65

Recently I needed to purchase a wildcard SSL certificate (because I need to secure a number of subdomains), and when I first searched for where to buy one I was overwhelmed with the number of choices, marketing claims, and price range. I created a list to help me see past the marketing gimmicks that the greater majority of the Certificate Authorities (CAs) and resellers plaster all over their sites. In the end my personal conclusion is that pretty much the only things that matter are the price and the pleasantness of the CA's website.

Question: Besides price and a nice website, is there anything worthy of my consideration in deciding where to purchase a wildcard SSL certificate?

user664833
  • 1,277
  • 1
  • 11
  • 13
  • 3
    One criteria that should *not* drive your decision is security of the CA. And it is important to understand why. The reason is that any CA you are not doing business with could compromise your security just as easily as one that you are doing business with. There are two ways poor security of a CA could harm you. If they get your credit card number, they could leak it (this is not different from any other online transaction). And if they do something so bad that browsers stop trusting them, you need to get a new certificate from a different CA on short notice. – kasperd Sep 02 '14 at 11:21

4 Answers4

49

I believe that with respect to deciding where to purchase a wildcard SSL certificate, the only factors that matter are the first year's cost of an SSL certificate, and the pleasantness of the seller's website (i.e. user experience) for the purchase and setup of the certificate.

I am aware of the following:

  • Claims about warranties (e.g. $10K, $1.25M) are marketing gimmicks - these warranties protect the users of a given website against the possibility that the CA issues a certificate to a fraudster (e.g. phishing site) and the user loses money as a result (but, ask yourself: is someone spending/losing $10K or more on your fraudulent site? oh wait, you are not a fraudster? no point.)

  • It is necessary to generate a 2048-bit CSR (certificate signing request) private key to activate your SSL certificate. According to modern security standards using CSR codes with private key size less than 2048 bits is not allowed. Learn more here and here.

  • Claims of 99+%, 99.3%, or 99.9% browser/device compatibility.

  • Claims of fast issuance and easy install.

  • It is nice to have a money-back satisfaction guarantee (15 and 30 days are common).

The following list of wildcard SSL certificate base prices (not sales) and issuing authorities and resellers was updated on May 30th, 2018:

 price |
/ year | Certificate Authority (CA) or Reseller
($USD) |
-------+---------------------------------------
    $0 | DNSimple / Let's Encrypt *
   $49 | SSL2BUY / AlphaSSL (GlobalSign) *
   $68 | CheapSSLSecurity / PositiveSSL (Comodo) *
   $69 | CheapSSLShop / PositiveSSL (Comodo) *
   $94 | Namecheap / PositiveSSL (Comodo) * (Can$122)
   $95 | sslpoint / AlphaSSL (GlobalSign) *
  $100 | DNSimple / EssentialSSL (Comodo) *
       |
  $150 | AlphaSSL (GlobalSign) *
  $208 | Gandi
  $250 | RapidSSL
  $450 | Comodo
       |
  $500 | GeoTrust
  $600 | Thawte
  $600 | DigiCert
  $609 | Entrust
  $650 | Network Solutions
  $850 | GlobalSign
       |
$2,000 | Symantec

* Note that DNSimple, sslpoint, Namecheap, CheapSSLShop, CheapSSLSecurity, and SSL2BUY, are resellers, not Certificate Authorities.

Namecheap offers a choice of Comodo/PostiveSSL and Comodo/EssentialSSL (though there is no technical difference between the two, just branding/marketing - I asked both Namecheap and Comodo about this - whereas EssentialSSL costs a few dollars more (USD$100 vs $94)). DNSimple resells Comodo's EssentialSSL, which, again, is technically identical to Comodo's PositiveSSL.

