SSL Web Certificate Choices

After considering the cost, hassles, and other factors (and keeping in mind my dislike of big bloated companies), I settled on one of two options. There are a lot of small and startup third-party SSL verification companies. Let's start off with a clear explanation of what an SSL certificate is, what it does, and why you would (or wouldn't) pay someone for it.

  1. First, an SSL certificate doesn't require a third party, a purchase, or anything other than the technology standards set forth for the protocol.
  2. The SSL protocol is simply a set of parameters to connect a public key with a private key to secure a connection from point A to point B (usually a PC to a website) for the purpose of encrypting the data passed from point A to point B and vice versa. You can sign it yourself or have a third party verify it so the person at the PC feels more confident that the SSL connection is legit - but the third party doesn't make the server or the company that owns the server more legitimate, nor does it mean the data is more secure or safe.
  3. Since browsers have error messages that are designed to scare people when the website's SSL certificate isn't verified or "signed" by an approved third party SSL issuer, it's smart for the business owner to pay the trust tax and use some big third party verifier's certificate regardless of its meaninglessness.
  4. The FUD is cranking up with different colors in Internet Explorer (Microsoft's browser) to force commercial websites to use the more expensive "more trusted" certificates, where the third party issuer claims to investigate the validity of the website owners; whatever that is worth remains to be seen.
  5. For now, the cheaper entry level SSL certificates issued by third party issuers seem to do the trick for most users, since they cause no scary messages in the major web browsers.
  6. Not all SSL certificate issuers are created equal, and big expense doesn't equal easy interfacing, just big money.
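As an added example that is not part of the original post, the shell script below acts out points 1 and 2: a throwaway private CA stands in for the "third party issuer", one certificate is issued by it, a second one with the same subject is self-signed, and both are checked against the trust store. Names (demo-ca, www.example.test) are made up, and a local openssl CLI is assumed.

```shell
#!/bin/sh
# Added example, not the post's own: a throwaway private CA standing in for a
# "third party issuer", one leaf cert issued by it, and one self-signed leaf.
# Names (demo-ca, www.example.test) are made up. Requires the openssl CLI.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The "issuer": a self-signed root, kept only for this run.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=demo-ca" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# Leaf A: key and CSR generated locally, then signed by the issuer.
openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
  -keyout "$WORK/a.key" -out "$WORK/a.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/a.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 2 -out "$WORK/a.pem" >/dev/null 2>&1

# Leaf B: same subject and key size, signed with its own key ("sign it yourself").
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=www.example.test" \
  -keyout "$WORK/b.key" -out "$WORK/b.pem" >/dev/null 2>&1

# key_bits <cert>: size of the public key inside the cert. Both leaves report
# the same number: the issuer adds nothing to the strength of the key exchange.
key_bits() {
  openssl x509 -in "$1" -noout -text | grep -o 'Public-Key: ([0-9]*' | tr -dc '0-9'
}

# verify_cert <cert> <trusted-bundle>: the check a browser performs against its
# trust store; -CAfile names the issuer we choose to trust.
verify_cert() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# summary: one line combining both checks, e.g.
# "bits:2048/2048 ca-signed:OK self-signed:FAIL"
summary() {
  printf 'bits:%s/%s ca-signed:%s self-signed:%s\n' \
    "$(key_bits "$WORK/a.pem")" "$(key_bits "$WORK/b.pem")" \
    "$(verify_cert "$WORK/a.pem" "$WORK/ca.pem")" \
    "$(verify_cert "$WORK/b.pem" "$WORK/ca.pem")"
}

summary
```

The self-signed leaf fails only the trust-store check; the key material and the encryption it can negotiate are the same as the issued one.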

Thawte vs. RapidSSL

If you have less than 3 days to launch an SSL cert, using Thawte can be a problem. I've had certs take as long as 4 days to show up using Thawte. RapidSSL gives me a cert in 10 minutes.

SSL certs are not meant to be rush installations. Thawte seldom responds to me within 24 hours unless I get on the phone and demand attention. Typically, that doesn't bother me. The company appears solid (I mean they are selling one of the oldest web-alchemy products ever, are trusted in that business, and managed to survive some rather turbulent government changes during South Africa's growing pains). As you may presume from my language, I consider this entire business of third party SSL certificates a bit of a scheme, since they don't really prove or verify anything of any real hard value. An SSL certificate doesn't mean the techs are more trained, or that the servers are run with any modicum of proficiency. It just means the website owner paid some company some money to say the cert is OK - but, since users like that, and you need users to buy your stuff with comfort, let's move forward with buying your cert.

If you want your certificate to work on "all browsers" what you mean is you don't want any error message or scary "this certificate is not signed by a trusted... blah blah," to pop up even if your web traveler is using a ten year old browser. If that's the case, then Thawte is your company. Skip any further reading - you've made your decision.

However, most likely this term "all browsers" means something a tad bit bigger than reasonable. Very few of your websites work on "ALL" web browsers anyway. The goal should be "All major browsers released in the past 3 years." And, Geotrust, Thawte, and Verisign each support those browsers. IE5 doesn't even have trouble with Geotrust. IE3.2, for example, won't support any modern incarnation of flash and may hiccup on the latest Geotrust or RapidSSL cert (which I like because it's fast and easy). If you're paranoid (and there's nothing wrong with that), then Thawte is still the company for you.

Right now, the two companies describe their browser compatibility for Thawte (on their site) and RapidSSL (on their site).

Insert legal mumbo jumbo here - you know, I'm not a representative and I may have an error, so don't sue me :) But, here's a basic breakdown of where these two certs support the commonly known browsers.

Rapid SSL: IE 5.01, AOL 5, Netscape 4.7, Opera 7, Safari, Mozilla 1, Firefox 1.

Thawte: IE 3, Netscape 2, Opera 3, Mozilla, Safari, Konqueror.

Posted in business | security | tech

Submitted by jasonn on August 23, 2007 - 8:13am.