You may already know that Google is using a carrot-and-stick policy to force all websites to use encryption.
Starting in January 2017, if your website is not secure — meaning it’s not using the encrypted HTTPS protocol and doesn’t have a green padlock symbol — your pages will eventually be marked with a red warning symbol.
Google’s online help says this about the warning:
“We suggest you don’t enter any private or personal information on this page. If possible, don’t use the site.”
From a marketing perspective, it’s a fiasco, an awesome way to drive away business. But in the long run, it’s truly best for everyone. We support the change.
Here’s the key: to enable your secure website, you MUST have an SSL Certificate.
It’s simply a digital “signature” that assures visitors that your website indeed belongs to you, and it encrypts the connection between your visitors and your website. Result: privacy and assurance that sensitive data like credit card numbers and passwords are not being intercepted by the dark side.
If you haven’t converted already, we offer a secure HTTPS website conversion service that gets it done quickly and affordably.
Welcome to the world of SSL Certificates, where distinctions are tough to discern, and prices cover an enormous range — from zero to hundreds of dollars per year. Yet, all certificates provide similar features and meet baseline security requirements.
So, what’s the difference between certs and how much should you pay?
Let’s dive in to quickly find out why it’s a “what the market will bear” environment and how to tip things in your favor.
Firstly, be aware that the SSL certificate industry is a confusing labyrinth of brands and cross-marketing partnerships. A small number of official Certificate Authorities issue the certificates. The top five — Comodo, Symantec, GoDaddy, GlobalSign, and DigiCert — control 90%+ of the market. If you buy a certificate, you’ll probably be buying directly or indirectly from one of them.
Nice business, right? Scalable, recurring, mostly automated, high margin. This cash cow has been milked for 20 years. And that’s where it gets interesting . . .
Certificates are sold directly at retail prices by the certificate authorities, but they are also marketed downstream by hosting companies as well as thousands of independent re-sellers and affiliates.
Re-sellers often market brand-name certificates at a fraction of retail price — 80% off in some cases. Yet, the product is identical. How is that possible? Because the incremental cost of issuing a new, basic certificate approaches zero. It’s a fully automated process and can be scaled to meet demand. A strong re-seller can negotiate in bulk, driving the price way down.
The primary difference between certificates is the level of validation — how thoroughly the organization that wants the certificate is vetted by the certificate authority. If you want to convey a high level of assurance to your customers that your website does indeed belong to your organization, you can pay the certificate authority to review more documentation about your business. These are the
- Domain Verification: Simple, fast, cheap. This is what most businesses need — a green padlock symbol and an encrypted connection. The CA simply checks that the organization owns the domain. The certificate assures the consumer that they are visiting the intended domain.
- Organization Verification: A deeper verification process, at a mid-tier price. This is for businesses that conduct a significant amount of e-commerce. The CA checks documents to confirm the business identity and location. Consumers are reasonably assured of the company’s identity and location.
- Extended Verification: Extreme verification at a top-tier price. Only the CA does in-depth research on your business identity, location,
For practical purposes though, there’s very little difference. If a
For small business sites that are not deep into e-commerce, I’m not seeing any compelling reason to pay more than necessary. That’s my working theory for the moment.
By the way, Google will be nullifying all Symantec, Verisign, GeoTrust, Thawte, and RapidSSL certificates for security policy violations. You may