High cost vs low cost secure certificates


TVB
01-14-2005, 05:56 PM
Is there a difference for the end-user? Do most people even check? Common sense tells me (mostly based upon my own buying habits) that people only look for the lock. Thoughts?

Betsy

tappel
01-15-2005, 12:46 AM
Is there a difference for the end-user? Do most people even check? Common sense tells me (mostly based upon my own buying habits) that people only look for the lock. Thoughts?

Betsy
I'm not so sure that the average surfer even looks for the lock. :)

I've had a GeoTrust cert for over a year now with no trouble at all.

Tom

Rich
01-15-2005, 12:06 PM
Most users don't look and don't care.

The primary difference between low-cost and high-cost certs is the amount of time and effort spent to confirm the cert owner's identity. High cost certs undergo underwriting steps that attempt to confirm that the applicant is who he or she claims to be AND that this applicant is the legal owner of the domain name. Low cost certs only confirm that the applicant's information matches the domain record.

Low cost certs are at greater risk of having an applicant who is not the legal owner of a domain name actually obtain a cert. However, to my knowledge, this practice has not actually been attempted by anyone.

The bottom line is that until the day that someone actually perpetrates fraud using the lighter qualification standards of low-cost certs no one will actually care.
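Rich's distinction between a cert that only proves control of a domain and one that has been underwritten against the owner's identity is visible in the certificate itself: the subject of a domain-validated cert carries little more than the host name, while organisation- and extended-validation certs carry the vetted organisation details. The classifier below is an added example for this thread, not code from the forum or from any certificate authority; it works on the dictionary that Python's ssl module returns from getpeercert(), the two sample certificates at the bottom are constructed, and which attributes are taken to mark OV and EV certs is this example's own assumption.

```python
"""Tell a domain-validated certificate from one that also vouches for an
organisation, using the dictionary that Python's ssl module returns from
SSLSocket.getpeercert().

Added example for the thread, not code from the forum or from any
certificate authority. The certificate dictionaries at the bottom are
constructed samples, not real issued certificates; the attribute sets
below that mark OV and EV certificates are this example's assumption."""
import socket
import ssl

# A domain-validated (DV) cert vouches only for control of the name, so its
# subject carries little more than a commonName.  Organisation-validated (OV)
# certs add a verified organizationName; extended-validation (EV) certs add
# registration details such as businessCategory and serialNumber on top.
OV_MARKERS = {"organizationName"}
EV_MARKERS = {"organizationName", "businessCategory", "serialNumber"}


def flatten_subject(subject):
    """getpeercert() gives the subject as a tuple of RDNs, each a tuple of
    (attribute, value) pairs; collapse that into a plain dict."""
    attrs = {}
    for rdn in subject:
        for name, value in rdn:
            attrs.setdefault(name, value)
    return attrs


def validation_level(cert):
    """Return 'EV', 'OV', 'DV' or 'unknown' for a getpeercert()-style dict."""
    subject = flatten_subject(cert.get("subject", ()))
    if not subject and not cert.get("subjectAltName"):
        return "unknown"          # nothing identifying at all
    present = set(subject)
    if EV_MARKERS <= present:
        return "EV"
    if OV_MARKERS <= present:
        return "OV"
    return "DV"


def names_in_cert(cert):
    """All DNS names the certificate is valid for (CN plus subjectAltName)."""
    names = set()
    cn = flatten_subject(cert.get("subject", ())).get("commonName")
    if cn:
        names.add(cn.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    return names


def live_validation_level(host, port=443):
    """Connect to a real server and classify its certificate (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return validation_level(tls.getpeercert())


# Constructed samples in getpeercert() shape (not real certificates).
DV_CERT = {
    "subject": ((("commonName", "shop.example.com"),),),
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "www.shop.example.com")),
}
OV_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Merchant Inc"),),
        (("commonName", "shop.example.com"),),
    ),
    "subjectAltName": (("DNS", "shop.example.com"),),
}
EV_CERT = {
    "subject": (
        (("businessCategory", "Private Organization"),),
        (("serialNumber", "1234567"),),
        (("countryName", "US"),),
        (("organizationName", "Example Merchant Inc"),),
        (("commonName", "shop.example.com"),),
    ),
    "subjectAltName": (("DNS", "shop.example.com"),),
}

if __name__ == "__main__":
    for label, cert in ("DV", DV_CERT), ("OV", OV_CERT), ("EV", EV_CERT):
        print(label, validation_level(cert), sorted(names_in_cert(cert)))
```

The point of the check is the one Rich makes: a DV cert tells a visitor that whoever answered the domain's contact address got the cert, nothing more, so a browser's lock icon on its own says nothing about who is behind the site. live_validation_level() runs the same classification against a real server when a network is available.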

TVB
01-15-2005, 12:30 PM
Thanks Rich and Tom...those were the answers I was hoping to hear.

Since we are not selling, there's little chance of us being defrauded in many aspects--such as by people ordering stuff, having it delivered and then initiating a charge-back. Our biggest issue (since stopped with a gateway change) was some jerk who would attempt to run numbers until he (she?) got lucky, which cost us a charge-back. Our old gateway wasn't rejecting automatically based upon bad AVS replies whereas our new one does.

Betsy

Rich
01-15-2005, 06:45 PM
Since we are not selling, there's little chance of us being defrauded in many aspects--such as by people ordering stuff, having it delivered and then initiating a charge-back.
Well, that's not the kind of fraud that would occur with a fraudulent cert. It would actually be a form of identity theft. In this scenario, I first hijack your domain name and reset the contact info to me (or some alias of me) and then I apply for a low-cost cert. I then set up my own website and point all your domain traffic to it. Visitors would think it is your website because the cert says everything is o.k. and I collect all the payment transactions.

TVB
01-16-2005, 11:05 AM
Hi Rich,

Thanks for clarifying that. I have a question though...wouldn't someone notice (like the person responsible for the site) that it had been redirected?

Betsy

Rich
01-17-2005, 10:06 AM
Thanks for clarifying that. I have a question though...wouldn't someone notice (like the person responsible for the site) that it had been redirected?
Yes, but by the time you figure it out and get it stopped, the damage would already be done. If this is a highly profitable site, the thieves could already have taken off with tens or hundreds of thousands of dollars.

The other important point here regarding the use of low-cost certs is that it really doesn't matter which ones you use as a DOMAIN OWNER. This is because the real vulnerability of low-cost certs is that these are the ones that the THIEVES would use. This is true even if YOU purchased a high-cost cert.

The critical point of vulnerability here is the domain name records. So, make sure you keep your email addresses up-to-date on all of your domains and make sure you keep your domains locked. Check with your domain name provider if you have any questions about this.
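Rich's advice comes down to three things a domain owner can check on their own records: that the registrar locks are set, that the contact addresses are current, and that the registration is not about to lapse. The script below is an added example for this thread, not code from the forum or from any registrar. It audits an RDAP-style JSON record (the format registries serve today); SAMPLE_RECORD is constructed rather than a real registry response, the CURRENT_EMAILS list is an assumption standing in for an organisation's own inventory, and the set of locks it insists on is this example's choice.

```python
"""Audit a domain's registration record for the weak points Rich names:
missing registrar locks, contact addresses that are out of date, and a
renewal that is about to lapse.

Added example for this thread, not code from the forum or any registrar.
It takes an RDAP-style JSON record; SAMPLE_RECORD below is constructed,
not a real registry response, and CURRENT_EMAILS is an assumption standing
in for the organisation's own contact inventory."""
from datetime import datetime, timedelta, timezone

# EPP status codes a registrant can set; each blocks one kind of change
# at the registrar until the legitimate owner removes the lock.
REQUIRED_LOCKS = {
    "client transfer prohibited",
    "client update prohibited",
    "client delete prohibited",
}


def contact_emails(record):
    """Yield (role, email) for every contact entity in the record.
    Entities carry a jCard ('vcardArray'); an email property has the
    shape ["email", params, "text", address]."""
    for entity in record.get("entities", []):
        roles = entity.get("roles", [])
        _, props = entity.get("vcardArray", ["vcard", []])
        for prop in props:
            if prop[0] == "email":
                for role in roles:
                    yield role, prop[3].lower()


def audit_domain(record, current_emails, now=None, expiry_warn_days=30):
    """Return a list of human-readable findings; an empty list means clean."""
    now = now or datetime.now(timezone.utc)
    domain = record["ldhName"].lower()
    findings = []

    # 1. Registrar locks: a hijack starts with an unauthorised transfer or
    #    contact change, which these statuses block.
    status = {s.lower() for s in record.get("status", [])}
    for lock in sorted(REQUIRED_LOCKS - status):
        findings.append(f"{domain}: missing registrar lock '{lock}'")

    # 2. Contacts: the registrar sends lock, transfer and renewal notices
    #    here, so a stale address means no warning.  An address hosted on
    #    the domain itself is fragile too: whoever takes the domain also
    #    takes the mailbox used to recover it.
    current = {e.lower() for e in current_emails}
    for role, email in contact_emails(record):
        if email not in current:
            findings.append(f"{domain}: {role} contact {email} is not a current address")
        if email.endswith("@" + domain):
            findings.append(f"{domain}: {role} contact {email} is hosted on the domain itself")

    # 3. Expiry: a lapsed registration can be picked up by anyone.
    for event in record.get("events", []):
        if event.get("eventAction") == "expiration":
            expires = datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
            if expires - now < timedelta(days=expiry_warn_days):
                findings.append(f"{domain}: registration expires {expires.date()}")
    return findings


# Constructed RDAP-style record (not a real registry response).
SAMPLE_RECORD = {
    "ldhName": "example.com",
    "status": ["active", "client delete prohibited"],
    "events": [{"eventAction": "expiration", "eventDate": "2005-03-01T00:00:00Z"}],
    "entities": [
        {"roles": ["registrant"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                  ["fn", {}, "text", "Betsy"],
                                  ["email", {}, "text", "betsy@example.com"]]]},
        {"roles": ["administrative"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                  ["fn", {}, "text", "Former Admin"],
                                  ["email", {}, "text", "oldadmin@example.net"]]]},
    ],
}
CURRENT_EMAILS = ["betsy@example.com"]          # assumed inventory of live addresses


def audit_sample():
    """Run the audit over the constructed record as of 15 February 2005."""
    return audit_domain(SAMPLE_RECORD, CURRENT_EMAILS,
                        now=datetime(2005, 2, 15, tzinfo=timezone.utc))


if __name__ == "__main__":
    for line in audit_sample():
        print(line)
```

Run against the constructed record it reports two missing locks, a registrant address that lives on the domain being protected, an administrative contact nobody reads any more, and a registration two weeks from expiry; each of those is a way for the contact information to end up in the wrong hands, which is exactly the step Rich's scenario depends on.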

Snarpy
01-19-2005, 11:43 AM
By the way, the link to Equifax in Rich's CSR emails isn't applicable anymore, since Equifax's certificate business was bought by Geotrust. The new link is Geotrust. (http://www.geotrust.com/web_security/index.htm)

Also, Thawte is offering a quick-turnaround certificate (SSL123) for $149, while Geotrust's is $169 for the first year and $149 thereafter.

FYI

Snarpy

Rich
01-19-2005, 10:50 PM
By the way, the link to Equifax in Rich's CSR emails isn't applicable anymore...
Thanks for pointing this out. I have updated the confirmation email and the website.

Rich
02-28-2005, 01:34 PM
I just saw this article regarding "website identity theft:"

http://www.theregister.co.uk/2005/02/17/scary_web_scam/

If this trend continues, the use of certificates for validating sites (as opposed to just protecting data in-transit) will become more important.