Note that SSL2BUY, CheapSSLShop, CheapSSLSecurity, Namecheap, and DNSimple provide not only the cheapest wildcard SSL certs, but they also have the least marketing gimmicks of all the sites I reviewed; and DNSimple seems to have no gimmicky stuff whatsoever. Here are links to the cheapest 1-year certificates (as I can't link to them in the table above):

As of March 2018 Let’s Encrypt supports wildcard certificates. DNSimple supports Let's Encrypt certificates.

user664833
  • 1,277
  • 1
  • 11
  • 13
  • 1
    Look at the price per instance - e.g. I can have 100000000000000 servers and pay to my CA only 1 price. Many CA's want money for every server! – Arek B. May 28 '14 at 21:55
  • 1
    Maybe I missed it, but I did not see any reference to *price per instance* on the CA sites I looked at. I am hosting on Heroku, where my app is running on multiple dynos (*virtualized Unix containers*), and [Heroku's SSL endpoint documentation](https://devcenter.heroku.com/articles/ssl-endpoint) does not mention anything about instances or dynos - so I suppose *per instance pricing* is not pertinent to my particular needs.. though of course others may find your comment insightful. Thanks anyway! – user664833 May 28 '14 at 22:16
  • 2
    Per-server pricing just doesn't make any sense. Once you have a certificate, you are absolutely free to export it from a computer and import it on any other one. – Massimo Sep 01 '14 at 21:22
  • @Massimo Per-server licenses used to be fairly common. Enforced just like you'd enforce an older Windows license - contracts and the honor system. – ceejayoz Sep 03 '14 at 13:50
  • @ceejayoz Ok, I was meaning there are no *technical* restrictions on installing the same certificate on multiple servers (and there are indeed scenarios where this is a requirement, f.e. load-balanced web servers). Of course, contracts can say otherwise. – Massimo Sep 03 '14 at 16:17
  • There are places to get AlphaSSL and PositiveSSL wildcard much cheaper than what you listed. AlphaSSL is particularly cheap. –  Apr 08 '15 at 23:34
  • A bit late but here you can get Comodo Positive Wildcard for $79.99 https://www.hostedo.com/comodo-positive-wildcard-ssl.php I've used Hostedo before and Namecheap. Either option is great but some are cheaper than the other. In my opinion price is the leading factor. – Pancho Oct 19 '15 at 22:25
  • @Pancho, thanks for your comment, but I just want to clarify that that price is for the upfront purchase of 3 years; a single year costs $90. As an aside, personally, I am not a fan of `.99`-style pricing, as it is nothing but psychological trickery and hence a point of dishonesty. – user664833 Oct 21 '15 at 23:37
11

Another point to consider is the reissue of certificates.

I didn't really understand what this meant until the heartbleed bug came along. I'd assumed that meant they'd give you a second copy of your original certificate, and I wondered how disorganized one had to be to need that service. But it transpires that it doesn't mean that: at least some vendors will happily stamp a new public key as long as it happens during the duration of validity of the original certificate. I presume they then add your original certificate to some CRL, but that's a good thing.

Reasons you would want to do this are that you've corrupted or lost your original private key, or via some means have lost exclusive control of that key, and of course the discovery of a worldwide bug in OpenSSL that makes it likely that your private key was extracted by a hostile party.

Post-heartbleed, I regard this as a definite good thing, and now keep an eye out for it in future certificate purchases.

user664833
  • 1,277
  • 1
  • 11
  • 13
MadHatter
  • 78,442
  • 20
  • 178
  • 229
2

While price is probably a key issue, the other issues are the credibility of the provider, browser acceptance and, depending on your competence level, support for the installation process (a bigger issue than it appears, especially when stuff goes wrong).

It is worth noting that a number of providers are owned by the same top-end players - for example Thawte and Geotrust and I believe Verisign are all owned by Symantec - Thawte certs are, however, much, much more expensive than Geotrust for no compelling reason.

On the other extreme, a certificate issued by StartSSL (who I'm not knocking, I think their model is cool), is not as well supported in the browser and does not have the same level of credibility as the big players. If you are wanting to plaster "security placebos" across your site, it's sometimes worth going to a bigger player - although this probably matters a lot less for wildcard certs then it does for EV Certs.

