
I am about to launch an online shopping site (currently running HTTP) and I was thinking seriously about moving to SSL, including the green bar, because this is very important.


However, when I first checked it out, I found it was very expensive. But then I found an unbelievable price, for which I can't find the reason.

Verisign (now called Symantec) offers the SSL I want (Symantec Secure Site Pro with EV SSL Certificates) for $1499 per year, which I find quite expensive.

But I saw that the same thing could be obtained from Comodo (EV SSL - Extended Validation SSL Certificates) for just $99 per year.

There is a really large difference between these two prices, and I don't understand why. I am really attracted to the Comodo certificate, because it's very inexpensive, but I am not sure, because my mind says there has got to be a CATCH here.

What is the actual difference? Is there a big catch? OR is it just branding? (I really don't think it is, because of the huge gap in price)

The Artist
  • @Xander Thank you very much :) Let me check it out. – The Artist Jul 10 '15 at 20:08
  • @Xander After reading this, some say to go with the cheapest one while other answers say no because some vendors have been hacked, etc. Does this mean that, in terms of the features I am getting, since another hack in the future is very unlikely, it is the same? – The Artist Jul 10 '15 at 20:25
  • @Xander Will I face any other problems, assuming that Comodo won't get compromised? – The Artist Jul 10 '15 at 20:26
  • Well, I think it doesn't make any difference, since if any CA gets hacked you will be affected too (i.e. any hacked CA can issue a certificate for your website and no browser will reject it if the CA is in the trusted store). – Freedo Jul 10 '15 at 21:40
  • Funny. I don't see $2490 on *any* of the various options on your linked Symantec page. Nor does it appear to be any of the multiple year prices divided down to a single year. Nor does it appear to be any of the prices at the bottom plus warranty. Where are you getting that number? – jpmc26 Jul 11 '15 at 02:01
  • @jpmc26 Oops, it's in Australian dollars: $2490, which is equivalent to USD $1854 per year. – The Artist Jul 11 '15 at 02:31
  • It would be nice if you told us exactly which one you are considering for purchase instead of making us try to hunt down based on price. Then we could compare features exactly without doing any guesswork. – jpmc26 Jul 11 '15 at 02:33
  • 1
    @jpmc26 Symantec Secure Site Pro with EV SSL Certificates – The Artist Jul 11 '15 at 02:38
  • FYI: If you go through Namecheap (a reseller of Symantec, Comodo, and others' certificates), you can get a Symantec EV certificate for $666/yr or a Comodo EV certificate for $145/yr. See https://www.namecheap.com/security/ssl-certificates/extended-validation.aspx – mti2935 Jul 11 '15 at 21:40

4 Answers


SSL certificate price depends basically on how much the vendor feels he can charge for it. The per-certificate issuing cost is extremely small; most of it is about the manual operations to verify the identity of the requester, but that is still a lot less than what CAs typically charge. Like with software, CAs charge money to cover their development cost, and/or to get filthy rich.

There can be some sub-clauses about insurance. When you buy an EV certificate, you also pay for some insurance that will cover some cases of fraud related to certificates. You have to read all the fine print of the insurance contract to know exactly what you are buying. It is plausible that a $2000 certificate comes with a more comprehensive insurance policy than a $99 certificate.

It is also entirely possible that some CAs think that by making their prices 10 times higher, they will have fewer customers, but not 10 times fewer customers, thus making the operation worthwhile. Customers are people; they tend to think about certificates as some magic things, and are not very rational about them.

Tom Leek
  • Could you educate me on what you exactly mean by "Customers are people; they tend to think about certificates as some magic things, and are not very **rational** about them." – The Artist Jul 10 '15 at 22:30
  • @TheArtist You'd be surprised at how many people make this kind of decision without really consulting someone first. I've done web admin and development as a *side job*, and I've already seen 4 instances of saying "You're going to need an SSL certificate if we want to run a proper online shop", only to have them come back to me with a super-expensive wildcard certificate costing several thousands. These are all people who I met in person, and can say that they don't really know jack-shit about general computers besides how to use a web browser. –  Jul 11 '15 at 02:08

While prices differ, they don't differ that much. You are comparing certificates from Symantec with support for multiple domains with single-domain certificates from Comodo. Once you try to use multiple domains with Comodo the price will be much higher. While Symantec is still more expensive, Comodo, at around $2000 for 2 years, is not that much cheaper compared to the numbers you give in your question.

These prices don't reflect much of the operating costs, but with the EV certificates you have chosen there will be stricter checking of identification before the certificate is issued. This involves more information requested from the customer and probably also actual people looking at the provided information. Also, OCSP servers need to be working all the time, even under higher load, because all current browsers will check for revocation before connecting to EV-protected sites and refuse if the revocation status cannot be determined. Also, there will probably be staff available 24/7 in case an emergency revocation (which probably also involves issuing a new certificate) is needed. 24/7 is at least advertised by Symantec, but I cannot find it for Comodo, so this might explain some of the difference in price.

In any case - if you run a business which needs EV certificates both prices are probably cheap compared to the costs of server administration.

Steffen Ullrich
  • +1 "In any case - if you run a business which needs EV certificates both prices are probably cheap compared to the costs of server administration." and the value of the data and business that you're trying to protect. – Mike Ounsworth Jul 10 '15 at 21:58
  • What do you mean by multiple domains from Symantec? :O Does this mean I could use it for any number of domains I like? I don't see this feature on their website. – The Artist Jul 10 '15 at 22:26

In my experience, the top CAs - like in any industry - charge more for a reputation of good service.

If your goal is to get your server up and running as cheap as possible, then get something cheap.

But if you want things like fast turn-around times on your certificate requests, fast ping times on revocation requests (OCSP), early adoption of new protocols (I'm looking at you CMP and Certificate Transparency), personable customer service, included tech support, etc, then it could be worth looking at the more expensive options.

Mike Ounsworth
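An added example, written for this edit and not code from any of the posters: it turns the two operational points raised in this answer and in Steffen Ullrich's answer above (OCSP responder behaviour, and what an EV certificate actually asserts) into something you can run against a candidate CA before buying. Using only the openssl CLI, it pulls the chain from a live host, checks whether the leaf carries the CA/Browser Forum EV policy OID 2.23.140.1.1, and queries the CA's OCSP responder named in the leaf. A revocation status that cannot be determined is reported as its own outcome, since that is the case in which a browser refuses an EV site, and a "good" that is not backed by a verified responder signature is treated the same way. The hostname in the usage line is an assumption; the responder replies in the offline self-check are constructed, not captured.

```shell
#!/bin/sh
# Added example (not from the original thread): probe what an EV certificate
# gives you on the wire, using only the openssl CLI.
#  classify_ocsp  - turns `openssl ocsp -resp_text` output into good/revoked/unknown/undetermined
#  has_ev_policy  - does the leaf assert the CA/Browser Forum EV policy OID 2.23.140.1.1?
#  ocsp_status    - asks the responder named in the leaf's AIA extension
#  check_site     - fetches the chain from a live host and runs the checks
# Browsers treat "cannot determine revocation status" as a failure for EV sites,
# so "undetermined" is a distinct outcome here rather than being folded into "unknown".

# Read `openssl ocsp -resp_text` output (stdout and stderr) on stdin; print one word.
classify_ocsp() {
    out=$(cat)
    case "$out" in
        *"Response verify OK"*) ;;            # responder signature verified against the issuer
        *) echo undetermined; return 0 ;;     # connection error, unverifiable or malformed reply
    esac
    case "$out" in
        *"Cert Status: good"*)    echo good ;;
        *"Cert Status: revoked"*) echo revoked ;;
        *"Cert Status: unknown"*) echo unknown ;;      # responder has no record of this serial
        *)                        echo undetermined ;;
    esac
}

# True if the PEM certificate in $1 asserts the CA/B Forum EV policy OID.
# OpenSSL prints the dotted OID when it has no short name for a policy; if your
# build prints a name instead, extend the pattern. Individual CAs also used their
# own EV OIDs (listed in each CA's CPS); those are not covered here.
has_ev_policy() {
    openssl x509 -in "$1" -noout -text | grep -q 'Policy: 2\.23\.140\.1\.1$'
}

# $1 = leaf PEM, $2 = issuer PEM. Prints good/revoked/unknown/undetermined.
ocsp_status() {
    uri=$(openssl x509 -in "$1" -noout -ocsp_uri)
    [ -n "$uri" ] || { echo undetermined; return 0; }   # no AIA OCSP URI at all
    # OpenSSL before 1.1.0 needs an explicit Host header: add -header "HOST" <responder host>
    openssl ocsp -issuer "$2" -cert "$1" -url "$uri" -resp_text 2>&1 | classify_ocsp
}

# Fetch the chain the server sends and run both checks. The hostname is an assumption.
# Usage: sh evcheck.sh shop.example.com
check_site() {
    host=$1
    dir=$(mktemp -d)
    # -showcerts dumps the whole chain; split it into cert1.pem (leaf), cert2.pem (issuer), ...
    openssl s_client -connect "$host:443" -servername "$host" -showcerts </dev/null 2>/dev/null \
      | awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{n++; p=1}
                          p{print > (d "/cert" n ".pem")}
                          /-----END CERTIFICATE-----/{p=0}'
    leaf=$dir/cert1.pem
    issuer=$dir/cert2.pem
    if [ ! -s "$issuer" ]; then
        echo "$host: server did not send its issuer certificate; cannot query OCSP"
        rm -rf "$dir"; return 1
    fi
    if has_ev_policy "$leaf"; then
        echo "$host: CA/B Forum EV policy OID present"
    else
        echo "$host: no CA/B Forum EV policy OID (DV/OV, or a vendor-specific EV OID)"
    fi
    echo "$host: OCSP status = $(ocsp_status "$leaf" "$issuer")"
    rm -rf "$dir"
}

# Offline self-check on a constructed (not captured) responder reply.
sample='Response verify OK
Cert Status: good'
printf '%s\n' "$sample" | classify_ocsp    # prints: good

# Only touch the network when a hostname is given on the command line.
if [ -n "${1:-}" ]; then
    check_site "$1"
fi
```

Run it against a staging host from the region your customers are in; timing the `openssl ocsp` call a few times is the cheapest way to compare responder latency between CAs, which is the "fast ping times on revocation requests" this answer refers to.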

Creating a new SSL certificate has no cost for Certificate Authorities (if we don't consider the cost of staff, electricity, keeping servers secure, etc).

But other services that they offer, like insurance, can make a difference in prices.

So, they can charge you as much as they want, $1 or $10000, it's their own kindness :)

Masoud
  • This answer may be true for DV certs, but the question is asking about EV certs which require many hours of humans doing background checks on the applicant organization. These people are expensive. – Mike Ounsworth Jul 10 '15 at 20:27
  • @MikeOunsworth, I wrote that in my answer too, in the first line. I don't know why my answer gets downvoted while others get upvotes?!! – Masoud Jul 10 '15 at 22:05
  • 'No cost if we don't consider the cost of staff, electricity, keeping servers secure etc' is a contradiction in terms and it also omits many other costs. It is a meaningless statement. – user207421 Jul 11 '15 at 00:31