Jun 12, 2020

An SSL Certificate is An SSL Certificate is An SSL Certificate

You are probably looking at the title of this post and scratching your head right about now. Allow me to try to explain my thought process here. Many moons ago I worked as a Systems Engineer for a SharePoint consulting company. It was the first place I started messing with SSL certificates for encryption. Granted, I didn't know as much about them as I do now, but I had the basics down.

One thing we did there was purchase GoDaddy SSL certificates because, at the time, they were probably the cheapest third-party certificates out there. Shortly after I started buying them, I found the now-defunct StartSSL, which issued free third-party SSL certificates that were trusted by browsers.

It was around this time I realized that as long as a browser trusted a certificate, it really didn't matter which third-party certificate company you went with. I mean, the technology is the same. A certificate is just a small, standardized file (base64-encoded DER inside a PEM text file) that holds a public key, the subject and issuer names, the validity dates, a few extensions and the CA's signature over all of it; the matching private key is another small file that stays on your server. There is nothing inherently special about a Verisign certificate vs a DigiCert certificate vs a Sectigo certificate... Basically, an SSL certificate is an SSL certificate is an SSL certificate. Do you follow me?

One might have argued back then that an EV, or Extended Validation, certificate is a little more special, but even then every major commercial certificate authority offered those, some cheaper than others, and again my point is proven.

Well, I just stumbled on an article from Paradox Labs that backs my original thought on this, and goes a little bit further by arguing that even EV certificates are kind of unnecessary now, and you might as well just go with a free third-party certificate authority like Let's Encrypt!

...as of Autumn 2018 browsers are increasingly hiding the only information that distinguishes between these two types of certificates. It is fully possible some users will never know a site has an EV certificate in use. Google and Apple have already shown that they can and will stop showing the added benefits of higher cost security certificates, and most others will surely follow. Moreover, most users do not care or know the difference between a DV or EV certificate. To most people a site either has the padlock, or it does not, and if an EV certificate is visible, they often find the additional information confusing.

So then, why pay for these fancy certificates? Some certificate providers will offer a “warranty” on a certificate purchase. Cutting to the chase, it is not clear what value these warranties provide. There is no record of anyone using a certificate warranty, and there may not ever be. As the benefits of the higher end certificates continue to dwindle into irrelevance, all that remains is the normal, trusted, DV certificates that throw up the padlock and say it has a secure connection. This lock could be green, or grey, or whatever color the browser chooses to display. The fact of the matter is that the browser controls how the certificate displays to the user, not the certificate.

What do you think about this? Do you agree with Paradox Labs? Let us know what you think in the comments!

