

GoDaddy SSL Cert Scam - dchest
http://rentzsch.tumblr.com/post/7471141866/godaddy-ssl-cert-scam

======
ilikepi
Timely...

At work we use RapidSSL (a division of GeoTrust) for a handful of certs. Last
night I received an email with a banner warning me, "Your certificate is ABOUT
TO EXPIRE". The email goes on to list the expiration date as "Oct 12, 2011".
Four months is certainly generous notice, but I've always taken this as a
simple marketing attempt to maintain customer loyalty.

Usually I take these emails as tickler reminders and delete the first couple.
When I eventually decide it's time to renew, I pull up the site by typing the
URL into the browser. Upon reading this article, I wondered whether following
the link in the email would result in a different pricing structure. As it
turns out, the answer is yes, though after playing around, it doesn't appear
to have anything to do with the email link.

The first page of RapidSSL's order form handles both new orders and renewals
with a pair of radio buttons. Another section of the form allows you to
specify the validity period from one to five years. The prices appear
alongside the choices, and are currently the same for both initial orders and
renewals.

First I visited "www.rapidssl.com" and clicked the "buy/renew" link for a
single domain cert. I got an order form with the following prices for 1-5
years:

49, 86, 122, 159, 196

Then I pasted the link from the email (which contains a fairly simple query
string that does not appear to have a unique identifier in it) into a
different browser. I clicked the "buy/renew" link for a single domain cert, I
get the same form with the following prices:

79, 138, 198, 257, 316

It's interesting to me that the difference in price actually increases as the
validity period increases:

30, 52, 76, 98, 120

Still more interesting, after resetting the browser and pulling up
"www.rapidssl.com" directly, the prices are completely different:

29, 51, 72, 94, 116

I tried the email link one more time and got the 49-86-122 pricing again. Then
I tried it one more time and got 19, 33, 48, 62, 76. So clearly RapidSSL is
varying their prices on the fly, presumably to gain insight as to what people
are willing to pay. I was ready to claim the link in the email yielded higher
prices, but that seems not to be the case. So I guess after all that, this
isn't particularly interesting. I'll definitely hit the site a few times when
it comes time to purchase though.

Unfortunately the pricing structure for a wildcard certificate never seemed to
vary.

~~~
dpapathanasiou
You might be interested to know they're even cheaper when purchased through a
reseller, e.g.:
<http://www.namecheap.com/ssl-certificates/geotrust-ssl-certificates/rapidssl-certificate.aspx>

I suppose they think that since you're visiting their site directly, you
wouldn't think (or know) to visit one of their reseller partners instead.

~~~
SoftwareMaven
Most vendors who have channel partners don't want to compete with them, but
they don't want to leave sales on the table, either. For bigger ticket items,
the company generally sends you directly to a channel partner; for smaller
ticket items, the company will often sell the item at "list" price and let the
channel partners discount off of list.

Pretty standard operating procedure here and highly unlikely to be a comment
on their customers' web savvy. :)

------
fomojola
HAHAHAHA. Well, it actually gets worse. If you cancel the auto renewal, then
go into Google and search for "ssl certificate" you'll get a wonderful ad (at
the very top) that is for $12.99 (with the quote "why pay more"). You can then
buy that cert and it gives you the exact same thing as the renewal (admittedly
a bit more work, but is the convenience of auto-renewal really worth $37?).

Been doing this for the last 3 years: they are TRULY retarded for using such a
scheme but hey! It catches some people, so I guess tactics like that got them
the $2bn "investment" from the friends at Silver Lake.

~~~
keltex
Exactly. Disable auto-renew for all your GoDaddy products! Thankfully GoDaddy
explains how to do this:

<http://help.godaddy.com/article/1042>

------
gst
I never understood why GoDaddy has such a monopoly-like status - even in the
startup scene. I've only used their services once (because someone transferred
a domain to me and preferred to do this as a GoDaddy-internal transfer), but the
first thing I did was transferring the domain to another registrar (the one
that I typically also use for my other domains).

Reasons why I wouldn't use GoDaddy:

GoDaddy is not really one of the cheapest registrars.

I find their pricing "tactics" (as also mentioned in the article) very
questionable.

Their whole website isn't just really appealing to me (I know, very
subjective).

