Today we submitted the order to renew our SSL certificates at Casper College from a different Certificate Authority (CA) than the institution has used in the past. Because this purchase is a departure from the purchase of Verisign SSL certificates at Casper College, the question has come up more than once: "Is this as good as the others?" A very good question indeed.
First I must provide a little background and define a few acronyms. Let's start with CA, SSL, and PKI. A certificate authority (CA), or certification authority, is an entity that issues digital certificates. In theory the CA is a third party that is trusted by both the owner of the certificate and the party relying on the certificate. SSL is essentially a method of encrypting data as it travels across the Internet to ensure that private information such as credit card numbers remains secure. Netscape, creator of the popular browser, invented it in 1994, and it has been a widely accepted technology since that time. Public Key Infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.
I have been dealing with the stigma of how to value open source, cheap, and free technology for several years, and it is true that in American society we have a difficult time separating cost from value and quality. We like a great deal, but still have a little skepticism about value. During our departmental discussions, which included myself, Dan, Stew, Dallen, and Ana from distance learning, the consensus was that the extra cost of the certificates purchased from Verisign provided no greater value or protection than the certificates provided by other major SSL certificate authorities. The savings will be roughly $10,000 annually. Additional discussion and links to resources justifying this are included in the following slideshow (created by Dan Straka, as Dan was the research lead on this project):
Essentially, all SSL certificates do the following:
- Encrypt sensitive data like credit card numbers and personal information
- Provide some assurance to your clientele that you are trustworthy (the process of getting an SSL certificate can't guarantee this, but it can make it more likely, which is part of the reason why visitors have this perception)
These are very important benefits and, while not all websites require an SSL certificate, it is essential if you are running an e-commerce site or transferring sensitive personal information.
If you want to be sure that a website provides this layer of security for you, the first step is to look for a padlock icon in your browser. You may also have seen the "https://" prefix in many URLs in your day-to-day Internet surfing, especially when you're entering credit card information, user identification, passwords, or emails. You may have also noticed warnings that you are entering an insecure site; this should serve as notice that your information may be viewed by others.
Specifically for Casper College, there was a consensus that we should go one (1) year with Digicert. Based on their latest quote, for $3400.00 we can issue 15 new single-server SSL or EV certificates to replace our Verisign certificates as they expire. It would also give us an opportunity to try wildcard certificates for upcoming projects and see how their "Managed PKI" management system works. Although there is a little overlap as certificates expire throughout the year, there is more than sufficient savings to justify the change. In summary, the initial question was "With Technology, Do You Really Get What You Pay For?" My answer is, as usual, "Maybe, Maybe Not."
Have a Good Day.