: Why is godaddy HTTPS/SSL certification so much cheaper than digicert, thawte, and verisign? I am a novice on HTTPS/SSL but GoDaddy charges .99 and Digicert, thawte, and Verisign charge 0-1000+

@Jennifer507

Technically there is no difference. Most of the certification authorities offer similar products, standard validation or extended validation where owner's organisation / company and domain is checked and wildcards.

What makes the price different is:


Branding
Warranty
Quality of service
Quantity


For branding, best example would be Digicert - they issued certificates to brands like Twitter, Facebook, even StackExchange. To land this kind of clients it takes some persuasion and branding budget, there is no proof they have better technology than anybody else.

Warranty is something like insurance. It is usually an amount between 0 and millions of dollars, it basically tells you how high is CA insured when selling you the certificate, if something like fraudulent credit card transaction happens and it will be their mistake, they will cover the costs up to the warranty height. With standard SSL certificates its mostly up sell for the CA company so they can charge owner more, because the encryption technology and security is the same, with EV certificates warranty may have some use, but usually when you read terms and conditions, you will laugh and see the irony of it all.

Quality of service is something that is usually very subjective dependent on the paying client. Some CAs have systems for their big clients that can help you keep track of your purchased certificates, if own or manage more than hundred of certificates, you may actually rather pay little more and have better managing software, dashboard, wider credit card billing options, tools for certificate maintenance, reporting tools, some CA's even offer security tips for server implementation.

Quantity makes prices go down. As CA if you sell more, your prices are lower, as a client when you buy more, you may ask for better prices.

Vote Up Vote Down

@Cugini213

I was working for a third party company on a web project for a large tech corporation. We used a GoDaddy SSL certificate and found that this CA was rejected on internal company networks.

The corporation at that time (2 years ago) did not automatically accept GoDaddy as a trusted authority. It was only with much persuasion that our certificate was accepted.

If we'd have used a premium brand such as Thawte there would have been no problem. I'm not sure why the corporation had this policy but maybe the price point of the certificate made them seem less trusted.

This is the only real world difference between certificates from GoDaddy and other large CAs I have come across.

Vote Up Vote Down

@Heady270

I had just found that GoDaddy doesn't allow "duplicates" certificate for your wildcards SSL. (as opposed to say, GlobalSign, DigiCert, which do allow them, and unlimited number of them)

That's a pity since this is often used when you manage a farm of server and each one has its own private key / csr.

Vote Up Vote Down

@Tiffany637

To be quite honest. there is absolutely NO difference when it comes to SSL certificates. The only contributing factor is the EV / non EV / Wildcard tags.

EV == Extended Validation: This means the site is actively " pinged " by the Certificate Authority on the provided IP of the domain, then a server-side script compares the IP address of the ping response from the CA, and the IP address YOU are visiting. This does NOT guarentee that there isn't a man-in-the-middle attack, or net-wide DNS poisoning. This just ensures that the site you are viewing is the same one the CA sees.

Non-EV == no one is actively checking the domain's IP against a logged / provided IP for security purposes.

Wildcard == *.domain.com based Certificates are often used when people have a multitude of subdomains, or a set of subdomains that are ever-changing, but still need valid SSL encryption.

The truth behind SSL Certificates.

You can make your own. They are no less secure than any other certificate. The difference being a " self-signed " certificate is not " vouched for " by any third party.

The problem with SSL Certificates is they are extremely over-priced for what they are. There is absolutely NO garentee that the site you are visiting belongs to whomever is listed on the certificate as owner / location etc. This defeats the purpose of the third-party-trust-chain model SSL was developed to use.

ALL Certificate Authorities known as CA's that sell their certificates, wants the user to believe that their certificate is somehow better. When in fact, they never check the information provided for the certificate unless there is an issue that may cost them revenue. This practice also defeats the purpose of the SSL trust-chain model.

I know of only ONE CA that indeed validates it's certificates. This is CACert.org.

For them to issue a " complete " certificate (business name, name, addres, phone etc..) you must meet one of their assurer's FACE-TO-FACE!.

However. most browsers do not use CACert.org due to pressures added to them by mega corporations like Thawte, Comodo, and Verisign.

So.. to sum it all up.

The only differences between certificates is the behavior of the CA.
Certificates can't really be trusted to verify anything other than the connection to the site is useing encryption.

At the end of the day, people think paying 0 - 00 somehow equates to trustworthiness. This is NOT the case. It just means you deal with less sophisticated or less established crooks.

Vote Up Vote Down

@Tiffany637

Which is worth more, a reference from me or a reference from Bill gates? You have to remember that certs are more than a technical solution, they are someone vouching for you and companies can set whatever price they think their reputation is worth.

Vote Up Vote Down

@Reiling115

Apart from unserious offerings, you can distinguish between cheaper domain-validated SSL certificates and the more expensive extended-validation SSL certificates (EV).

Both certificates are technically the same (the connection is encrypted), but domain-validated certificates are cheaper, because the seller only have to check the domain. The EV-certificates also require information about the owner of the domain, and the seller should check, if this information is correct (more administrative effort).

Normally you can see the difference when you visit the site with a browser. Firefox for example will highlight the domain in blue for domain-validated SSL, and green for extended-validation SSL.

Two examples:

accounts.google.com/ (domain-validated) www.postfinance.ch/ (extended-validated)


In most cases the domain-validated certificate is fine, the user will have no disadvantages and the EV-certificates are really (too) expensive.

Vote Up Vote Down

@Murphy175

From the GoDaddy website:


Enjoy the backing of established
industry standards. There is
NO TECHNICAL DIFFERENCE
between our certificates and any
other major Certification Authority.


Source: www.godaddy.com/ssl/ssl-certificates.aspx?ci=9039

Pricing is a funny thing sometimes. While I have no idea why GoDaddy prices their products the way they do some companies go for more customers at a cheaper rate, whereas others go for a higher price and attract less customers.

As a simple comparison, Company 1 can attract more customers by offering their products at a cheaper price. However Company 2 can offer their products at a higher cost, which could offset a lower number of customers.

Company 1: 100 customers paying /month = ,000/year

Company 2: 200 customers paying /month = ,000/year

So as you can see in this VERY SIMPLE comparison, both models ended up with the same annual revenue, however one company offered their product for twice as much as the other.

Vote Up Vote Down