Verisign vs. Thawte? Looking for advice


7

Our SSL certificate with Thawte is about to expire and I was wondering if this is still the best route.

Any recommendations?

Security

asked Oct 6 '10 at 07:24
Blank
Chris
4,214 points
  • Verisign used to own thawte. They recently sold it to symantec. I'll try to dig up some JoS threads that had cheaper alternatives. (I used thawte for code signing this past year) – Tim J 13 years ago

5 Answers


8

This question is an old one. Here is one little contribution, also look at the SSL tags at ServerFault. I see no reason to focus on Verisign and Thawte, unless you strongly believe that their site seals improve your conversion rate. And if that is the case, then go the whole way, and get a Verisign Extended Validation certificate. My take, in short form, is that your choices are:

  1. A name-brand SSL certificate with clear root chain, but purchased from one of the cheap resellers at < 50USD. By name-brand, I mean a certificate with the same signing root as the big players use -- Comodo from a cheap reseller, RapidSSL (cheaper GeoTrust), InstantSSL (cheaper Comodo), et cetera.
  2. A name-brand SSL certificate with a nice logo / "trustmark" to put on your shopping cart ("Secure by ..."), purchased directly from the issuer (I like DigiCert).
  3. A name-brand Extended Validation certificate. So far, you need to work directly with the issuer to get approved for these, there is a fair amount of paperwork required to prove identity, and the prices are high often > 250 USD/year.

I would personally either get a cheap Comodo or similar certificate from:

OR, I would get an Extended validation certificate. (In other words, of my options 1, 2 & 3, I personally think that 1 & 3 are the good choices.)

I'm still on the fence with regards to Extended Validation. What they're trying to do is a good thing, and the extra consumer confidence they can provide is a good thing, possibly lowering abandonment rate. All the big names (Microsoft etc) use EV certs now. On the other hand, I have not seen a definitive usability study showing that the really work, that end users really grok the difference.

The more expensive non-Extended Validation certificates are a bit of a scam, really. They don't add any authentication or encryption beyond what the really cheap ones provide. Don't overbuy, i.e. don't think that the 200 USD non-EV certificate is necessarily better than the 50 USD non-EV cert with the same root.

Last bit of advice: If you take the cheap route, then look at your current domain registrar, DNS host, and web hosts. Sometimes they can sell you a cheap certificate with the same trust root as everyone else, and a streamlined buying process because they already have your domain information.

answered Oct 6 '10 at 18:42
Blank
Jesper Mortensen
15,292 points

4

You would do well to compare the prices of the exact same certificate from Verisign, Thawte, and Comodo. They all offer virtually the exact same service. But their prices vary rather dramatically.

Every current version of Windows (XP, Vista, Win 7, etc) comes with equal built in recognition for certificates from all three provders.

answered Oct 6 '10 at 11:51
Blank
Gary E
12,510 points

2

I plan on buying a Godaddy certificate. Not nearly as expensive and the name is there.

answered Oct 7 '10 at 02:23
Blank
Sk24iam
344 points

1

+1 for taking a look at Comodo certificates. We've been using them for years.

answered Oct 7 '10 at 02:05
Blank
Keith De Long
5,091 points

0

Most of the other answers here deal mainly with the price.

Another aspect is the security the certificate provides - see this question on ITSecurity for a discussion on that.

Though the bottom line is pretty much "any of the well-known CAs can do the job well enough" (though in some situations there might be some benefit to some).

answered Nov 25 '10 at 16:37
Blank
Avi D
140 points

Your Answer

  • Bold
  • Italic
  • • Bullets
  • 1. Numbers
  • Quote
Not the answer you're looking for? Ask your own question or browse other questions in these topics:

Security