Question

How to choose the right SSL Certificate for the appropriate level of security (versus the money)

Asked by: John500

I want to move forward and purchase a server certificate but I'm not sure what the best option is.  If you take a look at the picture below, Verisign offers all kinds of options.  Obviously the most expensive 1 year option would probably offer the best security (I'm guessing) but I'm just trying to gauge when it becomes overkill.

$1,500 for one year would be an awfully high amount if it ends up that we didn't even need anything more than the $400 package.

I realize 128 bit would have to be better than 256 bit - but again, why?  What would be a few good examples of why I should choose something higher than 256 bit?

Thanks!!

Asked on 2009-10-20 at 13:08:55, ID 24828328

Tags: Web security, SSL, certificates

Topics: Web Servers, Secure Socket Layer (SSL) & HTTPS, Encryption for Network Security

Participating Experts: 1, Points: 500, Comments: 17


Answers

 

by: John500, posted on 2009-10-20 at 13:19:07, ID: 25618105

The picture wouldn't take in the first post so here it is:

 

by: Tolomir, posted on 2009-10-20 at 13:30:04, ID: 25618216

Take a look at this SSL vendor: GeoTrust

http://www.geotrust.com/ssl/compare-ssl-certificates.html

This is what we use in our company. Their public key certificate is included in all web browsers, so there is no problem using them.

For a single site use either

QuickSSL® $249 or
True BusinessID $399

per year.

Tolomir



 

by: Tolomir, posted on 2009-10-20 at 13:32:57, ID: 25618252

More info about them:

GeoTrust® is the world's second largest digital certificate provider. More than 100,000 customers in over 150 countries trust GeoTrust to secure online transactions and conduct business over the Internet. Our range of digital certificate and trust products enable organizations of all sizes to maximize the security of their digital transactions cost-effectively.

 

by: John500, posted on 2009-10-20 at 13:37:58, ID: 25618311

Tolomir:

You wrote:

>> Our range of digital certificate and trust products enable organizations of all sizes to maximize the security of their digital transactions cost-effectively.

I would love to understand some of the reasoning behind the price options.  Your suggestion raises even more concern/interest because why would GeoTrust be able to do for $400 what Verisign does at $1,500?

I'm not sure if GeoTrust offers 128 bit at $400 but I'm assuming it does based on what you said.  Either way, what is your take on price versus security?

Thanks!

 

by: John500, posted on 2009-10-20 at 13:46:09, ID: 25618401

Am I correct that GeoTrust only offers 'up to 256-bit' encryption?  If so, why would a company want to take a chance with 256 when they could purchase something higher?

Thanks

 

by: Tolomir, posted on 2009-10-20 at 13:51:45, ID: 25618455

Well, Verisign sells their name. Ever looked for sports cars? There are cars that drive like a Porsche, but buying a Porsche is still something special. With GeoTrust you can get their premium product for $899, so there is not such a big difference...

They offer 256 bit, which is of course more secure than 128 bit encryption.

The encryption is based on what a web browser has to offer - old browsers support 40 bit, newer ones up to 1024 or more bits. SSL encryption means the web server and client exchange data over a secure channel; the SSL provider signs your public certificate with his private certificate, and you pay for the name.

---

There are two basic certificates: validation per site or validation per ID card. A site validation can be ordered by someone from IT staff; the validation per ID card has to be signed by the big boss. He signs with his name that the site is valid and speaks for the company.

SSL certificates are made to offer trust in the 1st place, and the more you pay the more trust they spread (if a user ever(!!) checks the certificate behind an https connection...). In the 2nd place they provide security, but for that you can take the cheapest with 256 bit encryption...

Tolomir


 

by: Tolomir, posted on 2009-10-20 at 14:01:55, ID: 25618572

Let Verisign answer themselves

http://www.verisign.com/ssl/ssl-information-center/strongest-ssl-encryption/index.html

Protect Customers with the Strongest Possible Encryption
Because Web site visitors cannot easily determine the encryption strength of a given session, they depend on the site owner to protect them. True 128-Bit SSL Certificates enable every site visitor to experience the strongest SSL encryption available to them. VeriSign is the leading SSL provider of SGC-enabled SSL Certificates, enabling 128- or 256-bit encryption to over 99.9% of Web site visitors.

 

by: John500, posted on 2009-10-21 at 06:21:47, ID: 25623602

Tolomir,

I won't drag this out much longer.  I wasn't quite sure how to interpret your last post.  Can you clarify?  On the one hand I realize you were pointing out how we pay for a name and not necessarily a difference in product.  On the other hand, I wasn't sure how to interpret the 'bold' :

             enabling 128- or 256-bit encryption to over 99.9%

I contacted a sales rep from GeoTrust.  They referred me to someone whom I'm currently waiting on.  The first person I talked with asked how many domains I would be supporting and since I had more than one (about 5), they wanted to know if they were sub domains or separate.  We have both (subdomains and separate).

Can you say anything about how those last two questions impact our decision making or purchasing options?

Thanks!

 

by: Tolomir, posted on 2009-10-21 at 06:30:27, ID: 25623675

I just wanted to point out that even Verisign considers 128 bit (or even 256 bit) encryption as safe. There is no need to have a higher security.

---

Well, they can offer you a wildcard certificate then.

SSL Certificates: True BusinessID Multi-Domain Secure up to 25 domains on a single server. $599 for each server.



 

by: John500, posted on 2009-10-21 at 13:06:04, ID: 25627756

>> I just wanted to point out, that even verisign considers 128 bit (or even 256 bit) encryption as safe. There is no need to have a higher security.

This was my mistake.  My mind was twisting numbers.  I saw the 256 as being lower than the 128 - go figure.

Anyway, appreciate all the input!

 

by: Tolomir, posted on 2009-10-21 at 13:14:21, ID: 25627832

Ok, now I understand:

"I realize 128 bit would have to be better than 256 bit - but again, why?  What would be a few good examples of why I should choose something higher than 256 bit?"




 

by: John500, posted on 2009-10-21 at 13:15:47, ID: 25627844

Do you agree:

1)  That standard SSL certificates rely on end user browsers to determine the encryption level that our SSL Certificate will offer?

2)   SSL certificates are made for 'intranet' purposes only and were not created for public websites?

3)  Server Gated Cryptography certificates will take older browsers with 40bit & 56bit encryption and step them up to true 128bit encryption?

 

by: Tolomir, posted on 2009-10-21 at 13:28:37, ID: 25628011

1) Yes - this could even be 40 bit (that is lower than 128 ;-) - I think IE 5 came with it due to export restrictions...
2) No, this is wrong. Take Amazon: I insist that any of my orders are encrypted against possible traffic sniffers. Data privacy protection is the keyword here.
3) Interesting, take a look at Wikipedia: http://en.wikipedia.org/wiki/Server_gated_cryptography - so your assumption is wrong.
If you are concerned about security, I suggest you use a switch in the HTML code to block all web browsers (that are not on a whitelist) that cannot deal with 128+ SSL security.


 

by: John500, posted on 2009-10-23 at 08:42:47, ID: 25645511

>> 3) Interesting, take a look at wikipedia: http://en.wikipedia.org/wiki/Server_gated_cryptography - so your assumption is wrong.

Actually the article is not saying that SGC technology is weaker.  What it's saying is that legislation was enacted to accommodate the weaker browsers.  The SGC technology apparently brings the weaker browsers up to a higher potential or longer key.  Without the SGC technology those weaker browsers would simply be cut off - according to the article.  In other words, first the US enforced very strong encryption, but institutions outside the US could not do transactions with the US.

Thus, through US legislation, SGC was created for banks outside the US.  Now you know and I know the US government was NOT saying, "let's lower our standard and make it more risky to do transactions with *banks* outside the US because it's better to lower our security than to lose money."

Not no, a thousand times no!!  What the article is trying to say (but was poorly worded), that the US went out of their way to find a solution that would make bank transactions feasible for banks outside the US.  Nobody else was included in on this extra effort.  Nobody else could get in on this solution which brought lower bit browser up to the highest bit possible.  However, in time the US opened up the SGC technology to anyone.....

Now, back to my last question, how does GeoTrust offer the SGC technology, or does it?  The answer is no, they don't offer it.  They offer the highest encryption but leave the *server configuration*  (for low handshake scenarios) to the company.  By server configuration, this is the point you were making by including a switch to block all web browsers not on the whitelist.


 

by: Tolomir, posted on 2009-10-23 at 17:08:26, ID: 25650004

Seems like this is a little twisted.

A browser from the US (export version) will communicate with a website: "hey, I just offer 40 bit encryption..."
"Although the weaker exported browsers would only include weaker ciphers in its SSL handshake"
even though it could also offer 128 bit encryption:
"the browser did also contain stronger cryptography algorithms"

Now the user gets to a server with an SGC certificate, negotiating the highest encryption it can offer:
"To comply with the legislation, the browser would only renegotiate the handshake to use the stronger ciphers if the browser detected that the server has an SGC certificate"


---
>> how does GeoTrust offer the SGC technology, or does it?  The answer is no, they don't offer it.  They offer the highest encryption but leave the *server configuration*  (for low handshake scenarios) to the company.  By server configuration, this is the point you were making by including a switch to block all web browsers not on the whitelist.
Yes, this should do it. But I think today there are not that many browsers around not able to deal with 128 bit, so this is rather negligible.
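
An added example (not part of any post in this thread): a Python model of the point the answers above converge on, that the session's symmetric strength comes from the cipher suites the browser offers and the server accepts, not from the certificate's price tier. The suite names in the two browser offers and the legacy server table are constructed sample data; the hardened suite list is read from Python's standard `ssl` module.

```python
import ssl

MIN_BITS = 128  # policy floor discussed in the thread


def hardened_server_context(min_bits=MIN_BITS):
    """Server-side TLS context that enables only suites at or above min_bits."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    # Verify the result instead of trusting the cipher string.
    weak = [c["name"] for c in ctx.get_ciphers() if c["strength_bits"] < min_bits]
    if weak:
        raise ValueError(f"weak suites still enabled: {weak}")
    return ctx


def suite_table(ctx):
    """Ordered (name, strength_bits) pairs the context is willing to use."""
    return [(c["name"], c["strength_bits"]) for c in ctx.get_ciphers()]


def negotiate(client_offer, server_suites, min_bits=0):
    """Simplified model of suite selection: the first server-preferred suite
    that the client also offers and that meets the server's floor.
    Returns (name, bits), or None when the handshake would be refused."""
    offered = set(client_offer)
    for name, bits in server_suites:
        if name in offered and bits >= min_bits:
            return name, bits
    return None


# Constructed sample data (not captured from real clients or servers).
EXPORT_BROWSER = ["EXP-RC4-MD5"]  # export-era browser: 40-bit only
MODERN_BROWSER = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256"]
LEGACY_SERVER = [("AES128-SHA", 128), ("EXP-RC4-MD5", 40)]  # no floor set


def demo():
    hardened = suite_table(hardened_server_context())
    return {
        "legacy server / export browser": negotiate(EXPORT_BROWSER, LEGACY_SERVER),
        "hardened server / export browser": negotiate(EXPORT_BROWSER, hardened, MIN_BITS),
        "hardened server / modern browser": negotiate(MODERN_BROWSER, hardened, MIN_BITS),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result or "handshake refused")
```

The same certificate could sit behind either server table; only the suite policy changes what an old browser ends up with.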


 

by: John500, posted on 2009-10-28 at 05:25:23, ID: 31643607

Thanks for all the feed-back!

 

by: Tolomir, posted on 2009-10-28 at 05:28:09, ID: 25682431

Thank you.

How did it end? What kind of SSL certificates did you buy then?

