SSL Certificates and Wild Pricing

As part of a project of work I’m looking into currently, we are planning a move from Exchange 2007 to Exchange 2010. As those of you who’ve done this before will know, you need to set up the environment with two namespaces for a period of the migration, which Microsoft refer to as the Exchange 2010 namespace and the legacy namespace (the Exchange 2007 namespace). As part of this, we need to get a new SSL certificate.

Normally we buy our certificates from VeriSign as a standard rule of thumb; however, after looking at the costs today, I’m starting to wonder how VeriSign do so well in the SSL certificate business. I’m not going to go into exact specifics, but the overall cost for the certificate I was looking to purchase was £69,000, which is frankly unbelievable for a certificate to secure a messaging platform. The cost of the certificate is over double what we paid for a pair of HP DL380p servers fully loaded with 900GB SAS disk for local storage to host the DAG Mailbox roles. To make it worse than just the price on its own, that’s just for one year’s validity on the certificates too.

Out of curiosity and because they are starting to develop a bit of a name for themselves, I decided to compare the cost of this to GoDaddy. That very same certificate, offering me the same number of SAN names for the Exchange features with GoDaddy is a mere £165 a year.

How, I wonder, when you compare £69,000 to £165, do VeriSign actually sell any certificates? Sure, VeriSign offer more in the way of commercial compensation than GoDaddy ($1,500,000 for VeriSign and $160,000 for GoDaddy), but commercial compensation really only applies to transactional or commerce websites. When you are talking about a messaging platform, coupled with a two-factor authentication system, the compensation loses its value quickly. GoDaddy offer a malware inspection service for secured sites, something which VeriSign also offer. VeriSign have some value-add propositions that GoDaddy don’t, I will grant them that. Features such as Norton Secured Seal and a Symantec Search Seal are on offer, but both of those things are dependent on people having Norton software and browser plugins installed to show the seal. Installing browser plugins which really aren’t needed and aren’t adding a true sense of value is something which I don’t recommend, and nor do Microsoft, hence the popups that modern versions of Internet Explorer have asking you to disable add-ons.

With GoDaddy being so popular these days, their Trusted Root CA certificate is valid on a claimed 99.9% of devices; therefore, gone are the days of “use the likes of GoDaddy or Comodo SSL at your peril” due to the possibility of getting certificate invalid warnings on the clients.

I haven’t taken a decision on the purchase just yet as it needs some consultation within the company, but one or two people I spoke to today agreed with me in so much as why shouldn’t we use GoDaddy, and frankly, I’m not seeing a lot of reasons why currently.