How to choose a digital certificate? What to take into account?

Viewed 423 times

12

I’m working on an online store, and I need to know which certificate has the best cost/benefit ratio. I need to recommend a certificate to the client, but this is the first time I’ve worked with one.

Bear in mind that, since it is an online store, it will handle some sensitive data such as credit card numbers. So it is vital that the communication travels over a secure channel, and also that the user can recognize this security.

Some Digital Certificate Options:

 ________________________________________________________________________________________________________________________________
| Certifier  | Certificate        | Encryption             | Information                                 | Price                |
|------------|--------------------|------------------------|---------------------------------------------|----------------------|
| GeoTrust   | Rapid SSL          | 128 bits               | 99% browser compatibility                   | R$ 74.00 BRL/year    |
|            |                    |                        | GeoTrust True Site seal                     |                      |
|            |--------------------|------------------------|---------------------------------------------|----------------------|
|            | Quick SSL          | SSL up to 256 bits     | 99% browser compatibility                   | R$ 290.00 BRL/year   |
|            |                    |                        | Fast issuance and easy installation         |                      |
|            |--------------------|------------------------|---------------------------------------------|----------------------|
|            | QuickSSL Premium   | 256 bits               | 99% browser compatibility                   | R$ 330.00 BRL/year   |
|            |                    |                        | GeoTrust True Site seal                     |                      |
|            |--------------------|------------------------|---------------------------------------------|----------------------|
|            | True BusinessID    | 256-bit SSL            | 99% browser compatibility                   | R$ 450.00 BRL/year   |
|            |                    |                        | Easy and fast to install                    |                      |
|============|====================|========================|=============================================|======================|
| VeriSign   | Secure Site        | SSL up to 256 bits     | VeriSign Secured® seal                      | R$ 1,100.00 BRL/year |
|            |                    |                        | Installation checker                        |                      |
|            |--------------------|------------------------|---------------------------------------------|----------------------|
|            | Secure Site Pro    | 128-bit to 256-bit SSL | Domain and organization validation          | R$ 2,400.00 BRL/year |
|            |                    |                        | VeriSign Secured® seal                      |                      |
|            |--------------------|------------------------|---------------------------------------------|----------------------|
|            | Secure Site EV     | SSL up to 256 bits     | Extended Validation (EV): green address bar | R$ 2,600.00 BRL/year |
|            |                    |                        | VeriSign Secured® seal                      |                      |
|            |--------------------|------------------------|---------------------------------------------|----------------------|
|            | Secure Site Pro EV | 128-bit to 256-bit SSL | Extended Validation (EV): green address bar | R$ 4,200.00 BRL/year |
|            |                    |                        | VeriSign Secured® seal                      |                      |
|____________|____________________|________________________|_____________________________________________|______________________|

My questions are as follows:

  • Are GeoTrust certificates inferior to VeriSign’s?

    • Is that why they are cheaper?
    • Or do they just have "less of a name" in the market?
  • Why is the encryption "up to X bits"?

    • Is X bits the encryption key size?
  • Is it worth paying more for a "green bar"?

    • Why?
    • Does it have some influence behind the scenes?

  • Related: "How does HTTPS (SSL) work?". The current answers are already very good; as for this key detail, that other question can help you better understand the process (the certificate is only used for signing; a different key is used for encryption, and that key is ephemeral, created solely for that session and thrown away at the end).

3 answers

8


Cheapest certificates:

  • have less of a name; that matters in some situations, and partly there is a reason for having less of a name, partly it is marketing;
  • are accepted by fewer browsers and other software (in general, operating systems) that look up certificates, but this is not usually a serious problem nowadays, since all the main ones are accepted even by very old browsers, and in applications you control you can add the certification authority; this is important, but it was more so in the past than it is today;
  • the damages paid out if any breach occurs are higher with the most expensive ones; with the cheapest there may be no such compensation.

Are GeoTrust certificates inferior to VeriSign’s?
- Is that why they are cheaper?
- Or do they just have "less of a name" in the market?

Whether the free ones, GeoTrust, VeriSign or another brand are inferior depends on the need and purpose of each. For most cases it makes little or no difference. That is why today the bulk of usage goes to Let’s Encrypt.

Why is the encryption "up to X bits"? - Is X bits the size of the encryption key?

The number of bits indicates the strength of the key protection, that is, how hard it is to break the key’s encryption. Not the data that your application/site transmits. Of course there is a higher processing cost with larger keys. But the cost is higher for commercial reasons and perhaps because it offers something more, such as a more thorough and obviously more expensive verification process. This isn’t usually a problem these days.

But keep in mind that the certificate only ensures who is on that side; it does not protect you from anything and does not protect the user beyond saying that the supplier they are accessing is the same one.

Is it worth paying more for a "green bar"? - Why? - Does it have some influence behind the scenes?

Whether it is worth paying more depends on the goal. Do you think users need to see such a green bar to feel safer? The same goes for other warranty seals or bars of other colors. But it is only psychological, marketing.

Each category has a different level of requirement. The more expensive ones require more proof from the certified organization and can make users feel safer. Again, you choose what level of security (in the same psychological sense) you want to give your user.

Of course, the more expensive ones can have a verification flow that avoids some types of attacks, like Man in the Middle. But you can’t solve it completely.

The more you pay, the more you are telling people who understand these things that you want to present yourself as a secure provider. Of course the fraudster will do the same to deceive the unwary.

Even with the most expensive certifiers there are serious cases of fraud.

The term security used here was more in the sense of the reliability of the person behind the software (probably a website) the user is using. Even so, it says very little.

The only way the certificate helps with security is by giving you a trusted public verification key to use. Nothing prevents you from providing this public key yourself. The problem is that your users will have to trust you 100%; there will be no one vouching that you are even remotely trustworthy. This works in some cases, but rarely on public websites.

  • "the certificate only ensures who is on that side; it does not protect you from anything and does not protect the user" How so? Isn’t the traffic encrypted with the certificate’s key?

  • Not directly. It uses a public key to indicate who you are, so the traffic is harder to forge, but this alone does not guarantee security. The data encryption will still have to be done with other keys. If you use only the public verification key (there may be another public encryption key), it is the same as not encrypting; after all, the key is public, it is known to everyone.

  • Right, so do I have to perform this encryption? Providing the public key and decrypting on the server with a private key?

  • 2

    That’s it. Of course the HTTP server does it for you if it is properly configured. It is possible to encrypt without a certificate. It’s just that it will let you know that you can’t trust whoever is doing the encrypting.

  • Does the certificate authority provide these keys, public and private?

  • It provides the public and private verification keys. Obviously the private one never leaves your server, or else someone unauthorized could impersonate you.

  • @Kaduamaral The Certificate Authority can provide the private key, or (ideally) you create it yourself and do not reveal it to anyone, including the CA. This is done through a "Certificate Signing Request" (CSR), in which you only prove to the CA that you actually own the private key corresponding to the public key that goes into the certificate. As for how to do this, every CA should have specific instructions, and OpenSSL helps as well.

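The last comment above describes the ideal flow: generate the private key yourself, send the CA only a CSR, and keep the key on the server. The script below is an added example (not code from this thread or from any CA) of doing exactly that with OpenSSL, plus the check a practitioner wants before uploading the CSR: that the CSR's self-signature verifies and that the public key inside it really belongs to the private key on disk. It assumes OpenSSL 1.1.1 or newer with its default config on PATH; the hostname loja.example, the scratch directory WORK and the RUN_DEMO switch are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the original thread: generate the store's own
# private key and a CSR, and confirm the CSR carries that key's public half
# before sending it to the CA. Assumes OpenSSL 1.1.1 or newer on PATH;
# loja.example is a made-up hostname and WORK a scratch directory.
set -eu

WORK="${WORK:-$(mktemp -d)}"
DOMAIN="${DOMAIN:-loja.example}"   # hypothetical shop hostname

# The private key is generated on the server and never leaves it; the CA only
# ever sees the CSR produced from it.
gen_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/server.key" 2>/dev/null
    chmod 600 "$WORK/server.key"
}

# The CSR is signed with the private key: that signature is the proof of
# possession the CA checks. The SAN extension carries the hostnames browsers
# actually match against (the CN alone is ignored by modern browsers).
gen_csr() {
    openssl req -new -key "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/CN=$DOMAIN" \
        -addext "subjectAltName=DNS:$DOMAIN,DNS:www.$DOMAIN" 2>/dev/null
}

# SHA-256 fingerprint of the public key derived from a private key file.
key_pub_fpr() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 fingerprint of the public key embedded in a CSR.
csr_pub_fpr() {
    openssl req -in "$1" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds only if the CSR's self-signature verifies AND its public key is the
# one belonging to the given private key. Run this before uploading the CSR,
# and the same fingerprint comparison on the certificate the CA returns
# (using "openssl x509 -pubkey -noout") so a mix-up never reaches production.
csr_matches_key() {
    openssl req -in "$2" -verify -noout 2>/dev/null || return 1
    [ "$(key_pub_fpr "$1")" = "$(csr_pub_fpr "$2")" ]
}

# Stand-alone demo: RUN_DEMO=1 sh csr_check.sh
if [ "${RUN_DEMO:-0}" = 1 ]; then
    gen_key
    gen_csr
    if csr_matches_key "$WORK/server.key" "$WORK/server.csr"; then
        echo "CSR $WORK/server.csr matches $WORK/server.key; safe to send to the CA"
    else
        echo "CSR does not belong to this key" >&2
        exit 1
    fi
fi
```

The fingerprint comparison is the part worth keeping around: a CSR generated from the wrong key, or a certificate the CA issued against a stale CSR, will not match the key the web server actually loads, and the mismatch only shows up as a handshake failure in production otherwise.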

6

Overall, the more expensive the certificate, the more "reliable" it is, from the customer’s point of view.

The key size also influences this reliability, but it is not the main factor. Any new certificate has a sufficiently strong key. The key is "up to x bits" because an older browser can negotiate a smaller key (I think).

"Reliable" means that the certificate authority has taken steps to verify that the applicant is indeed the entity it claims to be.

The cheapest certificates, which cost only $5 per year, only check that you control the domain. If you have an email @Foobar.com.br, the CA assumes that you control Foobar.com.br.

Cheap certificates are also issued by "sub-certifiers", i.e., the certificate authority that the browser trusts (A) signs certificate B, which signs certificate C, and entity C is the one that will sign your certificate D. So the chain becomes A-B-C-D, and you probably have to include the intermediate certificates B and C along with your certificate D, since the browser only knows A and not all of them download the intermediate certificates. (Testing the site with www.sslabs.com is a good way to catch this kind of problem.)

The most expensive certificate is signed directly by entity A, so the chain of trust is very short. It is not a technical advantage, but it decreases the chance of problems if one of the intermediate certificates is forged...

"Green bar" certificates have EV (Extended Validation), where the identity verification process is more rigorous and, most importantly, standardized. This type of certificate is desirable for banks, e-commerce, etc. Any hacker can get an SSL certificate for itauu.com.br, but only Itaú will get an EV certificate for "Itaú", and the bar will only be green for Itaú.com.br.

In any case, the reliability of the certificate depends on the quality of the certificate authority, and so a VeriSign of this world has more of a name than others.

  • Cool, this itauu example! Another interesting thing is that you only get the "green bar" if your company has existed for at least X years (this is verified), making this type of fraud harder. In the end, the difference between this type of certificate and "common" certificates lies mainly in the fact that the verification of your identity followed a more rigorous process.
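The A-B-C-D chain described in this answer is easy to reproduce locally, and doing so shows exactly what goes wrong when a server forgets to send B and C. The script below is an added example (not from this answer or from any CA) that builds a root A, two intermediates B and C and a leaf D with OpenSSL, then verifies D the way a client that trusts only A would: first with the leaf alone, then with the intermediates supplied alongside it. It assumes OpenSSL 1.1.1 or newer with its default config; the names Root A, Sub B, Sub C and loja.example, the scratch directory WORK and the RUN_DEMO switch are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the original answer: build a local A-B-C-D chain
# (root, two intermediates, leaf) with OpenSSL and show that a client holding
# only root A rejects the leaf until the intermediates are sent with it.
# Assumes OpenSSL 1.1.1 or newer; Root A / Sub B / Sub C / loja.example are
# made-up names and WORK is a scratch directory.
set -eu

WORK="${WORK:-$(mktemp -d)}"
DOMAIN="${DOMAIN:-loja.example}"

mk_key() { openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null; }

# Sign the CSR of $1 with the key of issuer $2, applying extensions from file $3.
sign() { # name issuer extfile
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 365 -extfile "$3" -out "$WORK/$1.crt" 2>/dev/null
}

build_chain() {
    # Intermediates must be marked CA:TRUE or verification rejects them as
    # issuers; the leaf gets the SAN that hostname checking matches against.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$DOMAIN" > "$WORK/leaf.ext"

    # A: the root the browser trusts (self-signed)
    mk_key "$WORK/A.key"
    openssl req -x509 -new -key "$WORK/A.key" -subj "/CN=Root A" -days 3650 \
        -out "$WORK/A.crt" 2>/dev/null

    # B and C: intermediates, each signed by the one above it
    for n in B C; do
        mk_key "$WORK/$n.key"
        openssl req -new -key "$WORK/$n.key" -subj "/CN=Sub $n" -out "$WORK/$n.csr" 2>/dev/null
    done
    sign B A "$WORK/ca.ext"
    sign C B "$WORK/ca.ext"

    # D: the site's own certificate, signed by C
    mk_key "$WORK/D.key"
    openssl req -new -key "$WORK/D.key" -subj "/CN=$DOMAIN" -out "$WORK/D.csr" 2>/dev/null
    sign D C "$WORK/leaf.ext"

    # What the web server must be configured to send: leaf first, then C, then B.
    # Root A is never sent; the client already has it in its trust store.
    cat "$WORK/D.crt" "$WORK/C.crt" "$WORK/B.crt" > "$WORK/fullchain.pem"
    cat "$WORK/C.crt" "$WORK/B.crt" > "$WORK/intermediates.pem"
}

# Verify leaf $2 against trust anchor $1, optionally with the untrusted
# intermediates in file $3, checking the hostname as a browser would.
verify_leaf() { # anchor leaf [intermediates]
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" -verify_hostname "$DOMAIN" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" -verify_hostname "$DOMAIN" "$2" >/dev/null 2>&1
    fi
}

# Stand-alone demo: RUN_DEMO=1 sh chain_check.sh
if [ "${RUN_DEMO:-0}" = 1 ]; then
    build_chain
    if verify_leaf "$WORK/A.crt" "$WORK/D.crt"; then
        echo "leaf alone: OK"
    else
        echo "leaf alone: REJECTED (unable to get local issuer certificate)"
    fi
    verify_leaf "$WORK/A.crt" "$WORK/D.crt" "$WORK/intermediates.pem" && echo "leaf + C + B: OK"
fi
```

The leaf-only verification fails with "unable to get local issuer certificate", which is precisely what a browser without the intermediates cached sees, and what the SSL Labs "chain issues" warning reports. Pointing the server's certificate directive at fullchain.pem rather than D.crt is the fix.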

3

The basic point is to check for browser compatibility.

In fact, no one needs to buy SSL certificates, as they can be generated for free.

The problem is that popular browsers do not recognize such certificates unless the user installs them in the browser, and this is impracticable for the general public. This happens for security reasons, as it would be chaos if browsers accepted any certificate issuer.

The difference between the approved certifiers lies in the features offered: data volume, insurance ranging from 100k USD to 20M USD (that’s right, 20 million dollars), types of cryptography, among others.

Usually they charge a higher price for the green bar, where the URL bar is completely green.


Visually it gives a better impression, as if it were safer. But to me it is nothing but ostentation. Anyway, it is just one more resource that certificate companies have come up with to monetize more services.

I recommend cheap providers for small and medium-sized websites. If the site does not exceed 15 or 30 thousand unique visits per day, you can use the cheaper ones. But I do not recommend one called "Namecheap". Not that it is bad; the problem is the name that appears in the browser URL bar as "Namecheap", giving a bad impression, as if the site were cheap.

Of the cheap ones, the one I can recommend is "Globessl". Good reputation, excellent service and conveniently cheap.

Anyway, no matter which type you choose, from the cheapest to the most expensive, always pay attention to security, because SSL is not a guarantee of security, as already mentioned in other comments.