As someone else pointed out, another difference may be the "crock of junk" that is associate with the cert - I know the Thawte EV Certs I was previously instructed to get only allowed for use on a single server, while the Geotrust certs I later persuaded management to replace them with were not only cheaper but did not have this limitation - an entirely arbitrary limitation imposed by Thawte.

user664833
  • 1,277
  • 1
  • 11
  • 13
davidgo
  • 5,964
  • 2
  • 21
  • 38
  • 4
    Provider credibility is pretty much meaningless. If it's got the padlock icon users don't care. If you're working with a Fortune 500 company with a security team they may require a particular vendor, but otherwise... who cares? As for StartSSL, they appear to be widely supported: "all major browsers include support for StartSSL" - http://en.wikipedia.org/wiki/StartCom – ceejayoz Jun 03 '14 at 18:15
  • 1
    If a provider that does charges for revokation in light of heartbleed and them being hacked don't make a difference, and hours of downtime to regenerate certs don't damage a companies credibility then Startssl you are correct about credibility (I like startssl, but thats a different topic). While their browser acceptance is very high it is lower then other providers - see https://forum.startcom.org/viewtopic.php?f=15&t=1802 – davidgo Jun 04 '14 at 01:43
  • 3
    How many end-users do you think a) check to see who issued a certificate and b) know about StartSSL charging for Heartbleed revocations? Hell, *I* don't check who issued an SSL. What they did *sucks*. The number of people you'd lose by using their certificates probably numbers in the single digits is all I'm saying. – ceejayoz Jun 04 '14 at 01:46
  • Note that StartSSL will no longer be trusted by Google Chrome. See https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html – sbrattla Nov 18 '16 at 10:01
  • @sbrattla yup - of-course, startssl is no longer the company it was when I wrote this comment. Wosign acquired it - stealthily - in November 2015. – davidgo Nov 18 '16 at 18:34
  • Run a few sites off a StartSSL wildcard cert - ceased working for Chrome yesterday. Had this reply from them: <> That's Months with an M. Geeze – justSteve Mar 23 '17 at 10:33
1

You must select Wildcard SSL certificate based on your security needs.

Before Purchasing Wildcard SSL Certificate you must aware about a few factors mentioned below

  1. Brand's Reputation & Trust Level: As per recent survey of W3Techs on SSL certificate authorities, Comodo overtook Symantec and become most trusted CA with 35.4% market share.

  2. Types Features or Wildcard SSL: SSL Certificate authorities such as Symantec, GeoTrust and Thawte are offering Wildcard SSL Certificate with business validation. The attracts more visitors and increases customer's trust factor as well. Whereas other CA, Comodo and RapidSSL are offering Wildcard SSL with domain validation only.

Symantec's Wildcard SSL also comes up with daily vulnerability assessment which scans each single sub-domain against malicious threats.

Wildcard with Business validation displays organization name in URL field.

  1. SSL Price: As Symantec offering multiple features along with wildcard, its price is high compared with Comodo and RapidSSL.

So, If you wish to secure your website and sub-domains with business validation you have to choose either Symantec, GeoTrust or Thawte and for domain validation you can go with Comodo or RapidSSL. And if you wish to install multi layer security with daily vulnerability assessment you can go with Symantec's Wildcard Solution.

Jake Adley
  • 137
  • 4
  • 5
    Thanks for your answer, however I do not agree that market share implies trust. Comodo may have the largest market share because website owners prefer cheaper certificates, not because they trust Comodo any more than Symantec. It is quite a jump to conclude that Comodo is most trusted when its market share is a mere `3.3%` ahead of Symantec; also, if a person sees that a site is using a Verizon certificate, will their trust correspond to Verizon's SSL certificate market share of `0.7%`? - No. Business validation is a nice touch, however I question what difference it makes to the common person. – user664833 May 07 '15 at 23:17
  • I agree with the above comment. Comodo has been hacked more than once and their signing keys pilfered. The transcripts from the hackers are still floating around the web to this day (look for ZF0 and Comodo). They were very sloppy in the handling of their signing certs. – Aaron Nov 30 '16 at 21:35