SSL Certificates from GoDaddy

wallsfd949

I've never purchased an SSL certificate before and GoDaddy's options were quite daunting.

They have two types - Turbo and High-Assurance, plus to compound that, they have Wildcard SSL. Apparently if I go for a Wildcard SSL, I can use the cert for all subdomains (which is a big advantage for us).

What is the difference between GoDaddy's SSL cert and ones that are 3x and 4x the cost from Verisign and Thawte? I've read in an old post from 2004 that GoDaddy's SSL certs are not installed on most Mac browsers.
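
An added example, not part of the original post: a minimal sketch of the hostname-matching rule that clients apply to a wildcard name, showing that "all subdomains" means exactly one label below the domain and excludes the bare domain unless it is listed separately. The function names and the label-count shortcut are assumptions of this sketch, and the hostnames are constructed from the placeholder domains used later in the thread.

```python
# Added example: which hostnames does a wildcard certificate name cover?
# Hostnames are constructed; they reuse the placeholder domains from the thread.
import ipaddress


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def name_matches(cert_name, host):
    """True if one DNS name from a certificate covers the requested host."""
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not cert_name or not host or _is_ip(host):
        return False  # DNS names (wildcard or not) never cover an IP address
    if "*" not in cert_name:
        return cert_name == host
    c_labels, h_labels = cert_name.split("."), host.split(".")
    # Only a whole leftmost label may be the wildcard: "*.somedomain.com".
    if c_labels[0] != "*" or any("*" in label for label in c_labels[1:]):
        return False
    # Simplification: refuse "*.com"-style names by label count; real clients
    # consult the public suffix list instead.
    if len(c_labels) < 3:
        return False
    # "*" stands for exactly one non-empty label, so label counts must agree.
    if len(h_labels) != len(c_labels) or not h_labels[0]:
        return False
    return h_labels[1:] == c_labels[1:]


def cert_covers(cert_names, host):
    """True if any name listed in the certificate covers the host."""
    return any(name_matches(name, host) for name in cert_names)


WILDCARD_ONLY = ["*.somedomain.com"]
WILDCARD_PLUS_APEX = ["*.somedomain.com", "somedomain.com"]
HOSTS = ["www.somedomain.com", "mail.somedomain.com", "somedomain.com",
         "a.b.somedomain.com", "www.somedomain.com.hackers-r-us.com"]

if __name__ == "__main__":
    for host in HOSTS:
        print(f"{host:40} wildcard only: {cert_covers(WILDCARD_ONLY, host)!s:5} "
              f"with apex: {cert_covers(WILDCARD_PLUS_APEX, host)}")
```
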
 

dphantom

I can't tell you what the real difference is, if any, but I have used the Wildcard SSL certificates from GoDaddy for a while now with no problems.

I do not run an ecommerce site, but I do have secure email and a couple other web based apps that need SSL.
 

n0cmonkey

Verisign/Thawte (didn't Verisign buy Thawte a couple of years ago?) is evil. Avoid them.

Other than that, they're all the same. It's a racket I tell ya, a racket.
 

JackMDS

The SSL connection is encrypted no matter what certificate you are using.

A good certificate is mainly important when you connect to a site and are going to transfer sensitive information. If you are not familiar with the site, the certification is like certifying that the site is OK and you can trust it: they are known and it is OK to conduct secure business with them.

If you install a certificate on your own site and you are not selling anything to the public, it does not matter so much which certificate you are using.

In other words, if you need the SSL for your own use while you exchange information between your servers and computers, or you need to provide a secure connection to friends and/or other people who connect to your servers and know who you are and what the nature is of what you are providing, it does not matter much which certification you are using; they all will provide Secure Socket Transfer.

A free basic certificate for Apache and IIS can be found here: http://cert.startcom.org/

:sun:
 

NogginBoink

Jack is correct.

ANY certificate, even a self-signed certificate, on the web server will provide encrypted transmission of data.

The purpose of a certificate is not encryption. The purpose of a certificate is to provide trust.

You go to www.somedomain.com. We all know that the Internet can be fragile, and though things usually work fine, there's really no absolute guarantee that the website that answers your browser really is, in fact, www.somedomain.com. It could be www.hackers-r-us.com pretending to be www.somedomain.com.

A certificate can solve this problem.

There are companies out there (Verisign, Thawte, etc.) that issue certificates to clients based on their own internal policies. In order to get a cert from, say, Verisign that says you're www.somedomain.com, Verisign has internal policies that require you to prove that you really do own www.somedomain.com before they'll issue you a certificate. What you're paying for is the level of trust that those companies provide through their screening processes.

The certificate, when your browser gets it from the web server, says, "this web server is www.somedomain.com, and Verisign says so!" Your browser can verify that the cert actually was issued by Verisign, and that the cert was issued to www.somedomain.com. That provides a high level of trust to your clients.

With a self-signed certificate, your browser gets a cert that says, "this web server is www.somedomain.com, and Joe Schmoe says so!" Your browser probably doesn't have Joe Schmoe's certification authority as a trusted certification authority. Your browser will then display a dialog saying that the site has a certificate, but that the certificate issuer is not trusted.

At that point, it's up to the user to determine whether or not to trust a site backed by a certificate from Joe Schmoe.

Note that a certificate from Verisign doesn't mean the website is trusted or trust-able. It just means that you can trust that they are who they say they are, because Verisign verified that before issuing the cert. (Even then, mistakes happened. Verisign once issued a cert with Microsoft's name on it to a non-Microsoft entity with criminal intent.)

So, all the cert does is say, "the entity that owns the web server passed the certificate issuer's requirements for being who they say they are." Some certificate issuers have a very low bar for that test.
 

wallsfd949

Thanks for all the replies. I may have come across as too ignorant in my OP. Internally we are already using self-signed SSL certs. What I was really looking for is how 'trustable' GoDaddy's SSL sigs are and, more importantly, I know some certs like Verisign and Thawte are included in most available browsers, therefore when a customer hits a site signed with a cert from Verisign they don't get any messages; it works without them saying 'OK'. I wanted to make sure GoDaddy's are on that type of a level.

 

stash

I'm pretty sure GoDaddy's CA is chained to ValiCert's root, which is in the trusted root store in Windows.