3

I'm just about to buy a SSL certificate from Comodo, I've doing a research in many CAs, many of them have this kinda premium certificate, and another like positiveSSL, rapidSSL, and instantSSL.

The final price for the same type of certificate is a huge difference, is there any reason for that?

The certificate are the same? for example, a wildcard certificate Comodo Premium costs USD 404/Year the same in PositiveSSL Wildcard page costs USD 149/Year.

Does anyone know if the cert issued are the same, chained and what is different, is it only the warranty?

Adriano Rosa
  • 131
  • 5
  • 4
    Related: 2012-08-14: [*Is there any technical security reason not to buy the cheapest SSL certificate you can find?*](https://security.stackexchange.com/questions/18666/is-there-any-technical-security-reason-not-to-buy-the-cheapest-ssl-certificate-y) – StackzOfZtuff Dec 01 '15 at 13:36

2 Answers2

3

The $149 Positive SSL is a Domain Validated certificate.

It's a shame that the $404 Comodo Premium Wildcard product page doesn't say the certificate validation type, but according to SSL Shopper, it seems to be an Organization Validated certificate.

Lie Ryan
  • 31,089
  • 6
  • 68
  • 93
  • Huh. Intersting. But Comodo also writes: *Issued online in minutes – automated validation means - No paperwork - No faxes - No delay* -- I wonder what validation other than DV would actually be done. – StackzOfZtuff Dec 01 '15 at 14:14
  • Typically they might call you, ask for proof that you are a specific company, ask for business records, etc. – Ohnana Dec 01 '15 at 14:15
  • I think for OV they will check incorporation documents and other public records for the company against the info you typed in. Still automated, and we can debate whether that's actually any harder to spoof. – Mike Ounsworth Dec 01 '15 at 14:25
  • @StackzOfZtuff: I was wondering about that as well, but that claim can still be somewhat true with OV since most parts of OV can be automated. It can be quite fast as long as you've entered your organization details correctly when ordering the certificate, your domain registration details matches, and you're in a country with a business database or QIIS API that the CA has integrated their automated checking process. Even phone validation is usually by a robot caller. The slowest part of OV is usually the customer themselves, for CAs that have automated a lot of their processes. – Lie Ryan Dec 01 '15 at 14:59
  • As far as I can see, the main difference for the certificates prices are, in this case, for a $404 you can get your Company Details in the certificate which gives a little impression of trusty, but Comodo validates the Company name based on your registrar, that's why is fast, no paper, no delay. The cheapest cert you will only get your domain name in it, this is the only difference I could find in the type of certificates, but in question of encryption they are all the same thing, bottom line is: all cheap certs are DV you don't get your name in it. – Adriano Rosa Dec 01 '15 at 17:06
  • @LieRyan Comodo has a page where it says the certificate is Organization Validate https://www.instantssl.com/compare-ssl-certificates.html – Adriano Rosa Dec 07 '15 at 14:13
1

As far as technology is concerned, a certificate is a certificate is a certificate. Any cert will authenticate your webserver and establish SSL / TLS sessions. Even a $5 cert will do the trick.

Generally speaking, what you get for the extra money is a higher level of background checking by a human. These are codified in the cert itself by the tags Domain Validated (DV) - the lowest level, Organization Validated (OV) - medium, and Extended Validation (EV) - highest level of background checking, often requiring face-to-face meetings, much paperwork to be signed, many records checked, etc.

Where this matters is that a discerning customer might notice if, for example, www.bankofamerica.com had a $5 certificate from godaddy. You might be suspicious that this is not the real www.bankofamerica.com, but rather someone who managed to fool godaddy's automated issuing system. On the other hand, if I inspect the cert in my browser and see that it's an EV cert from one of the highly-trusted CAs like Comodo, Verisign, or Entrust then I'll be much more confident that I'm talking to the right person.

Each Certificate Authority will try to throw in extra bells and whistles like warrenty, renewal services, sometimes insurance, etc. Those are really just gimmicks to make them stand out.

Mike Ounsworth
  • 57,707
  • 21
  • 150
  • 207
  • You mean like how [Symantec was very careful](https://googleonlinesecurity.blogspot.com/2015/09/improved-digital-certificate-security.html) when they issued [a few thousand certificates](https://googleonlinesecurity.blogspot.se/2015/10/sustaining-digital-certificate-security.html), including at least some EV certificates, which should never have been issued? Including at least some for google.com domain names. – user Dec 01 '15 at 14:39
  • Yeah, exactly -_- I mean, breaches, bribery, whatever, happens even in the security industry. I still trust them *more* than a fully automated DV CA. – Mike Ounsworth Dec 01 '15 at 14:43
  • My comment was in response to what you wrote about the validation process of EV certs. I realize now that I didn't make that particularly clear; sorry about that. – user Dec 01 '15 at 14:57
  • Maybe I should clarify; yes, sometimes false certs (even EV certs) get issued. Sometimes this is due to root key compromise, or insider-bribery, or other reasons. Does it mean the whole certificate system is broken? Maybe. Does it mean it's useless? Definitely not. Are EV certs safer *on average* than DV certs? Yes. TLS with EV certs is the best security that the human race has come up with so far, eventually we'll invent something better, but for now it's the best we have. – Mike Ounsworth Dec 01 '15 at 15:08