40*-bit
encryption.  Sufficient proof for me of their shadiness, encouraging
people to use 40-bit encryption on eCommerce sites...

If you want an SSL cert that costs what it's worth, I recommend Thawte
(now a VeriSign subsidiary) or GlobalSign.  I've never heard of
InstantSSL, though the pricing looks good.  The way I check out SSL CAs
is by making sure they use their own CA to issue the cert for *their*
eCommerce site.  Anyone who doesn't probably either doesn't have enough
capital to ensure they'll be included in future browsers, or is simply
scamming you.

Steve Langasek
postmodern programmer
