hip2b2 asks:
"SSL over HTTP is becoming a very popular way of securing websites for eCommerce and other forms of secure transactions. A vital ingredient of an SSL-protected website is an SSL certificate.
In the Philippines, most of the secure websites here buy their certificates from Verisign.
Why should we trust a certification authority that is located in a different country and charges an arm and a leg for a certificate instead of a local one? I can pay 349USD for a Verisign or 125USD for one from Thawte, which is not cheap here. With an exchange rate of around 48.50PHP per USD, this amount is beyond the reach of most local sites who just want to set up secure sites to try out the technology or use it for some charitable purpose. How do we expect to promote the use of SSL in our websites locally with these prohibitive costs? This problem is not limited to the Philippines; I presume that other countries could also relate to this issue." Right now, the cost of an SSL certificate is one of the prices for doing business on the internet (in addition to bandwidth costs), but what would it take to start up another company that issues CAs, especially if you want to do it outside of the US?
"Is it a question of trust? Do local ecommerce and secure sites trust Verisign more than, say, a local company that provides secure certificates? What confuses me is why there is no proliferation of trusted local institutional CAs. In the future, Verisign might end up being another Network Solutions.
Oh wait! Network Solutions is a Verisign company!
What are the barriers for setting up local country CAs? Right now, I presume that browser makers are the ones listing the trusted root CAs in their browsers by default. If my university were to set up a root CA, how would we get Netscape and the other browser makers to recognize us? Or is there some sort of governing body for assigning root CAs, like ICANN is supposed to be for name resolution? Or could this be one of ICANN's eventual functions?"
The reason for having these expensive certs from these companies is that you are paying for that level of trust. If I was giving out certs for free there would be no reason at all to trust me. However, having a big name like Verisign as the provider of your cert is like wearing brand-name clothes: it's a status symbol and it brings with it a level of trust, which is very important for ecommerce sites to have.
From what I've seen, it's not at all hard to get a bogus cert. You're basically paying for a rubber stamp. The primary reason certs are used is simply to convince the browser to open an SSL session without popping open 6 dialog boxes worth of FUD.
The certs themselves are simple enough to create (including a CA cert).
What is really needed is various levels of cert, from self-generated ones that simply allow encrypted connections all the way up to one that represents careful auditing and controls to surely verify the identity of the server on the other end.
I notice that it costs a lot more to get a wildcard cert (*.my-domain) than a single one (www.my-domain) even though the level of verification is the same.
- A CA will just have to convince the open source projects (possibly by donating money and/or servers and/or people contributing to the browser code) to get their cert in the default setup.
This is a Bad Thing(tm). By allowing an open-source project to include the CAs they want, I anticipate a veritable fuckload of weird CA certs embedded in Mozilla. (Maybe the Powers That Be on Mozilla or other OSS browsers will be hyperclued, but I, for one, don't want to take that risk.) Instead, OSS browsers should contain no CAs. Upon install, the browser may bring up instructions on how to find the most popular CA root certs. Then Joe Six-Pack will have to get them, or find himself constantly nagged on SSL sites. The upshot will be that the browser is not quietly trusting anyone, and Joe Six-Pack now has an awareness of CA certs and how to load them.
Trouble is, you probably have to run the server on an MS-DOS machine, using M-LINK to communicate. Even after 2-3 months of talking to them, I couldn't get them to understand that our modems were not attached to the PCs, were not on COM2 and did not work with DOS. Their answer? Buy more phone lines, and a modem for each PC. It's 1999, you should have a modem for each PC.
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
Equifax marked my cert as suitable for use as a CA. Fortunately Thawte set the maximum chain length to one so I can't actually sign other certs. If they hadn't done this I would be able to set up my own CA, and the browsers would give it the same trust they give Thawte. Scary.
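The path-length control the post describes, as an added Go example that is not from the post or from any CA: a constructed root CA carries pathlen:0 (the "maximum chain length" the post mentions, modelled here as that basicConstraints limit), issues a server certificate that is wrongly flagged CA:TRUE, and that server key then signs a further certificate. Go's verifier accepts the legitimate chain and rejects the second one purely because of the root's pathlen, which is exactly the check that stops such a cert from acting as a CA. All names and keys are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// tmpl builds a certificate template: isCA sets basicConstraints CA:TRUE, pathLenZero adds pathlen:0.
func tmpl(serial int64, cn string, isCA, pathLenZero bool) *x509.Certificate {
	ku := x509.KeyUsageDigitalSignature
	if isCA {
		ku |= x509.KeyUsageCertSign // a CA must be permitted to sign certificates
	}
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, KeyUsage: ku,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, MaxPathLenZero: pathLenZero, // MaxPathLen stays 0; the flag decides if pathlen:0 is encoded
	}
}

// issue has signer (the parent's private key) sign template t for public key pub, then parses the DER.
func issue(t, parent *x509.Certificate, pub, signer any) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		panic(err) // all templates are constructed here, so a failure is a bug in this demo
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// PathLenDemo returns (server chain verifies, rogue chain verifies); every name here is constructed.
func PathLenDemo() (bool, bool) {
	newKey := func() ed25519.PrivateKey { _, k, _ := ed25519.GenerateKey(rand.Reader); return k }
	rootKey, srvKey, rogueKey := newKey(), newKey(), newKey()
	rootT := tmpl(1, "Example Root CA", true, true)                                             // pathlen:0: nothing below it may act as a CA
	root := issue(rootT, rootT, rootKey.Public(), rootKey)                                      // self-signed root
	srv := issue(tmpl(2, "www.example.test", true, false), root, srvKey.Public(), rootKey)      // server cert flagged CA:TRUE by mistake
	rogue := issue(tmpl(3, "bank.example.test", false, false), srv, rogueKey.Public(), srvKey)  // signed with the server key
	pool := func(c *x509.Certificate) *x509.CertPool { p := x509.NewCertPool(); p.AddCert(c); return p }
	opts := x509.VerifyOptions{Roots: pool(root), Intermediates: pool(srv), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	_, srvErr := srv.Verify(opts)     // root -> server: zero intermediates, accepted
	_, rogueErr := rogue.Verify(opts) // root -> server -> rogue: one intermediate exceeds pathlen:0, rejected
	return srvErr == nil, rogueErr == nil
}
func main() { fmt.Println(PathLenDemo()) }
```

Running it prints `true false`: the server cert chains to the root, while the certificate it signed does not, even though the server cert says CA:TRUE.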
I found Equifax fine for customer service. Installing the cert was a bit of a nuisance because there was an extra step in the chain compared to a Thawte or Verisign cert. However once that was overcome everything worked fine.
You guys need to check out http://www.freecert.org. The project is designed to provide free or low-cost SSL certificates to individuals and qualifying organizations. It's a great project - and it would get a big boost with some more people. So go check it out and volunteer!
Ten Risks of PKI: What You're not Being Told about Public Key Infrastructure By Carl Ellison and Bruce Schneier
Very informative (mirrored) document explaining this question and others in detail.
Root CAs are not just added to the browsers by default. The companies representing the CA must PAY Netscape and Microsoft to have them in there. And trust me, it is A LOT of money. I worked for a company that has a CA, and when we wanted to put it in the browsers, it cost us on the order of US$200,000 to get it in both. And if you don't have your CA in the browsers, and you try to set up SSL with the browser using a certificate issued by your unlisted CA, the browser freaks out, basically telling the user the site is NOT TRUSTED. This is a good mechanism in theory, but when the browsers charge this kind of money, it borders on holding a company hostage.
Of course, you can always manually import a root CA, but this is generally beyond the scope of Joe Six-Pack just trying to login to check his stock quotes.