Time and time again on forums and on Twitter we see comments from people questioning why SSL certificates cost money and why brands like “Symantec” are much more valued than others that do the same thing.
I thought I’d take the liberty of writing this post so I have a go-to resource each time I read this and don’t find myself writing out a response time and time again. I concede that you are correct: it probably does cost Certificate Authorities very little to generate a certificate. After all, it’s just a file and it is probably all automated. The price you are paying, though, isn’t for the content of the certificate itself; it is a question of security and trust.
The major Certificate Authorities take their role very seriously. For example, Symantec have built a security fortress in order to maintain the integrity of the public and private keys. They take all the security precautions you would expect, but on top of this, both iris recognition and fingerprint scanners are in operation to protect the company’s SSL Vault. Couple this with the fact that Symantec alone use 14 data centers and deal with a staggering 4.5 billion certificate lookups a day, and you can start to understand why SSL certificates from such Certificate Authorities cost money. It isn’t about the file itself but the integrity, reliability and robustness of the whole process surrounding it. Remember: “not all Certificate Authorities provide equal assurance, yet all are equally trusted by browsers.”
If you want to read more about the Symantec SSL vault, we have covered it before.
Moving on from the physical security of your certificate, there are other things that mean the Certificate Authority can’t turn them out for free or at very little cost. The cost of a certificate can vary wildly: we sell RapidSSL certificates for $9, but equally we sell Symantec Secure Site Pro EV Certificates for $870, and many others in between. If they all encrypt traffic, why the difference in price?
The answer is simple: if you want an EV certificate (you will have seen the ‘green bar’ on many bank websites), the amount of verification you have to go through far outweighs that of getting a RapidSSL certificate. This in turn takes up much more of the Certificate Authority’s time, which is where some of the costs are incurred.
Getting an EV certificate is likely to indicate that the owner is in it for the long haul, as they have made a much bigger outlay in the first instance and have gone to the effort of creating a genuine business. It tells the customer that they are much more likely to be around in, say, a year and not gone tomorrow. The cheaper certs are adequate for many things, but particularly if you are looking for someone to trust you with their bank or card details, I would consider an EV cert.
People going for certificates from companies they already know and trust, rather than a cheaper unknown option, isn’t necessarily a bad thing. As I’ve said, trust is a big thing; you aren’t just getting a certificate for encryption. You are getting one so that your customers feel comfortable and subsequently buy from you.
So, in a nutshell: yes, you can get SSL certificates at very low prices, even free, but the certificate isn’t what you are paying for; it’s the security and trust of that certificate. If you have a certificate that isn’t secure, then there is no point in having one, and if you have one that isn’t trusted, you are missing out on conversions.