A big revenue generator is quickly declining.
But what Google giveth, Google can taketh away. And this is wreaking havoc on the business of selling SSL certificates.
Google is continually downgrading positive indicators of SSL certificates in Google Chrome. Other browser makers are, too.
Of course, Google also backs Let’s Encrypt, which lets the technically minded get free SSL certificates.
It seems that companies profiting from SSL certificates have found two ways to stretch out this cash cow in the face of downgraded browser benefits and free SSL providers.
As far as the browser benefits are concerned, SSL sellers have promoted Extended Validation (EV) Certificates. These are the ones that show the company name in the address bar next to the URL.
Or rather, did show the company name. Even that’s coming to an end. Troy Hunt explains why EV is dead, thanks to the browser makers downgrading its indicators.
On the hosting side, some companies force users to use their own SSL rather than a free certificate. For example, GoDaddy’s Managed WordPress only works with GoDaddy certificates. And they are pricey.
The GoDaddy managed WordPress starter plan is $9.99 per month. SSL is $79.99 per year, so $6.66 per month. This makes the cheapest WordPress package 66% more expensive than it appears.
To show how silly this is, consider that GoDaddy’s Website Builder plans all come with an SSL certificate and the cheapest plan is $5.99 per month. So you can get a website builder with SSL for less than GoDaddy charges for an SSL certificate. Only you can’t apply this SSL certificate to your WordPress site.
SSL is still a cash cow for many companies. But it’s dwindling.
The only reason Google cares about SSL certificates is because it helps Google and their one-trick pony – advertising.
By forcing users to have an SSL certificate, there is little chance of a third party like an ISP or public WiFi injecting ads onto your website, making sure Google is serving those ads.
That is why they are backing Let’s Encrypt and do not care about the type of SSL you have; as long as you have one, they are happy.
Yeah, but to be fair, does anyone want an ISP injecting content into their page?
ISPs want it.
We direct our clients to hosting that comes with free SSL and free site security that is better than most paid security systems.
Let’s Encrypt has definitely turned the SSL industry upside down.
Let’s Encrypt is a tool for the browser writers to maintain control of domain owners.
But look what Apple said in that linked article: “Org name is not tied to users intended destination the same way that the domain name is”.
So perhaps, now… finally… the browser makers can put their full support behind DNSSEC and DANE?
It’s very frustrating using those and having to instruct users on how to allow what the browser writers have deemed, in their infinite wisdom, a “security exception”.
Google distrusted Symantec Website Security Solutions, which had the majority SSL market share. It then backs Let’s Encrypt, which offers free certs... free Domain Validated certificates only. One can only guess what direction this leads to. Certificate Authorities base their existence on other types of SSL certificates, i.e. OV and EV, which are supposedly less prone to phishing attacks, a fact many fail to realize. Is it really a good approach to do away with third-party trusted SSL certificate providers? I think of it this way: DV certs are like your university ID card, OV like your national ID card and EV your international passport. It all boils down to trust. For some if not all SSL consumers it makes a lot of sense to employ the use of cert solutions that make it easy to do business with clients or customers that do not necessarily know who you are. Who would a customer trust: a merchant who identifies themselves with a university ID card, or one that identifies with an international passport? So Let’s Encrypt issues student ID cards and is backed by Google, and third-party CAs issue national IDs and international passports. The question one would ask is “is Google considering the clients’/online users’ security, or is it considering saving a dollar for merchants yet compromising on the security of the end user?” Google is big, yes, BUT can it be taking a wrong direction?
You can spoof company names in EV just fine (and this has been demonstrated several times in the past). There is no use for these certs. This is why Google and Mozilla are removing them.
DV certificates should never have existed in the first place. Back in the day, all certificates verified what is EV nowadays... CAs only add real value when doing what is OV or EV. Whether using LE or DANE, DV’s only value is to encrypt, not to certify whom you are talking to.
Encryption without authentication is a recipe for compromising security; that’s what DV certs are about. Anyone, even criminals, can get a domain and secure it, or rather encrypt it, with a DV cert. By getting DV certs, criminal websites can look as secure as legit ones. It is a very cheap, or rather free (Let’s Encrypt), way of making clients believe that they are in a safe environment just because the web address shows https. The unsuspecting internet users will not see any difference. It now leaves the choice to the organizations which require SSL certificates for their online presence: do they see it fit to have the same sort of security as cybercriminals also have on their phishing websites? It’s difficult if not impossible for cybercriminals to get an EV cert. Google is gliding in the same wave as organizations that want to cut down costs; it’s that simple: cutting security costs leads to compromise. It’s a pity that most IT personnel don’t value the other strength of an SSL certificate, which is authentication, hence they will go for free security, which leaves their websites... unsecure. It’s like sealing a water container with holes: sure, it looks good, but eventually it will drain its own water out. In a way a DV cert on a public-facing website is the worst way of securing a website, worse still after being compromised, only to realize that the security was free.
SSL doesn’t mean that the site is safe. It doesn’t mean that it’s operated by “good guys”. It doesn’t mean that the site operators won’t do bad things, deliberately or inadvertently, with your data. And it has never meant any of those things, despite decades of ignorant users thinking otherwise. All it has ever meant* is that (1) data hasn’t been read or altered in between your browser and the web site; (2) the site that you’re viewing matches the name you entered; and (3) if and only if the site has an EV cert, you bother to look for the indications, and the company name matches the “trade name” you’re expecting, the site is operated by a company whose name matches the company you expect.
The third point above is the problem: users simply don’t pay attention to the green bar. They don’t remember which sites “should” have a green bar, and they don’t change their behavior when a site that used to have a green bar doesn’t any more. Remember the outcry when Twitter stopped using EV certs? (There wasn’t any. That’s the point.) Remember the outcry about little sites like Google and Amazon not using EV certs? Yeah, that didn’t happen either.
* Well, it means these things assuming you don’t have a TLS-intercepting proxy in the middle that has a trusted CA on your machine.
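The comments above argue over DV, OV and EV certificates and over what a matching certificate actually proves. The following Go program is an added example, not code from the post or any commenter: it classifies a leaf certificate by the CA/Browser Forum policy OID it carries (falling back to whether the subject names an organization) and runs the same hostname check a browser does. The sample certificates are constructed struct literals, and the company name and hostnames are assumptions.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"strings"
)

// CA/Browser Forum policy OIDs that CAs place in certificatePolicies to mark the validation level.
var (
	oidEV = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
	oidOV = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2}
	oidDV = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}
)

// ValidationLevel returns "EV", "OV", "DV" or "unknown"; the policy OID wins, and a subject with no Organization can only be domain-validated.
func ValidationLevel(cert *x509.Certificate) string {
	for _, p := range cert.PolicyIdentifiers {
		switch {
		case p.Equal(oidEV):
			return "EV"
		case p.Equal(oidOV):
			return "OV"
		case p.Equal(oidDV):
			return "DV"
		}
	}
	if len(cert.Subject.Organization) == 0 {
		return "DV"
	}
	return "unknown"
}

// Report mirrors a browser: a hostname mismatch is fatal, the validation level is only informational.
func Report(cert *x509.Certificate, typedHost string) string {
	if err := cert.VerifyHostname(typedHost); err != nil {
		return "name mismatch: " + err.Error()
	}
	return typedHost + " matches; level=" + ValidationLevel(cert) + "; org=" + strings.Join(cert.Subject.Organization, ",")
}

// Constructed sample leaf certificates (struct literals, not issued by any CA): one EV cert and one DV cert on a lookalike name.
var (
	shopEV = &x509.Certificate{Subject: pkix.Name{Organization: []string{"Example Shop Ltd"}},
		DNSNames: []string{"shop.example"}, PolicyIdentifiers: []asn1.ObjectIdentifier{oidEV}}
	lookalikeDV = &x509.Certificate{DNSNames: []string{"shop-example.test"},
		PolicyIdentifiers: []asn1.ObjectIdentifier{oidDV}}
)
```

On a live connection the leaf certificate comes from tls.Conn.ConnectionState().PeerCertificates[0]; the lookalike DV cert passes the hostname check for its own name while saying nothing about who operates it, which is the point the comment above makes.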
I pay around $200 per year for my EV certificate. As a small business it is costly considering my site only provides company information and doesn’t conduct financial transactions or transmit sensitive information. I bought it for two reasons:
1. To make it distinguishable from knockoff sites via the green authentication in the address bar along with showing my company has been verified and is who we say we are and …
2. To keep my site ranking high and from being penalized for not having it.
As an online consumer I’ve come to value the importance of SSL EV. It lets me know that the business I’ve never heard of is an actual business that has been vetted. My vetting required my accounting firm to verify our details. I liked the green bar with EV as it added legitimacy to the site and gave me confidence.
Philosophically I do not agree with having to pay $200 a year to make my website valid to the consumer. The domain name should do that on its own. I understand the risks of phishing attacks and sites that appear to be what they are not, but you can’t fix stupid, and the SSL is just another tax on site owners / businesses. Being told by Google that not having the certificate would make my legitimate site, which has been operating for years, suffer in rank infuriated me. It was like a mob shakedown... we will bust your windows if you don’t want to pay. Absolutely no difference. However, I can deal with SSL being required.
What I can’t deal with is these jerks taking away the green highlighting on mobile and also destroying the domain name in the web address URL bar. Their goal is for there to be a walled garden where the consumer is not even considering typing in domain names, but typing in search terms and feeding you their crappy results.
Maybe you guys don’t see it because you are in the forest amongst the trees, but in places like China, where the walled garden is WeChat, a good percentage of the populace doesn’t even know what an address bar or URL is. Google, Apple, Facebook all want to replicate this in the West. It is coming, as reflected by the decline in direct type-in traffic over the years, yet internet users and use are up.
Does ‘Let’s Encrypt’ provide EV certificates? We have a small website on our real estate projects’ details. It is not an eCommerce website; no monetary transaction or login is required. We have all the legal papers to do the business. We have seen that an EV certificate is really costly for us. Our hosting provides only SSL (Let’s Encrypt). Any idea?
No, Let’s Encrypt provides only DV certificates. If you think you need an EV cert, you should think hard about why—in most cases they aren’t worth the electrons they’re printed on.
The FREE “Let’s Encrypt” Certificate is sufficient for most cases.
Do not pay for any other expensive crap “certificates”. It is a SCAM.