How to choose a digital certificate? What to take into account?

12

I'm working on an online store, and I need to know the best certificate in terms of cost vs. benefit. I need to recommend a certificate to the client, but this is the first time I work with a

Bear in mind that, because it is an online store, it will handle some sensitive data such as credit card numbers and so on. So it is vital that communication goes over a secure channel, and also that the user can recognize that security.

Some Digital Certificate options:

 ____________________________________________________________________________________________________________________________________________________
| CA                | Certificate           | Encryption                    | Details                                           | Price              |
|-------------------------------------------|-------------------------------|---------------------------------------------------|--------------------|
| GeoTrust          | Rapid SSL             | 128-bit                       | Compatible with 99% of browsers                   | R$ 74.00 / year    |
|                   |                       |                               | GeoTrust True Site seal                           |                    |
|                   |-----------------------|-------------------------------|---------------------------------------------------|--------------------|
|                   | Quick SSL             | SSL up to 256-bit             | Compatible with 99% of browsers                   | R$ 290.00 / year   |
|                   |                       |                               | Fast issuance and easy installation               |                    |
|                   |-----------------------|-------------------------------|---------------------------------------------------|--------------------|
|                   | QuickSSL Premium      | 256-bit                       | Compatible with 99% of browsers                   | R$ 330.00 / year   |
|                   |                       |                               | GeoTrust True Site seal                           |                    |
|                   |-----------------------|-------------------------------|---------------------------------------------------|--------------------|
|                   | True BusinessID       | SSL 256-bit                   | Compatible with 99% of browsers                   | R$ 450.00 / year   |
|                   |                       |                               | Quick and easy to install                         |                    |
|===================|=======================|===============================|===================================================|====================|
| VeriSign          | Secure Site           | SSL up to 256-bit             | VeriSign Secured® seal                            | R$ 1,100.00 / year |
|                   |                       |                               | Installation checker                              |                    |
|                   |-----------------------|-------------------------------|---------------------------------------------------|--------------------|
|                   | Secure Site Pro       | SSL 128-bit to 256-bit        | Domain and organization validation                | R$ 2,400.00 / year |
|                   |                       |                               | VeriSign Secured® seal                            |                    |
|                   |-----------------------|-------------------------------|---------------------------------------------------|--------------------|
|                   | Secure Site EV        | SSL up to 256-bit             | Extended Validation (EV): green address bar       | R$ 2,600.00 / year |
|                   |                       |                               | VeriSign Secured® seal                            |                    |
|                   |-----------------------|-------------------------------|---------------------------------------------------|--------------------|
|                   | Secure Site Pro EV    | SSL 128-bit to 256-bit        | Extended Validation (EV): green address bar       | R$ 4,200.00 / year |
|                   |                       |                               | VeriSign Secured® seal                            |                    |
|___________________|_______________________|_______________________________|___________________________________________________|____________________|

The questions I have are the following:

  • Are GeoTrust certificates inferior to VeriSign's?

    • Why are they cheaper?
    • Or do they just have "less of a name" in the market?
  • Why is the encryption "up to X bits"?

    • Is X bits the encryption key size?
  • Is it worth paying more for a "green bar"?

    • Why?
    • Does it have any influence under the hood?
asked by anonymous 27.07.2015 / 20:05

3 answers

8

Cheaper certificates:

  • have less of a name; this matters in some situations, and in part there is a reason for having less of a name, in part it is marketing;
  • are accepted by fewer browsers and other software (usually operating systems) that look for certificates, but this is not usually a serious problem nowadays, since all the major ones are accepted even in quite old browsers, and applications you control can add the certification authority; this is important, but it was more so in the past than today;
  • if there is any breach, the more expensive ones pay out more; the cheaper ones may not even compensate you;

Whether the free ones, GeoTrust, Verisign or other brands are inferior depends on the need and purpose of each. For most cases, it makes little or no difference.

The number of bits indicates the strength of the key protection, that is, how hard it is to break the key's cryptography. Not of the data that travels through your application / site. Of course there is a higher processing cost with larger keys. But the price is higher for commercial reasons and perhaps because it offers something more, such as a more thorough and obviously more expensive verification process. This is not usually a problem these days.

But keep in mind that the certificate only guarantees who is on the other side; it does not protect you from anything, and it does not protect the user beyond saying that the vendor they are accessing is indeed that vendor.

Whether it pays to pay more depends on the goal. Do you think users need to see such a green bar to feel more secure? The same goes for the other guarantee seals or bars of other colors. But it's just psychological, marketing.

Each category has a different level of requirements. The more expensive ones require more checks on the certified organization and can make users feel safer. Again, you choose what level of security (in the psychological sense) you want to give your user.

Of course, the more expensive ones may have a verification flow that prevents some types of attacks, such as Man in the Middle. But it cannot completely solve that.

The more you pay, the more you are telling anyone who understands these things that you want to be a safe provider. Of course the fraudster will do the same to deceive the unwary.

Even with the most expensive certifiers there are serious cases of fraud.

The term security used here was more in the sense of the reliability of the person behind the software (probably a website) that the user is using. Even so, it says very little.

The only thing the certificate helps with, security-wise, is having a trusted public key to use. Nothing prevents you from providing this public key yourself. The problem is that your users will have to rely 100% on you; there will be no one attesting that you are minimally reliable. This works in some cases. But rarely on public websites.

27.07.2015 / 21:08
6

In general, the more expensive the certificate, the more "trusted" it is, from the customer's point of view.

The size of the key also influences this reliability, but it is not the main factor. Any new certificate has a strong enough key. The key is "up to X bits" because an older browser can negotiate a smaller key (I think).

"Reliable" means that the certificate authority has taken steps to verify that the person who requested the certificate is actually the entity it claims to be.

A cheap certificate, which costs only $5 per year, only verifies that you control the domain. If you have an e-mail address @foobar.com.br, the CA assumes that you control foobar.com.br.

Cheap certificates are also usually issued by "sub-certifiers", that is, the certificate authority that the browser trusts (A) signs certificate B, which signs certificate C, and entity C is the one that will sign your certificate D. The chain is then A-B-C-D, and you will probably have to include the intermediate certificates B and C together with your certificate D, because the browser only knows A, and not all browsers download intermediate certificates. (Testing the site with www.ssllabs.com is a good way to catch this kind of problem.)

The most expensive certificate is signed directly by entity A, so the trust chain is very short. It is not a technical advantage, but it reduces the chance of problems if one of the intermediate certificates is forged...

"Green bar" certificates have EV (Extended Validation), where the identity verification process is stricter and, more importantly, standardized. This type of certificate is desirable for banks, e-commerce, etc. Any hacker can get an SSL certificate for itauu.com.br, but only Itaú will get an "Itaú" EV certificate, and the bar will only turn green for itau.com.br.

In any case, the reliability of the certificate depends on the quality of the certificate authority, and there a Verisign has more of a name than the others.

27.07.2015 / 21:04
3

The basic point is to check compatibility with browsers.

No one really needs to buy SSL certificates, because they can be generated for free.

The problem is that popular browsers do not recognize such certificates unless the user installs them in the browser itself, which is not feasible for the general public. This happens for security reasons, because it would be chaos if browsers allowed any certificate issuer.

The difference between the approved certifiers is in the features offered: data volume, insurance that varies between 100k USD and 20M USD (that's right, 20 million dollars), types of cryptography, among others.

They usually charge a higher price for the green bar, where the URL bar turns completely green.

Visually it gives a better impression, as if it were more secure. But for me, it's just ostentation. Ultimately, it's just one more feature that certificate companies have arranged in order to monetize more services.

I recommend the cheap providers for small and medium-sized websites. If the site does not exceed 15 or 30 thousand unique hits/day, you can use these cheaper ones. But I would not recommend the one called "namecheap". Not because it's bad; the problem is the name that appears in the browser URL as "name cheap", giving a bad impression, as if the site were cheap.

Of the cheap ones, I can recommend "GlobeSSL". Good reputation, excellent service and conveniently cheap.

However, it doesn't matter which one you choose, from the cheapest to the most expensive: always be mindful of security, because SSL is not a security guarantee, as already mentioned in the other answers.

28.07.2015 / 15:51
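The second answer's A-B-C-D chain (the browser trusts only A, so the server must send the intermediates) and the third answer's point that a free, self-signed certificate is rejected until the user installs it are both easy to reproduce with the Go standard library. The program below is an added example written for this page; it is not code from any of the answers above. Everything in it is constructed: the CA names are hypothetical, "itauu.com.br" is the look-alike host from the second answer, and "loja.example" is a made-up store host. It builds a root -> intermediate -> leaf chain in memory, then verifies the leaf the way a browser would, with an explicit trust store (never the system one), whatever intermediates the "server" sent, and the host name typed in the address bar.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed root -> intermediate -> leaf chain (hypothetical names).
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl with the parent's key; passing parent == tmpl makes it self-signed.
func issue(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// newTemplate builds a CA or a server (leaf) template valid for one day.
func newTemplate(serial int64, cn string, isCA bool) *x509.Certificate {
	now := time.Now()
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.DNSNames = []string{cn} // browsers match the URL host against the SAN, not the CN
	}
	return t
}

// BuildChain mimics the answer's setup: root A signs intermediate B, B signs the site's leaf.
func BuildChain(host string) Chain {
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	rootTmpl := newTemplate(1, "Hypothetical Root CA A", true)
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	inter := issue(newTemplate(2, "Hypothetical Intermediate CA B", true), root, &interKey.PublicKey, rootKey)
	leaf := issue(newTemplate(3, host, false), inter, &leafKey.PublicKey, interKey)
	return Chain{Root: root, Intermediate: inter, Leaf: leaf}
}

// SelfSigned is the "generated for free" certificate from the third answer.
func SelfSigned(host string) *x509.Certificate {
	k := newKey()
	t := newTemplate(4, host, false)
	return issue(t, t, &k.PublicKey, k)
}

// certs is a small helper so callers can write certs(a, b) for a slice.
func certs(c ...*x509.Certificate) []*x509.Certificate { return c }

// VerifyLikeBrowser checks leaf against an explicit trust store, the intermediates the
// server actually sent, and the host the user typed. Empty pools are used on purpose:
// a nil Roots pool would silently fall back to the system trust store.
func VerifyLikeBrowser(leaf *x509.Certificate, trusted, sent []*x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	for _, c := range sent {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		DNSName:       host,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	c := BuildChain("itauu.com.br") // look-alike host from the second answer (constructed)
	show := func(label string, err error) { fmt.Printf("%-40s -> %v\n", label, err) }
	show("full chain sent, host matches", VerifyLikeBrowser(c.Leaf, certs(c.Root), certs(c.Intermediate), "itauu.com.br"))
	show("server forgot intermediate B", VerifyLikeBrowser(c.Leaf, certs(c.Root), nil, "itauu.com.br"))
	show("user actually typed itau.com.br", VerifyLikeBrowser(c.Leaf, certs(c.Root), certs(c.Intermediate), "itau.com.br"))
	ss := SelfSigned("loja.example") // constructed store host
	show("self-signed, nothing installed", VerifyLikeBrowser(ss, nil, nil, "loja.example"))
	show("self-signed, user installed it", VerifyLikeBrowser(ss, certs(ss), nil, "loja.example"))
}
```

Running it prints `<nil>` only for the first and last cases: the chain verifies when the intermediate is sent, fails with an unknown-authority error when the server omits it (exactly what an SSL Labs scan flags as an incomplete chain), fails with a hostname error when the name in the address bar does not match the SAN, and a self-signed certificate is only accepted once it has been placed in the trust store by hand.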