7.11. Ecommerce: SSL Certificates

Secure, encrypted transactions are a vital part of your e-commerce success. Your customers are sending you confidential credit card and billing information. If that information were intercepted―which is extremely easy to do―then it could fall into the hands of people who would use it to rack up thousands of dollars in fraudulent charges.

Encryption scrambles that crucial information at the source―the user’s Web browser―and unscrambles it on your server before dumping it into a database. Secure sockets layer (SSL) certificates are the tools that do the scrambling and unscrambling.

Certificates are issued by certifying authorities. You apply for a certificate and the certifying authority verifies that you are who you are and that you are a legitimate business. They then issue a certificate that is installed on your server.

When a user enters important information on your checkout pages, the server sends one-half of an encryption key to the Web browser, which uses that key to encrypt the data. When the data arrives at your server, the other half of the encryption key unscrambles the data. If the data were intercepted by some knave during the transmission, all he’d get is mushed-up nonsense that would take decades to decode using the most powerful computer in the world.

In addition to scrambling and unscrambling data, a certificate can actually be viewed by your users. Remember: a certificate not only encodes data, it also represents that the certifying authority has checked you out thoroughly and decided you’re a legitimate business.

If you have a page that is secured by a certificate, a padlock icon appears in the bottom left corner of the Web browser. If the user clicks that padlock, they can view all the details of the certificate. These details tell the user who the certificate was issued to, what server it applies to, and so on. Since it’s easy for thieves and rogues to set up “dummy” checkout pages that look like someone else’s checkout pages, the certificate information tells the user that they’re sending their payment to the actual owner of the Web site. For instance, if you’re on the Amazon checkout page and you click the padlock, you will find the certificate was issued to Amazon. If, instead, it says that it was issued to Pendergrast Construction Company, then you know these checkout pages are not Amazon checkout pages! Often, when an e-commerce merchant is using a well-known certifying authority, they’ll put the CA’s logo on their payment information pages. These logos, particularly the Verisign logo, carry great weight with online consumers because they are strict and thorough in authenticating your business.

Extended validation (EV) is a new technological feature that many certificate issuers provide for a considerably higher fee. If you have extended validation added to your certificate, Internet Explorer 7 and above, as well as the newer versions of Firefox and Opera, will turn the browser address bar green and display the name of the certificate owner in the address bar. Users no longer have to click the lock icon to find out who owns the certificate.

You can get two kinds of certificates: a dedicated certificate and a shared certificate (some hosting services call shared certificates “generated” certificates). A dedicated certificate is issued only to you. Only you can use it and only you and your company name appear on the certificate. A shared certificate, on the other hand, is shared among many users. For instance, most hosting services offer shared certificates. The hosting service buys a certificate, pays the annual fee, and lets its customers use the one certificate. While shared certificates have the benefit of lower fees―indeed, some of them are offered free―they don’t actually have your name on them. Instead, when a user who is on your site views the certificate, they will find your hosting service as the owner of the certificate rather than your company. This does lower sales. How much is subject to debate.
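The fields a user sees behind the padlock, and the dedicated-versus-shared distinction above, can also be read programmatically. The Python below is an added example, not part of the original text; it works on the dictionary that `ssl.SSLSocket.getpeercert()` returns. The function names `field`, `covers` and `describe`, and the sample certificate, host and company names, are constructed for illustration.

```python
import socket
import ssl

def fetch_cert(host, port=443):
    """Fetch the validated certificate a live server presents (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def field(name, key):
    """Pull one attribute out of the nested subject/issuer structure."""
    return next((v for rdn in name for k, v in rdn if k == key), None)

def covers(pattern, host):
    """Match a certificate name against a host; '*' may only stand for the first label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    wild = p[0] == "*" and len(p) > 2
    return len(p) == len(h) and (wild or p[0] == h[0]) and p[1:] == h[1:]

def describe(cert, host, expected_org):
    """Summarise who the certificate was issued to and which server it applies to."""
    org = field(cert.get("subject", ()), "organizationName")
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    names = names or [field(cert.get("subject", ()), "commonName") or ""]
    if org is None:
        kind = "domain-only"   # no business name on the certificate at all
    elif org.lower() == expected_org.lower():
        kind = "dedicated"     # issued to the merchant itself
    else:
        kind = "shared"        # issued to someone else, e.g. the hosting service
    return {
        "issued_to": org,
        "issued_by": field(cert.get("issuer", ()), "organizationName"),
        "covers_host": any(covers(n, host) for n in names),
        "kind": kind,
    }

# Constructed sample in the format getpeercert() returns: a hosting
# service's wildcard certificate used by one of its customers' shops.
SHARED = {
    "subject": ((("organizationName", "Example Hosting Inc"),),
                (("commonName", "*.examplehosting.test"),)),
    "issuer": ((("organizationName", "Example CA"),),),
    "subjectAltName": (("DNS", "*.examplehosting.test"),),
}
print(describe(SHARED, "myshop.examplehosting.test", "My Shop LLC"))
```

For a live site, pass the result of `fetch_cert("your-domain")` to `describe` together with the company name you expect customers to see.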

Most certificates come in 256-bit encryption. The only thing you need to know about 256-bit encryption is that it is impossible to crack the code. 128-bit encryption is next to impossible to crack. Anything less than 128 bits (low-priced SSL certificates) can be cracked with a powerful enough computer and enough time.

Finally, there is a real difference between certifying authorities (CAs). Verisign is the highest cost certificate, but they spend an enormous amount of time and resources verifying that you are who you say you are. They require a lot of documentation and reject many applicants. As a result, Verisign is the most trusted brand name among consumers―you will probably see the Verisign logo on more major e-commerce sites than any other certifying authority. Thawte and GoDaddy spend less time verifying your identity, but they do a fair job of it.

Other CAs really slouch on the verification process―they just want to issue as many certificates as they can. As a result, if you have a certificate issued by anybody else, such as DigiCert, you are going to lose sales because the brand does not carry much weight with consumers in the know. In our opinion, even though you can save mucho money by going with one of the low-priced certifying authorities, you really should stick to the three majors: Verisign, Thawte, and GoDaddy.

7.11.1. Verisign

http://www.verisign.com

Verisign is the gold standard in SSL certificates. It is the oldest and most widely recognized secure transaction brand in the world and the reputation is well-deserved. While all SSL certificates essentially do the same thing, Verisign devotes significant resources in the application process to verify that you are a legitimate business (other companies sometimes do not even make this effort―they just hand you a certificate). This strict business verification process makes Verisign by far the most expensive and most time-consuming certificate to get for your site. You can expect to wait days or weeks for approval to come through. Many prospective customers have to appeal a rejection a few times before they can get Verisign approval.

Verisign offers the following certificate products.

  • SSL Certificate, business authentication, $100,000 warranty, Verisign seal

$399 for one year

$699 for two years

  • 128- or 256-bit SSL certificate, business authentication, $250,000 warranty, Verisign seal

$995 for one year

$1,790 for two years

  • 128- or 256-bit SSL certificate with extended validation, business authentication, $250,000 warranty, Verisign seal

$1,499 for one year

$2,695 for two years

7.11.2. Thawte

http://www.thawte.com

Thawte is the second major certifying authority and enjoys broad brand recognition. While not as well-known as Verisign, Thawte does represent significant cost-savings over the industry leader. Thawte, like Verisign, subjects applicants to a screening process to determine the authenticity of their business. Unlike Verisign, however, Thawte does issue certificates (SSL 123 Certificates) without business authentication. Only the domain name is authenticated, that is, Thawte confirms that the domain name belongs to the applicant.

  • Domain validated 256-bit SSL Certificate, no business authentication, domain authentication, Thawte seal

$149 for one year

$259 for two years

  • Domain validated 256-bit SSL Certificate, business authentication, Thawte seal

$399 for one year

$699 for two years

  • Web server 256-bit SSL certificate, business authentication, Thawte seal

$249 for one year

$449 for two years

  • 128- or 256-bit SSL certificate with extended validation, business authentication, Thawte seal

$899 for one year

$1,495 for two years

7.11.3. GoDaddy

http://www.godaddy.com

GoDaddy offers significant discounts on certificates and even provides a non-authenticated certificate, the Turbo SSL certificate. Because this certificate is made available without authenticating your business, the yearly price is considerably lower than a business-authenticated certificate. Whether you opt for a non-authenticated certificate or not, GoDaddy can provide significant relief to your shoestring budget.

  • Domain validated 128- to 256-bit SSL Certificate, no business authentication, domain authentication, GoDaddy seal

$20 for one year; $200 to include all subdomains

$36 for two years; $360 to include all subdomains

  • Domain validated 128- to 256-bit SSL certificate, business authentication, GoDaddy seal

$90 for one year; $250 to include all subdomains

$150 for two years; $540 to include all subdomains

  • 128- or 256-bit SSL certificate with extended validation, business authentication, GoDaddy seal

$500 for one year

$800 for two years
