SSL certificate vendors are selling a commodity

May 8, 2010

Here is something important to understand about SSL certificates in practice: regardless of what SSL vendors tell you and how they try to market themselves, they are fundamentally selling a commodity, namely SSL certificates that work in all significant environments and browsers.

(If they are not selling this commodity you don't want anything to do with them unless you have very specialized needs.)

Some vendors will present themselves as more trustworthy, but this is hogwash. No user actually notices what vendor you use; you are lucky if they notice that you are using SSL (or that a phisher is not using SSL). What you have to worry about with vendors is basic competence issues and terrible business practices, not 'trust' as such.

Thus, when you are picking an SSL certificate vendor you can approach it just like buying any other commodity: pick the one that actually works, has the lowest combination of price and irritation in dealing with them, and that you can stand giving money to (or dealing with at all). There's no point in paying extra; you're just buying marketing.

(It is worth paying extra for less hassle. Hassle costs time and energy, and your time and energy has a real monetary cost (well, usually), so you can easily come out ahead overall.)

At the same time, a typical organization is not exactly spending large sums of money on SSL certificates in general. So if you find an SSL vendor that you actually like, or (especially) one that is easy to get people to pay for, you might as well use them even if they're more expensive than others. When you are talking about less money than the typical office coffee budget, well, why not?

One important corollary of SSL certificates being commodities is that you should expect SSL vendors to behave like commodity sellers. In particular, expect no customer support no matter what you're promised.

(As you can tell, I do not have a very flattering view of SSL certificate vendors so I do not expect very much from them and I certainly don't expect to find one that I actually like.)

Sidebar: on SSL CA security (or lack thereof)

In theory you have to worry about a vendor's security, but in practice SSL certificate vendors can fall down on the job fairly badly and still not be removed by browsers; in fact, I don't think any significant SSL CA has ever been de-certified by any browser. And the general marvels of the SSL certificate system mean that the effective security of your SSL certificate itself mostly rests on the security and good business practices of every SSL certificate vendor, not just yours: browsers trust all of them equally, so a certificate for your hostname issued by any of them will let an attacker impersonate you. You can guess what this means in practice.

Last modified: Sat May 8 00:52:11 2010