Buying Digital Certificates — Protecting Confidential Data With SSL, Page 1

With prices for the most expensive digital certificates coming in at over 300 times more than the least expensive, it pays to be sure of what you’re buying when you cough up the cash for a server certificate. Here’s what the SSL certificate companies would rather you didn’t know.

What is SSL?

SSL stands for ‘Secure Sockets Layer’; it’s the encryption protocol at work when your browser displays a little padlock icon after visiting a site which supports connections made with a URL starting with ‘https:’ rather than ‘http:’. SSL uses public key cryptography, much like PGP (described in the section on encryption software options). SSL protects the transmission of data between a visitor’s browser and a server. Contrary to the marketing spiels of some consumer sites, the installation of a digital certificate (SSL certificate) does not make for a ‘secure server’; it can only secure data in transit to and from the server, and it does nothing for the security of data once it reaches the server.

(In most cases, when you read the phrase ‘secure server’ in connection with SSL, you can conclude that either the company referring to their ‘secure server’ doesn’t really know what the term means, or they are hoping that you don’t.)

The Truth About SSL Certificates

Here’s the little ‘secret’ that companies selling SSL certificates don’t want you to know: all 128-bit standard digital certificates are mathematically equivalent in capability. From the standpoint of technical strength, all 128-bit certificates which you buy from any company are created equal.

Why?

A digital certificate is nothing but a cryptographically significant string of numbers, generated from a public key supplied by the site itself, indicating that a certificate authority has endorsed that site’s key (after checking on the site’s legitimacy). It’s exactly analogous to someone’s signing my personal PGP key and acting as an ‘introducer’, warranting to a third party that I am really me. In other words, the server owner produces a key pair (exactly like a PGP user would generate a key pair on a desktop computer), sends the public key off to a company that sells SSL certificates, and that company digitally signs the public key.

That’s all there is to it.

The Role of Recognized Certificate Authorities

OK…that’s not quite all there is to it.

Every web browser which supports SSL includes a built-in list of certificate authorities (sometimes called ‘certification authorities’) which it will automatically recognize — in effect, a list of companies whose signatures on digital certificates will automatically be trusted. (If there weren’t such a list, if just anyone could sign a certificate and have it accepted by a web browser, then browsers could more easily be duped into making encrypted connections with illegitimate sites, and the strength of the system could be put at risk.)

Talk to a Psychiatrist or Therapist Online

SSL certificates which have been signed by one of these companies already ‘trusted’ by popular browsers are called single root certificates. Some certificate authorities, however, do not have their own trusted root certificates already included in browsers; instead, these authorities have a chained certificate issued by one of the main ‘trusted’ companies, which inherits the trust relationship and browser recognition of the trusted root certificate. The resulting SSL certificates are called chained root certificates.

Installing a chained root certificate is slightly more complicated, and not all servers support chained certificates, but when correctly installed they work every bit as well as a single root certificate. (Remember, all such certificates are mathematically identical in terms of encryption strength!) The main advantage of single root certificates is that the issuing authority has full control over its own certificate, rather than being at the mercy of another company. (It has happened that the owner of a root certificate has decided to sell the rights to its certificate, subjecting companies which issue chained certificates from that root certificate to some business uncertainty.)

There are also some super-cheap SSL certificates where the root certificate itself is owned by someone other than a recognized certificate authority. These can often be had for around $5 or so, but while they will permit SSL to function perfectly well, visitors making SSL connections to sites using this type of certificate will see a warning message from their browser stating that the certificate has been issued by an unrecognized authority.

So Why Do Some Digital Certificates Cost So Much?

Even given the behind-the-scenes differences between single root certificates and chained root certificates, on the surface there doesn’t appear to be anything of substance to justify the truly massive price differential between certificates issued by different companies.

Some certificate authorities include spiffy real-time graphics or little pop-up windows which provide free advertising for the certificate issuer — oops, I mean “which provide additional reassurance for your users that their data will be handled securely”. To my mind, these gimmicks probably appeal primarily to the very technically-oriented, like the system administrators who may be asked to purchase them, rather than to real end users.

Likewise, many certificate authorities also include within their certificate prices an “insurance policy” against the possibility of an end user making a claim for loss due to faulty encryption, and they will try to convince you of the value of paying for higher and higher levels of insurance.

But hold on… As far as cryptologists are aware, 128-bit SSL is, for all practical purposes, unbreakable anyway! Even with government-level computing resources thrown at the problem, mathematicians agree that 128-bit encryption will be unbreakable for a very long time. So the certificate authorities are actually selling insurance against the virtually impossible.

Business is full of ventures making profit purely on the basis of clever marketing, but this particular area — the issuing of digital certificates — seems to me to be one of the most obscene examples of profiteering around. Certificate authorities sometimes charge $1500 or more to issue a string of numbers, justifying it on the grounds that it comes with a strong brand (irrelevant to encryption effectiveness), or that it comes with a large insurance policy (irrelevant in the real world), or that it has spiffy graphics or pop-ups (free advertising for the certificate authority).

All clinical material on this site is peer reviewed by one or more clinical psychologists or other qualified mental health professionals. This specific article was originally published by on and was last reviewed or updated by Dr Greg Mulhauser, Managing Editor on .

Overseen by an international advisory board of distinguished academic faculty and mental health professionals with decades of clinical and research experience in the US, UK and Europe, CounsellingResource.com provides peer-reviewed mental health information you can trust. Our material is not intended as a substitute for direct consultation with a qualified mental health professional. CounsellingResource.com is accredited by the Health on the Net Foundation.

Copyright © 2002-2024. All Rights Reserved.