We're looking to purchase some SSL certificates to secure the login pages of ecommerce sites. It is not required to secure the actual payment process as this is protected by a third party with its own verisign certificate. rapidSSL looks like a good (and cheap) option but a salesperson has told me that they are only suitable for "test sites" and recommended that we use one that is 4 times the cost. Can anyone make any recommendations about what we should be looking for and what we should consider?
Thanks.
Best Answer
Certificates are, regardless of what sales people say, objectively pretty much all the same with regards to encryption. They all enable 'good enough' encryption, which really mostly depends on the configuration of the web servers, and somewhat on the capabilities of the browser. The US ban on exporting strong encryption was lifted some years ago, so today pretty much all browsers will support a 128-bit Twofish or AES encryption, if the server proposes this. (Surprisingly many servers still use 56bit DES, RC4 or other weaker schemes, due to ignorance of the sysadmin, or to lower CPU load on the server.)
The problem of long daisy-chained certificate trust relationships is also pretty much gone. Most browsers today have a fairly complete set of pre-installed trusted CAs. Open your browsers cert UI to see yours (Firefox 3: Tools > Options > Advanced > Encryption > View Certificates).
From time to time you can find promotions where resellers offer Comodo, Digicert or similar certificates for ~20 USD or so.
The level of 'trust' your site inspires in customers may be a consideration. Arguably, a Verisign site seal and the green Extended Validation bar in compliant browsers is better than a simple 128 bit encryption with a certificate from GoDaddy. It's hard to tell, it will depend a lot on your user demographics, age, computer literacy et cetera.
One thing: It can be beneficial to keep your DNS Whois information accurate, as it is a big part of how CAs verify you before issuing a certificate. I would imagine that getting your certificate from someone you're already doing business with, such as your web host / DNS registrar, is easier than getting verified by Comodo, Thawte etc.
So my proposal is to asses your users, and whether a more 'trustworthy' branding on the site seal will create more sales. And then do one of the following:
The "Extended Validation" certificates add some value IMHO, because the browsers visually assure users that everything is OK with the green address bar, prominent company name etc. Unfortunately, these certificates are also expensive, and more annoying to get validated for.