Is Free SSL a Myth?
Any administrator of a web server knows that SSL (Secure Sockets Layer) certificates are an evil reality in the world of the web. SSL certificates are required on our servers to provide secure communication between the server and the web browser. But to obtain a certificate, an administrator must often pay in excess of $100 per domain. Why is this so expensive?
Fundamentally, a certificate serves two purposes. First, and most obviously, it secures the data being transmitted between the two computers in the conversation. Secondly, it can be used to verify that a server using that certificate is the server to which the certificate was issued.
The first purpose is easily served by any generic certificate. An encrypted tunnel between the browser and the server prevents eavesdroppers from intercepting the information that is sent between them. A certificate authority is not necessary to create this tunnel. But to establish the identity of the certificate provider, you need to rely on a third party to verify the identity of that server. And that's where these certificate authorities are catching on and giving us admins the shaft.
But what can we do? If the technology is so simple, why are certificate authorities charging so much? I'm not sure why they're so expensive. There are some places you can get cheaper SSL certificates, like GoDaddy. But to use the big guys, you're going to pay through the nose.
So why aren't there any issuers of free SSL certificates? Well, there are.
StartCom and CAcert offer free SSL certificates that work exactly the same as any certificate that you would find on any other site. The trouble is that because your browser does not recognize them as a certificate authority, the certificates they issue are also not trusted by your browser. Their certificate has to come with your browser in order for your browser to trust them. Because this is not the case, your browser will always treat certificates authenticated against these services as suspect, unless you explicitly instruct your browser to trust them.
Microsoft and the Mozilla team would have you believe that these free issuing agencies cannot be trusted, but I can't imagine why. Both services have issued thousands of free certificates to users who can't or won't afford the big name certs. All of these certificates work as soon as you trust the provider, which is often as simple as visiting a web site and confirming the addition of a new certificate authority into the browser's certificate store.
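As an added illustration (not part of the original post), this shell script uses the `openssl` command line to build a private CA standing in for one the browser does not ship. It shows that the CA's certificates fail verification until the CA is explicitly trusted, and that once it is trusted, every certificate it signs verifies, whatever the hostname. The CA name, the hostnames and the `WORK` directory are constructed for the example.

```shell
#!/bin/sh
# Added example: constructed names and throwaway keys; nothing here comes from a real CA.
WORK=$(mktemp -d)

# Create a private root CA (stand-in for a CA the browser does not ship).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Constructed Free CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue a leaf certificate for hostname $1, signed by that CA.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/$1.csr" -days 30 \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/$1.crt" 2>/dev/null
}

# Succeeds only if the chain validates against the system's default trust store.
verify_default() {
  openssl verify "$WORK/$1.crt" 2>&1 | grep -q ': OK$'
}

# Succeeds if the chain validates once the CA is explicitly trusted.
verify_with_ca() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" 2>&1 | grep -q ': OK$'
}

demo() {
  make_ca && issue_cert www.example.test && issue_cert bank.example.test || return 1
  verify_default www.example.test && echo "default store: trusted" \
                                  || echo "default store: NOT trusted"
  verify_with_ca www.example.test  && echo "CA added: www.example.test trusted"
  # Trusting the CA is not scoped to one site: any name it signs now verifies.
  verify_with_ca bank.example.test && echo "CA added: bank.example.test trusted too"
}

demo
```

The last check is the one to weigh before importing a root: the trust decision covers the issuer, not the single site that prompted it.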
Is there some kind of conspiracy against free authorities to keep the rates up for all the other providers? Maybe I'm paranoid, but that's how it sounds to me.
Until the browsers start to support these root certificates, though, I think I'm out of luck. I'll end up paying $29/year at GoDaddy for something that I barely use, just like everyone else.
Comments
Comment by Pat on .
There are lots of interesting issues related to certs... What they prove isn't what most people think they do. Bruce Schneier had a post about this a while back (which I haven't the time to find).
When you add random joe-schmoe's cert to your trusted authorities, you're opening yourself up to a potential world of pain. The concept of "trust" is something one can't take lightly. If you add a cert to your trusted cert authorities, you're making a BIG security decision. You're essentially saying that you trust everything that that company does with its cert. If one day it's leaked or the company gets bought by another company or they just decide to release it, you could be hurt.
When you pay for a certificate, you're paying for a lot of different things... that company is accountable for their actions. I imagine there are licensing/contracts signed and/or agreements made. Along with some processing costs (wouldn't you like them to do at least some minimal verification to prove that people are who they say they are, or would you like other people to publish things claiming to be from asymptomatic.net?), you're paying for their security measures (for you can't be more secure than they are), legal issues, storage, transportation, billing, and other overhead, and that's just what I can imagine (besides profit, of course).
Does that justify the prices they charge? I don't know, but it's an easily competitive market... Anyone can get in on it. While there's certainly a large amount of name-brand recognition there, if you do a good job, you can easily jump in and be successful. If there were big profits to be made, I'm sure lots of people would be trying to get into it.