This week I added an SSL certificate to WebKeyDesign, so that our clients could have encryption for some of the services they use and to assure new clients using our web hosting form that there information was secure. Needless to say if you have taken a look at the SSL market, the prices do seem to be out of line with the web hosting and domain registration markets. For example a small personal site for hosting and domain registration could cost as little as $60 for the year, but a basic one domain only SSL certificate costs you anywhere from $49 to $150 for the year! This does not even include the fee that most web hosts have to charge you for installing the certificate, which could be another $50.
The main reasoning for SSL certificates is that for ecommerce, you really need to offer encryption for credit card transactions, but also SSL certificates are suppose to convey some sort of validity to your site visitors. The encryption is easy to do, you could generate what is called a free SSL certificate, but no browser would recognize your certificate as being properly authorized, hence free certificates convey no such trust to your site visitors, and so are inadequate for ecommerce sites. This leaves you with only a proper authorized certificate, which come in many forms and which offer different features. The idea being that the more features a Certificate Authority offers you, the more trusted your site will seem.
As a webmaster then, it would seem that if you just pick the most expensive SSL certificate, then this would equate into more transactions, but this is not always the case. The problem is that many internet users do not know the difference between an expensive SSL certificate and an inexpensive one, most site users end up just looking for the little padlock icon that shows up somewhere in the corner of their browser. No padlock, means no security in the mind of most site visitors. The case is only slightly different with more adapt internet users, but it still comes down to just secure or not secure. An avid internet user may just look for the url to start with https and view that as being secure. For the most part both of these conclusions are correct, that the padlock and https urls indicate secure encryption, or at the very least some sort of secured connection between the browser and the web site. However that is far as it goes, you cannot really know how any SSL certificate or feature will really be viewed by site vistors. Trust level is something that may be very hard if not impossible to properly quantify. Yet all the Certificate Authorities, try to sell their certificates on the idea that they do in fact make your site more trustworthy.
This is why the news that browser developers agreeing on new security features is big news for webmasters and the certificate authorities. It could mean that there will be more diversity in the SSL Certificate market, and that perhaps more webmasters will be able to afford recognized SSL certificates for their smaller web sites, while at the same time the market can expand and grow beyond the limited number of sites today. After all everything else in the internet market has come down in price, why not SSL certificates.
Mozilla’s Frank Hecker offers his own thoughts on where Mozilla’s Policy on CA Certificates is going, and then discusses the business of Certificate Authorities and why the market has been stagnant. It’s a rather interesting read as to why SSL certificates are still rather expensive and why security means different things to different people.