Why is GoDaddy HTTPS/SSL certification so much cheaper than DigiCert, Thawte, and VeriSign?

Solution 1

Apart from unserious offerings, you can distinguish between cheaper domain-validated SSL certificates and the more expensive extended-validation SSL certificates (EV).

Both certificates are technically the same (the connection is encrypted), but domain-validated certificates are cheaper because the seller only has to check the domain. EV certificates also require information about the owner of the domain, and the seller should check whether this information is correct (more administrative effort).

Normally you can see the difference when you visit the site with a browser. Firefox for example will highlight the domain in blue for domain-validated SSL, and green for extended-validation SSL.

Two examples:

In most cases the domain-validated certificate is fine: the user has no disadvantages, and EV certificates are really (too) expensive.
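An added example, not part of any answer on this page: the Go program below builds constructed, self-signed sample certificates for the hypothetical host example.test, each carrying the CA/Browser Forum policy OID for DV, OV or EV issuance, and reads the level back from the parsed certificate. That policy OID is the marker behind the browser highlighting Solution 1 describes (for EV, browsers accept it only from roots registered for it); the host name, organisation and the `must` helper are assumptions made for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// CA/Browser Forum policy OIDs marking the validation level (carried in id-ce-certificatePolicies, RFC 5280).
var levels = map[string]asn1.ObjectIdentifier{
	"DV": {2, 23, 140, 1, 2, 1},
	"OV": {2, 23, 140, 1, 2, 2},
	"EV": {2, 23, 140, 1, 1},
}

// ValidationLevel reports DV, OV, EV or "unknown"; key and TLS encryption are the same at every level.
func ValidationLevel(cert *x509.Certificate) string {
	for _, p := range cert.PolicyIdentifiers {
		for name, oid := range levels {
			if p.Equal(oid) {
				return name
			}
		}
	}
	return "unknown"
}
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// makeCert: constructed self-signed sample cert for hypothetical host example.test; org is nil for DV (names no owner).
func makeCert(level string, org []string) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	polDER := must(asn1.Marshal([][]asn1.ObjectIdentifier{{levels[level]}})) // PolicyInformation, no qualifiers
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: "example.test", Organization: org},
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(24 * time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: polDER}},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}
```

Because the sample is self-signed it would fail chain verification against any real root store: the policy OID is only a claim made by the issuer, and it carries weight only when the chain ends in a root the client trusts.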

Solution 2

To be quite honest, there is absolutely NO difference when it comes to SSL certificates. The only contributing factor is the EV / non-EV / Wildcard tags.

EV == Extended Validation: This means the site is actively "pinged" by the Certificate Authority on the provided IP of the domain, then a server-side script compares the IP address of the ping response from the CA, and the IP address YOU are visiting. This does NOT guarantee that there isn't a man-in-the-middle attack, or net-wide DNS poisoning. This just ensures that the site you are viewing is the same one the CA sees.

Non-EV == no one is actively checking the domain's IP against a logged / provided IP for security purposes.

Wildcard == *.domain.com based Certificates are often used when people have a multitude of subdomains, or a set of subdomains that are ever-changing, but still need valid SSL encryption.

The truth behind SSL Certificates.

You can make your own. They are no less secure than any other certificate. The difference being a "self-signed" certificate is not "vouched for" by any third party.

The problem with SSL Certificates is they are extremely over-priced for what they are. There is absolutely NO guarantee that the site you are visiting belongs to whomever is listed on the certificate as owner / location etc. This defeats the purpose of the third-party-trust-chain model SSL was developed to use.

ALL Certificate Authorities, known as CAs, that sell their certificates want the user to believe that their certificate is somehow better. When in fact, they never check the information provided for the certificate unless there is an issue that may cost them revenue. This practice also defeats the purpose of the SSL trust-chain model.

I know of only ONE CA that indeed validates its certificates. This is CACert.org.

For them to issue a "complete" certificate (business name, name, address, phone etc.) you must meet one of their assurers FACE-TO-FACE!

However, most browsers do not use CACert.org due to pressures added to them by mega corporations like Thawte, Comodo, and Verisign.

So.. to sum it all up.

The only difference between certificates is the behavior of the CA. Certificates can't really be trusted to verify anything other than that the connection to the site is using encryption.

At the end of the day, people think paying $100 - $1000 somehow equates to trustworthiness. This is NOT the case. It just means you deal with less sophisticated or less established crooks.

Solution 3

From the GoDaddy website:

Enjoy the backing of established industry standards. There is NO TECHNICAL DIFFERENCE between our certificates and any other major Certification Authority.

Source: http://www.godaddy.com/ssl/ssl-certificates.aspx?ci=9039

Pricing is a funny thing sometimes. While I have no idea why GoDaddy prices their products the way they do, some companies go for more customers at a cheaper rate, whereas others go for a higher price and attract fewer customers.

As a simple comparison, Company 1 can attract more customers by offering their products at a cheaper price. However, Company 2 can offer their products at a higher cost, which could offset a lower number of customers.

Company 1: 100 customers paying $20/month = $24,000/year

Company 2: 200 customers paying $10/month = $24,000/year

So as you can see in this VERY SIMPLE comparison, both models ended up with the same annual revenue, however one company offered their product for twice as much as the other.

Solution 4

Which is worth more, a reference from me or a reference from Bill Gates? You have to remember that certs are more than a technical solution, they are someone vouching for you, and companies can set whatever price they think their reputation is worth.

Solution 5

I have just found that GoDaddy doesn't allow "duplicate" certificates for your wildcard SSL (as opposed to, say, GlobalSign and DigiCert, which do allow them, and an unlimited number of them).

That's a pity since this is often used when you manage a farm of servers and each one has its own private key / CSR.


Author: DJ Mosca

Updated on September 18, 2022

Comments

  • DJ Mosca
    DJ Mosca over 1 year

    I am a novice on HTTPS/SSL but GoDaddy charges $12.99 and DigiCert, Thawte, and VeriSign charge $100-1000+ for SSL certificates.

    I must be missing something on the quality of the encryption or something. Can someone explain some of the basic differences that lead to these dramatically different prices?

    Update: $12.99 is a sale price. Typically SSL certificates cost $89.99 on GoDaddy. Here's a link on GoDaddy which makes the very comparison this question asks about: http://www.godaddy.com/Compare/gdcompare_ssl.aspx?isc=sslqgo002c

    thanks,

    tim

    • Sherwin Flight
      Sherwin Flight about 12 years
      I just checked the GoDaddy site and they were listing certs for $69.99 CAD.
    • Rana Prathap
      Rana Prathap over 10 years
      StartSSL even offers one for free!
  • LazyOne
    LazyOne about 12 years
    Don't forget the "Brand" factor -- some products simply have extra in prices just because they are labeled with widely known and recognized company name.
  • DJ Mosca
    DJ Mosca about 12 years
    thanks, didn't know about the difference between domain vs. extended validation, thanks for that clarification!
  • ZippyV
    ZippyV about 12 years
    A person needs to check the physical address of the company for a certificate with extended validation.
  • DJ Mosca
    DJ Mosca about 12 years
    A reference from Bill Gates is lame, though I'm happy for Khan Academy.
  • Bruno
    Bruno about 12 years
    I think some CAs also offer some form of insurance, should something go wrong (but it's not clear what is covered exactly). (I've written a relatively long answer about the differences between these types of certs if that's of interest.) The main point is that the choice of CA and type of cert only matters as far as the client is concerned. Provided the cert is trusted by default, it depends only on how far the user is willing to check further details (visually, via the UI).
  • DJ Mosca
    DJ Mosca over 10 years
    This seems pretty critical information. It would seem to correct for any price difference if you have to buy multiple certificates from GoDaddy and only one from Verisign, etc. Can you provide GoDaddy link references in your answer?
  • Mike Scott
    Mike Scott almost 10 years
    No, GoDaddy won't let you buy multiple certs for the same wildcard either. They'll only let you have one, which you therefore have to use on all of your servers.
  • user2428118
    user2428118 over 9 years
    CACert inclusion in at least Mozilla was cancelled by CACert itself: bugzilla.mozilla.org/show_bug.cgi?id=215243#c158
  • Pacerier
    Pacerier about 8 years
    @LazyOne, It's the same with universities...
  • Pacerier
    Pacerier about 8 years
    @timpeterson, He's referring to the fallacy of en.wikipedia.org/wiki/Argument_from_authority
  • Pacerier
    Pacerier about 8 years
    Hmm, is GoDaddy the only cert which they reject?
  • Pacerier
    Pacerier about 8 years
    @user34262, Yea, money is a big factor in this entire (semi-corrupted) CA market. Related threads: 1) on webmasters.SE, 2) on security.SE , 3) on security.SE
  • Pacerier
    Pacerier about 8 years
    @user2428118, That post is from 10 years ago. What's the update?
  • Pacerier
    Pacerier about 8 years
    @user34262, Btw what are some of these CA "pressures" you're talking about?
  • JamesRyan
    JamesRyan about 8 years
    @Pacerier no, I'm not. That has nothing to do with people literally vouching for organisations' identity.
  • daredev
    daredev about 8 years
    There are generally three levels of certificates: Domain validated, Organization validated, and Extended validated certificates. There is very little checking done with DV certificates (generally only an automated email and domain control check), but the latter two types are required to comply with audits and issuance practices guidelines published by the CA/B Forum. CAs that don't pass the requirements set in the guideline are not trusted by browsers to issue certificates of the respective type.
  • user2428118
    user2428118 about 8 years
    @Pacerier Nothing, as far as I know. CACert cancelled the application process and apparently hasn't applied for inclusion again since.
  • Pacerier
    Pacerier about 8 years
    @LieRyan, I mean what are some of the "CA pressures on Google's Chrome team"?
  • Pacerier
    Pacerier about 8 years
    @user2428118, Guess we'll just have to rely on letsencrypt.org for now, though I'd prefer someone with a longer "track record" for stability's sake.
  • Pacerier
    Pacerier about 8 years
    @JamesRyan, How is it not? What does "a reference from me or a reference from Bill Gates" mean? Does "Bill Gates" mean "authority" here?
  • daredev
    daredev about 8 years
    @Pacerier: I don't know what user34262 specifically meant by "pressure", but in my view, broadly speaking, there are two pressures acting between CAs, browser makers, and users: 1) the pressure by users and cheaper CAs to make it easier and cheaper to automate issuing basic DV certificates for the masses, which ended up as LetsEncrypt, 2) the pressure by higher-margin/expensive CAs to promote stricter standard procedures and audits, which ends up as the CA/Browser Forum guideline for OV/EV certificates, which essentially prevents non-compliant CAs from issuing these higher-trust certificates.