Shopping for the right SSL: What are the options?
Justin Fielding posted about the different SSL certificate options, including Extended Validation, SGC, standard SSL, and domain-validated SSL, and the advantages and disadvantages of each. After going over the differences, he recommends an EV SGC certificate to give the best security.
Deciding which certificate fulfills your requirements is a personal choice and very much depends on why you are using SSL in the first place. If you’re using the certificate to protect a public Web site that takes online payments, then an SGC-enabled certificate with Extended Validation will be the best option. This will verify your identity, giving potential customers peace of mind; it will also ensure that they have the highest level of confidence in the authenticity of your digital certificate. It is, unfortunately, still a little too expensive for the majority of smaller online businesses and too new for a lot of larger businesses to have adopted.
If an Extended Validation equipped certificate is a little too expensive but you still want to make sure that users are fully protected, then an SGC certificate will probably be a good compromise. An SGC certificate is also desirable if you know that some users will be connecting with old software, which will default to weak encryption ciphers.
Given that users of old web browsers (which require an SGC certificate to encrypt at 128-bit) are practically non-existent, the recommendation of an SGC SSL certificate seems antiquated for all but the most popular websites. Justin does mention:
Standard SSL certificates are still quite adequate for the majority of uses. Most visitors will have recent browser versions capable of high encryption, and the standard certificate still verifies that your business is legitimately registered.
He also mentions how domain validated certificates can be useful for non-ecommerce sites that have already established trust with their users.
Domain validated certificates are fine when there is no e-commerce involved and all of your visitors are ‘known;’ that is to say, that they are known by you and you are known by them. While the domain validated certificate does not give the general public any guarantee that you are who you claim to be, it does verify that the server being connected to is the one authorised to serve that domain and not a third party. Encryption of up to 256-bits is available with 128-bits being the norm under most modern browsers. I think a domain validated certificate would be quite acceptable for securing access to corporate resources where visitors would be company employees with a known minimum level of browser security (which can be enforced via embedded browser checks). A domain validated certificate can be particularly useful in situations where a fast deployment is required. The certificate can be requested/installed within minutes and can always be replaced with a full SSL certificate later on.
Shopping for the right SSL: What are the options? - [TechRepublic]
Originally posted on Sun Dec 9, 2007