Why are we charging extra for SSL? - nfm
http://streaming.nfm.id.au/why-are-we-charging-extra-for-ssl

======
RKearney
Let's see...

* IPv4 addresses are NOT free by any means.

* Having an SSL certificate requires extra configuration on the server.

* Legitimate SSL certificates are not free (VeriSign, etc, if your site uses StartCom then you're doing it wrong)

That's just a few points.

~~~
spindritf
> * IPv4 addresses are NOT free by any means.

You can use SNI but you probably have one website and one certificate for all
customers anyway.

> if your site uses StartCom then you're doing it wrong

Why? (honest question)

~~~
RKearney
> Why? (honest question)

I meant to say StartSSL, which is the free SSL certificate provider. As far as
I'm aware, their free certificates come with no warranty of any kind (although
I could be wrong). Depending on how large your business is, you would more
than likely go with a trusted brand such as VeriSign/GeoTrust/Thawte.

Although for small projects, they're more than fine if all you care about is
quickly and cheaply securing transmissions.

~~~
RyanGWU82
I brought StartSSL to my last 2 employers for internal sites, like development
sites and internal apps, and it's been wonderful. We haven't found any
problems with StartSSL certificates in browsers, from IE6 up through the
newest browsers. We've considered using StartSSL for our public sites too, but
haven't done so yet.

Do customers really care about the name brand or "warranty" of the SSL
certificate? What percentage of customers are even aware of who issued your
certificate, and do those customers really have concerns about StartCom?

This sounds like the argument we heard from DynDNS salespeople last year,
about how our customers expect us to be using "enterprise" vendors, rather
than "consumer-grade" vendors like Amazon Web Services. Even our savviest
customers have never asked us who our DNS provider was.

------
mixonic
For serious cloud/SaaS products, especially B2B stuff, this really shouldn't
be a question. When I was at Harvest we sent SSL-for-all in 2009:

[http://www.getharvest.com/blog/2009/06/unlimited-clients-projects-and-ssl-for-all-plans/](http://www.getharvest.com/blog/2009/06/unlimited-clients-projects-and-ssl-for-all-plans/)

Sure, it costs a little bit of money. But it makes our users a little safer
when they log into our service. There aren't many levers you have in a SaaS
product that you can pull to really make user data secure once it leaves your
servers.

As pwim said, if you can't recover the cost per user then your company must
have some big problems. I always frown at a pricing page that says SSL is an
add-on; it demonstrates that whoever is running things behind the curtain
isn't really concerned about the safety of user data in their app.

~~~
ceejayoz
I was baffled by Heroku's $20/month fee for SSL until I found out that SSL on
EC2 means you have to have a dedicated Elastic Load Balancer for each domain.

------
sdfjkl
Computational cost is not negligible when you scale up. It is very manageable,
but it does end up costing extra.

Using SSL for all private data is an absolute must though.

------
nirrrrrr
SSL as a feature usually differentiates between sites that accept online
payments (they need to use SSL on their site's payment form) and those that don't.
Those that accept online payments seem to be able to pay more for a service
than sites that don't accept online payments.

tl;dr sites that need ssl usually can pay more for same service.

------
pwim
I don't see cost as being a counterargument for a SaaS. I paid about $20 for
my certificate, took an hour or so to jump through the signing hoops, serving
assets through cloudfront which charges me pennies, and heroku has $20/month
SSL support. If you can't recover that cost per user through your SaaS, you
have bigger problems.

------
cbs
_Sometimes, we invent buzzword laden “features”_ ... _SLA_

SLAs are buzzword nothings? Man, the naivety is simply oozing out of this
post.

------
petercooper
_Imagine a service that offered you ‘hashed passwords’, ‘encrypted credit card
storage’, ‘backed up data’ or ‘up to date libraries’ if you pay for their
advanced plan. Not cool, right?_

All of those things relate to the security of the _provider_ so you expect
them as standard. SSL, as a customer facing feature, secures data when it's
out on the wilds of the Internet or on the _customer's_ network. It's a bit
like charging extra to offer signed courier delivery instead of USPS.

~~~
rodion_89
I don't quite see "hashed passwords" relating as much to the security of the
provider as it would to that of the customer.

~~~
petercooper
The hashed passwords are stored at the provider, no?

Everything he listed relates to security _at_ the provider, which you'd expect
as standard. SSL merely secures the connection across the Web _to_ the
provider, but not within their system.

~~~
rodion_89
Hashes are stored at the provider, but the fact that they are hashed is what I
am referring to. Hashing itself only protects the user; there is little benefit
to the provider's security.

------
robinduckett
Because certificates cost a lot?

~~~
hahaiamatwork
Because IP addresses are hard to get? Because SSL adds computational overhead?
Because it requires extra staff time to renew certificates? Because storing
keys and even CSRs adds to the security budget and staff training?

Is it just me or is anyone else tired of these blogs on Hacker News? It seems
that anyone who has a website and some time can get their opinion to the top
of the list.

I should try it.

~~~
CJefferson
I think the problem (with Hacker News) is that the front page cycles too
quickly. There just aren't that many informative bits of news, or blog posts,
every day.

~~~
sdfjkl
There is the inexplicably unadvertised news.ycombinator.com/best for a slower
cycle. I prefer it.

~~~
nik_0_0
I was also unnerved by the fast cycling, and looking for something just like
this. Inexplicably unadvertised indeed, thanks!