47

I want to buy a 128-bit SSL certificate for a website selling services. I checked http://www.rapidssl.com/ssl-certificate-products/ssl-certificate.htm and http://www.geotrust.com/ssl/compare-ssl-certificates.html. Why are the prices for QuickSSL (Geotrust, $249) and RapidSSL (rapidSSL, $69) so different? Is there any particular reason for this, or is it just marketing?

RapidSSL says the following:

However it is our opinion that sites conducting more than 50 transactions will require a Professional Level SSL certificate due to the increased likelihood that the website's customers will expect SSL from a highly credible and established SSL provider and well known internationally accepted SSL brand.

(by "professional level SSL" they mean Geotrust certs)

P.S. Will users really pay attention to the SSL issuing authority brand name?

Adam Bellaire
Vitaly Sharovatov
  • 6
    "*Customers will expect SSL from a highly credible and established SSL provider*" - Ha! Sounds like sales talk. I've actually never heard of anyone inspecting an SSL certificate to determine the root provider before purchasing something, and being a web developer myself, I do mix with a lot of technical people. – Simon East Sep 28 '12 at 00:00
  • I can't believe this question has been marked as 'off-topic.' I came here today to ask this very question. – S. Imp May 01 '18 at 18:46

7 Answers

54

The job of the SSL certificate authority (CA)/provider is to validate your organizational identity so that when customers access your web site, they not only get the padlock for security, but they know that your identity as the fully qualified hostname is authentic and not some phishing scam.

True, most all users look no further than the padlock indicating secure connection to their bank web site, email, etc. However, if any CA were to become compromised, all browsers who trust that CA would be vulnerable, because an attacker could forge a certificate for any domain, including yours. Your choice of certificate provider has no bearing on this. I have yet to hear about this actually happening. MITM attacks are a big deal now with wireless hotspots becoming more and more prevalent.

One more thing is browser compatibility. You would expect that your newly purchased cert be compatible with every modern browser. This is because they are all loaded with a list of root CA certs that trust a select list of SSL certificate authorities. If you buy from a CA that is not on that list, all your client browsers will get a security warning that the site's cert is not trusted. Just double-check that RapidSSL, Geotrust, or whoever you go with is in the list of all the browsers you care about (e.g. for Firefox, it's at Tools/Options/Advanced/Encryption/View Certificates/Authorities tab).

In the end, just get the cheapest one that gives you the level of encryption you want. It'll get the job done. Check with your web host provider. They may have discounts.

Paul Fisher
spoulson
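Added example (not part of the original answer): a scripted version of the "is this CA in the trusted list?" check described above. It reads the OS/OpenSSL root store that Python uses, which is an assumption and is not the same store as Firefox's own list; `find_trusted_roots`, `SAMPLE_STORE` and the "Example Trust" names are made up for illustration.

```python
import ssl
import time

def flatten(name):
    """Turn ssl's nested RDN tuples into a flat dict such as {'commonName': ...}."""
    return {key: value for rdn in name for key, value in rdn}

def find_trusted_roots(ca_certs, needle, now=None):
    """Return common names of unexpired self-signed roots whose subject mentions needle."""
    now = time.time() if now is None else now
    found = []
    for cert in ca_certs:
        if cert["subject"] != cert["issuer"]:
            continue  # not self-signed: an intermediate, not a root
        if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
            continue  # an expired root no longer validates any chain
        subject = flatten(cert["subject"])
        if needle.lower() in " ".join(subject.values()).lower():
            found.append(subject.get("commonName", subject.get("organizationName", "?")))
    return sorted(found)

def _name(org, cn):
    # Same nested shape ssl uses for 'subject' and 'issuer'.
    return ((("organizationName", org),), (("commonName", cn),))

# Constructed sample in the shape returned by SSLContext.get_ca_certs();
# the "Example Trust" entries are invented, not real certificates.
_ROOT = _name("Example Trust Inc.", "Example Trust Global CA")
_OLD = _name("Example Trust Inc.", "Example Trust Legacy CA")
SAMPLE_STORE = [
    {"subject": _ROOT, "issuer": _ROOT, "notAfter": "May 21 04:00:00 2040 GMT"},
    {"subject": _OLD, "issuer": _OLD, "notAfter": "Aug 22 16:41:51 2018 GMT"},
    {"subject": _name("Example Trust Inc.", "Example Trust DV CA"),
     "issuer": _ROOT, "notAfter": "May 20 04:00:00 2030 GMT"},
]

if __name__ == "__main__":
    print("sample:", find_trusted_roots(SAMPLE_STORE, "example trust"))
    # Real store: certificates loaded from the OS/OpenSSL CA bundle, if any.
    store = ssl.create_default_context().get_ca_certs()
    for brand in ("GeoTrust", "Equifax"):
        print(brand, "->", find_trusted_roots(store, brand) or "no trusted root found")
```

An empty result for the real store can also mean the platform keeps its roots in a directory that Python loads lazily, so treat it as a prompt to check the browser's own list rather than as proof the CA is untrusted.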
19

To clarify, both are owned by Geotrust(R). One difference is that Geotrust certificates use "Geotrust" root, and RapidSSL certificates use "Equifax" root, which will be shown in the certificate info "Issued by".

lepe
  • 8
    I've not met any user who even remotely cares which root has issued an SSL certificate. (...Unless, I guess, it was to ever become compromised as noted by @spoulson, but until then I doubt it matters.) – Simon East Sep 28 '12 at 00:03
13

I know this has an accepted answer already, but there is another aspect.

The more expensive SSL certificates usually have a better warranty when it comes to fraud. A lower cost SSL cert may cover $10,000 worth of fraud whereas a higher cost SSL cert may cover you for $100,000, for example.

Robert Rouse
  • 33
    Has anyone ever claimed one of these payouts? – Steven Soroka Mar 28 '14 at 18:57
  • 8
    THAT is a good question. – rcd Apr 06 '14 at 20:45
  • 1
    That is a good question. I wonder what the procedure is for making such a claim? – Sherwin Flight Feb 14 '15 at 06:53
  • 4
    Quoting https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=AR1398 section "What is the Warranty?" -- "The warranty protects the end user if we mis-issue a certificate. It is worth noting that other SSL Providers use warranty as a means of adding perceived value to their offerings, as such will offer the same certificate with higher warranties and then charge more for the certificate! **We want to make it clear that warranty has not been collected on any SSL Certificate, ever!**" So at least for rapidSSL the number of claims is quite low ;) – Christopher Lörken Aug 18 '15 at 16:22
6

They both do the same job, just brand perception I guess.

Honestly I don't think the end user would even notice. As long as they see the little padlock they will be happy.

PS. GoDaddy certs are cheaper.

  • Thanks a lot for your reply, I was also thinking that clients wouldn't even check who issued the certificate if their browsers trust the CA. – Vitaly Sharovatov Oct 01 '08 at 13:02
1

This has a good overview of the RapidSSL faqs.

This will give you the same for the QuickSSL.

The main difference in these certificates is the amount of verification during purchase. The encryption is basically the same for both.

Girish Nair
Mellisa
    So you pay more to jump through more hoops, while the amount of protection is the same? That sounds crazy. – Simon East Sep 27 '12 at 23:52
-1

As for the warranty mentioned above, as far as I understand this is a warranty to the "end user" in case the certificate authority issues a certificate to a fraudulent person/domain. It is not a warranty to the website owner.

user1583209
-1

Pretty late to the game but there is one other detail worth noting here--RapidSSL is not on IE8's list of trusted authorities.