Previously we talked about why you and your site visitors should have a strong preference for secure sites. Here we will address which certificate you should choose.
It’s all about establishing trust. The decision is subjective. Evaluate who your visitors are, why they are at your site and what you want them to do. If your objective is to publish a blog while showing people that you respect and value their privacy, the least expensive certificate will do just fine. If you are trying to sell products worth hundreds of dollars using credit cards, convincing people that your site can be trusted is both more important and more difficult.
It’s worth noting that in more advanced hosting setups, using a certificate will make a site load faster. There is a relatively new protocol which requires a secure connection, SPDY – pronounced “speedy”. It can improve page load times by as much as 30%. Also, Google rewards secure sites with slightly higher page rankings.
Be aware that attitudes are changing. Frequent news about the latest hacked site or company is gradually making people more cautious.
There are 2 important visual cues to your site visitor that they are at a secure site: a site seal and a green address bar. Also, in Google Chrome you may see a green padlock. Other browsers generally give some indication you are at a secure site, but it’s less obvious.
Site Seals
Virtually all certificate purchases include a site seal to display on your web site.
The more recognizable the seal, the more it will engender some degree of trust. But you need to weigh this against cost. The Norton / Symantec seal comes with certificates which cost $500 and more. The Comodo Positive SSL seal comes with a $9 certificate.
The Green Bar
If you go to Deerfield Hosting, you will notice that the company name is written in the address bar in green. Deerfield Hosting uses an extended validation certificate. The certificate authority (CA) took additional steps to verify the identity of Deerfield Hosting, Inc. They are willing to be held accountable for certifying that deerfieldhosting.com is run by Deerfield Hosting, Inc. up to a liability limit of $500,000. The liability limit for the certificate on this site is $10,000. All the CA did before issuing the certificate used here is make sure that the domain name registration is controlled by the same people who were trying to buy the certificate.
Attributes of authority signed SSL certificates
- Validation – How the CA checked up on the company or individual who ordered the certificate.
  - Domain Validated – verify that the domain is owned by the person or entity ordering the certificate
  - Organization Validation – verify domain ownership and that supplied company information is accurate (but no green bar)
  - Extended Validation – verify domain ownership and that supplied company information is accurate, under stricter checks than organization validation
  The benefit of extended validation is the company name in green in the address bar, signaling that the identity has been more rigorously established.
- Number of Domain Names – The certificate may work for one site or more than one.
  - Single site: generally example.com and www.example.com, but might be others like store.example.com
  - Wildcard: a single certificate which works with sub-domains of a single domain. For example, blog.example.com, store.example.com, www.example.com
  - Multiple Domains: a single certificate which works with domains which (in general) have the same ownership. For example, deerfieldhosting.com and deerfieldhosting.net
- Warranty – CA liability limit. Ranges from none to $1.75 Million. Note that this is NOT in any sense insurance. Many sources imply or incorrectly state that it is.
Anyone can create a certificate and self sign it. This will work fine for encryption, but web browsers will pop up a warning to let you know that no identity validation is in place. When a site does not need to provide identity assurance because no visitors are total strangers, a self signed certificate is adequate. On the other hand, few people fully understand the warning. Not having to bother with explanations may be worth the low cost of a basic certificate.
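The attributes above (which names a certificate covers: single site, wildcard or multiple domains) and the self-signed case can both be seen with nothing more than the openssl command line. The script below is an added example, not code from the original post or from Deerfield Hosting; it assumes openssl 1.1.1 or newer (for the -addext option) and uses constructed domain names and throwaway self-signed certificates. It creates one certificate of each kind, reads back the Subject Alternative Name list that browsers actually match the host name against, classifies it the way the post does, and shows that none of the three chain to a trusted root, which is exactly what makes a browser warn on a self-signed certificate.

```shell
#!/bin/sh
# Added demonstration, not code from the original post. Requires only the
# openssl command line (1.1.1 or newer, for -addext). Every domain name below
# is a constructed example and every certificate is a self-signed throwaway.
set -e

WORK="${TMPDIR:-/tmp}/cert-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# make_self_signed LABEL COMMON_NAME SAN_LIST
#   Creates a self-signed certificate the way anyone can, with no CA involved.
#   SAN_LIST is the subjectAltName value, e.g. "DNS:example.com,DNS:www.example.com".
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=$2" -addext "subjectAltName=$3" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# san_names PEMFILE
#   Prints the DNS names the certificate covers, one per line. Browsers match
#   the host name against this list, not against the common name alone.
san_names() {
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# classify_sans PEMFILE
#   Prints single, wildcard or multi-domain, following the post's categories:
#   any "*." entry makes it a wildcard; names under more than one registered
#   domain (approximated here as the last two labels) make it multi-domain.
classify_sans() {
  names=$(san_names "$1")
  case "$names" in
    *'*.'*) echo wildcard; return 0 ;;
  esac
  bases=$(printf '%s\n' "$names" | awk -F. '{print $(NF-1) "." $NF}' | sort -u | wc -l | tr -d ' ')
  if [ "$bases" -gt 1 ]; then echo multi-domain; else echo single; fi
}

# is_trusted PEMFILE
#   Succeeds only if the certificate chains to a root in the system store.
#   A self-signed certificate never does, which is what triggers the browser warning.
is_trusted() {
  openssl verify "$1" >/dev/null 2>&1
}

make_self_signed single example.com "DNS:example.com,DNS:www.example.com"
make_self_signed wildcard '*.example.com' "DNS:*.example.com,DNS:example.com"
make_self_signed multi deerfieldhosting.com "DNS:deerfieldhosting.com,DNS:deerfieldhosting.net"

for label in single wildcard multi; do
  pem="$WORK/$label.pem"
  if is_trusted "$pem"; then trust=trusted; else trust="untrusted (self-signed)"; fi
  printf '%-9s covers: %s-> %s, %s\n' "$label" "$(san_names "$pem" | tr '\n' ' ')" "$(classify_sans "$pem")" "$trust"
done
```

Running it prints one line per certificate with its name list, its category and "untrusted (self-signed)"; a CA-issued certificate for the same names would have identical SAN output and differ only in the trust result, which is the point of paying for validation.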
The encryption provided by any brand or type of certificate is as good as any other brand or type. While it is possible to generate a certificate with too weak a key, no vendor will provide you with a certificate which is too weak.
In modern browsers, the certificate is only used to establish identity and begin a secure session. The browser and the server negotiate how to encrypt the session and generate fresh keys for it. At that point the work of the certificate is complete and it is no longer part of the encryption process. This property is called perfect forward secrecy: every session is encrypted with its own keys. It depends on the browser and the web server configuration, not on the certificate.
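The split described above, between the certificate's long-lived key and the per-session keys, can be acted out with openssl alone. The script below is an added example, not code from the original post or from Deerfield Hosting; it assumes only the openssl command line and models the ephemeral elliptic-curve key agreement (ECDHE) that a PFS-capable browser and server perform. Two "sessions" are run: each side makes a throwaway key, exchanges public halves and derives the same shared secret, the throwaway private keys are deleted, and the two sessions end up with different secrets. The certificate's key appears only to sign the server's ephemeral public key, which is its real job in the handshake.

```shell
#!/bin/sh
# Added demonstration, not code from the original post. Uses only the openssl
# command line. The keys and "sessions" are constructed for illustration.
set -e

WORK="${TMPDIR:-/tmp}/pfs-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# The server's long-lived certificate key, made once. In a real handshake it
# signs the handshake so the client knows who it is talking to; it never
# encrypts session data and never takes part in deriving session keys.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/cert.key" 2>/dev/null
openssl pkey -in "$WORK/cert.key" -pubout -out "$WORK/cert.pub" 2>/dev/null

# ecdhe_session LABEL
#   One handshake's key agreement: each side makes a throwaway P-256 key, swaps
#   public halves and derives the shared secret. Prints the secret in hex.
ecdhe_session() {
  for side in client server; do
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1-$side.key"
    openssl pkey -in "$WORK/$1-$side.key" -pubout -out "$WORK/$1-$side.pub" 2>/dev/null
  done
  client=$(openssl pkeyutl -derive -inkey "$WORK/$1-client.key" -peerkey "$WORK/$1-server.pub" | od -An -tx1 | tr -d ' \n')
  server=$(openssl pkeyutl -derive -inkey "$WORK/$1-server.key" -peerkey "$WORK/$1-client.pub" | od -An -tx1 | tr -d ' \n')
  # Both sides must arrive at the same secret or the session cannot proceed.
  [ "$client" = "$server" ] || return 1
  # Discard the ephemeral private keys, as a PFS-capable server does after the
  # handshake. Nothing left on disk can recover this session's secret.
  rm -f "$WORK/$1-client.key" "$WORK/$1-server.key"
  echo "$client"
}

# authenticate LABEL
#   The certificate key's only role: sign the server's ephemeral public key so
#   the client can tell it came from the certified server (a real handshake
#   checks this signature before the client derives the secret).
authenticate() {
  openssl dgst -sha256 -sign "$WORK/cert.key" -out "$WORK/$1.sig" "$WORK/$1-server.pub"
  openssl dgst -sha256 -verify "$WORK/cert.pub" -signature "$WORK/$1.sig" "$WORK/$1-server.pub" >/dev/null 2>&1
}

s1=$(ecdhe_session one)
s2=$(ecdhe_session two)
if authenticate one; then
  echo "session one: server's ephemeral key carries a valid signature from the certificate key"
fi
echo "session one secret: $s1"
echo "session two secret: $s2"
if [ "$s1" != "$s2" ]; then
  echo "each session has its own secret; a later leak of cert.key reveals neither"
fi
```

The 64-hex-character secrets differ on every run and between the two sessions, while cert.key stays the same throughout; whether a live server actually behaves this way is decided by its cipher-suite configuration, which is what the SSL Labs test mentioned below reports on.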
As an aside, you can test the safety of supposedly secure sites at SSL Labs. You may be surprised as I was to discover that your online banking pages get low marks. Until I complained, my bank was getting an F.
Recommendations
- Selling products and taking credit cards – Get the green bar with an extended validation certificate. Your visitor to customer conversion rate will justify this unless your volume is very low.
- Selling products using Paypal – If you can afford it, get the green bar. It will improve sales on most sites more than enough to pay for itself.
- Multiple Domains or Sub Domains – Do the math. Break even on cost with a wildcard certificate is about 10 sub domains.
- Warranty – This is only relevant if money is changing hands or the site relates to that in important ways. Organization validated certificates get you a better warranty, but for slightly more money you get the green bar.
- Informational or Promotional Sites – Showing your visitors that you respect their privacy and getting the rankings boost is almost certainly worth the cost of a basic certificate.