by kkikta
20. February 2012 23:53
Every once in a while I have a friend ask me about SSL certificates and which one they should buy. First, let me start off by saying that SSL is used to encrypt data and, to some extent, verify the authenticity of the site. There are a lot of options when it comes to SSL certificates, and some come with some neat features.
Extended Validation (EV)
This is a feature where the certificate authority makes the site owner jump through some hoops to validate the authenticity of the site. Sounds good, right? I agree it's a good thing, but these certs are generally pretty expensive. The big draw to these is that in modern browsers the URL bar has some green coloring when visiting sites that use these. I believe for most sites this is unnecessary, so unless you're in banking, finance or some other type of high-security industry (or really like the color green) I would save your money. If Google is not using it for Gmail or Checkout then you probably don't need it for your ecommerce site.
SSL Guarantee (or Warranty/Insurance)
First, I will say this: I have never heard of a case where anyone has ever been able to collect on that guarantee. Second, if you read what they are really saying, they will pay only if they were negligent; just check out the exception clause. That being said, if it's free go ahead; otherwise it's pretty much giving money away.
2048-bit (or some crazy high bit encryption)
First, if your site uses a 128-bit cert and your data is captured, someone could, given enough time, break the key and steal the data. That being said, by the time they break that key there is a pretty damn good chance the data will be out of date. Credit cards will have expired, users will have changed passwords, etc. If you're still unsure, check out distributed.net. Using an enormous cluster of PCs all over the world, it took close to 5 years to break a message in 56-bit encryption, and each bit basically doubles the effort. They are currently working on breaking a message encrypted with 72-bit encryption. After 9 and a half years they have only tested a little over 2% of the possible keys.
What's the difference?
So here is the deal: what you're really paying for is support, ease of use and browser acceptance. The 19 dollar SSL and the 149 dollar SSL do the same thing. The support from Comodo and Verisign is probably the same as DigiCert and GoDaddy. The browser acceptance is probably a non-issue these days unless it's some brand new SSL vendor. I can't actually recommend a particular vendor; I've used GeoTrust, Verisign, Comodo and GoDaddy. These days I go with whoever is the cheapest, and that includes resellers like Namecheap.
One last note: during the writing of this I just now realized Twitter and my favorite source code repository, Bitbucket, use EV certs. If I just realized that, do you think your customers are even going to notice?
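To put numbers on "each bit doubles the effort", here is an added example (not from the original post) that derives a keys-per-second rate from the 72-bit progress quoted above and projects it onto other key sizes. It assumes exactly 2% tested in 9.5 years, a constant rate, and plain exhaustive search of a symmetric key, which is what the distributed.net contests measure; RSA key sizes such as 2048-bit are not attacked this way and are not modeled.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def observed_rate(bits, fraction_tested, years):
    """Keys tested per second, derived from progress on a `bits`-bit keyspace."""
    return fraction_tested * 2 ** bits / (years * SECONDS_PER_YEAR)


def years_to_search(bits, rate, fraction=0.5):
    """Years to cover `fraction` of a `bits`-bit keyspace at `rate` keys/s.

    fraction=0.5 is the expected case (key found halfway), 1.0 the worst case.
    """
    return fraction * 2 ** bits / (rate * SECONDS_PER_YEAR)


def doublings_needed(bits, rate, target_years, fraction=0.5):
    """How many times the attacker's speed must double to finish in target_years."""
    ratio = years_to_search(bits, rate, fraction) / target_years
    return max(0, math.ceil(math.log2(ratio)))


def projection(rate, sizes=(56, 64, 72, 80, 112, 128)):
    """(bits, expected years, speed doublings needed to finish in one year)."""
    return [(b, years_to_search(b, rate), doublings_needed(b, rate, 1.0))
            for b in sizes]


# Assumption: figures quoted in the post (about 2% of the 72-bit keyspace
# tested after 9.5 years), treated here as exact.
PAGE_RATE = observed_rate(72, 0.02, 9.5)

if __name__ == "__main__":
    print(f"implied rate: {PAGE_RATE:.3e} keys/s")
    for bits, years, doublings in projection(PAGE_RATE):
        print(f"{bits:>4}-bit: {years:.3e} years expected, "
              f"{doublings} speed doublings to finish in 1 year")
```

At the implied rate a full 72-bit sweep takes 475 years, and a 128-bit key would still need the attacker's speed to double 64 more times before the expected search fits in a single year.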