~~~
Shenglong
What's cheaper than GoDaddy? All my .com and .net domains end up costing me
$7.49. I'd love to know...

~~~
sjs
Cheap until you get roped into an auto-renewing thing with 3x the price you
first paid. Why support a company like that? It's so slimy. Your cheap domains
are effectively subsidized by GoDaddy preying on others.

~~~
Shenglong
Did you know the majority of car insurance firms (in the UK at least) will
ramp up renewal prices by a few % each year? I did sales for one such company
a few summers ago, and we were told this was intentional - and if someone
calls in, and complains, we just offer them the new sign-up price.

I use GoDaddy because I manually renew all my domains at the same price as I
signed up for. I agree their UX is awful, and they're not the most "good"
company in the world... but it serves me for what I want out of a domain
provider!

Renewal price hiking is a common practice... you just need to be a smart
shopper if you want to save money!

------
wccrawford
'Scam' is a really strong word and denotes an illegal action.

While these are shady practices, they are not illegal.

And the 1-month ahead renewal is not shorting you of a month. It's preventing
you from getting into a situation where your cert expires because your CC
details were invalid and it took too long to replace them. It also gives you
time to configure your server, etc.

They are hardly the first company to offer a different initial price than the
renewal, either. I hate that tactic, and watch for it, but it's not even
unethical unless they don't tell you about it.

~~~
dlikhten
I'm sorry I must disagree. It's not a scam in the classical sense but it is
one. It's like the real-estate sites that ask for a credit card and a free
trial, to cancel you must CALL between 3-4pm on a Wednesday when their lines
are busy AND they promptly close doors at 4pm or you will get charged
perpetually.

However GD can offer whatever they want. HOWEVER this is deceptive marketing
AND I am fairly sure you can take em to courts over this.

~~~
mnutt
If the real-estate sites really make it impossible to cancel, why not call
your credit card company and get them to issue a chargeback?

~~~
dchest
It was meant as an example of "scam"; your question is irrelevant to the
discussion.

------
onomojo
I had the exact same thing happen to me. One of many reasons why I've not only
stopped using GoDaddy for myself but also why I've decided to REFUSE to work
with them for my clients. If my clients use GoDaddy, they can either get off
GoDaddy or find another developer. Sometimes you have to force morality upon
those without. :P

------
CoffeeDregs
Okay, I use godaddy for domains and DNS. Never had a problem with them. But
these 'godaddy sucks' posts and the godaddy buyout are starting to worry me.
Who would you recommend as a replacement for registration and DNS?

~~~
jeffbozek
Shameless plug. My new startup Coffee & Domains does domain registration, free
private whois, and DNS control for $10 per year.

<https://www.coffeeanddomains.com>

~~~
MetallicCloud
Any plans to allow purchases from Non-US countries?

I just tried to buy a domain but can't fill out the form.

~~~
decadentcactus
Really? Damn. I was considering trying someone new for domain management and
put this on the list.

------
sandaru1
Any recommendations on where to buy a good ssl certificate?

~~~
pja
<http://www.startssl.com/> will give you a free ssl certificate for a single
domain (actually, they'll give you one that covers a domain plus a single
subdomain). Handy if you want to set up your own mailserver somewhere: the root
certs are in all the main browsers & mail clients. You'll need to have your
(web|mail)server serve up the intermediate cert as well as the leaf cert which
can be a slight pain to set up, but apart from that it all works just fine.

~~~
qjz
The root cert is not in early versions of Android, due to a bug. I'm not sure
when that was fixed. Unfortunately, you can't update root certificates in
these versions.

~~~
pja
Are there any phones out there that can't be at least updated to Froyo now,
whether officially or not?

If you're geeky enough to want your own ssl cert then you're geeky enough to
root your phone & install CyanogenMod.

~~~
qjz
I can't update my users' phones for them. Just pointing out that users stuck
on older versions of Android, for whatever reason, may run into problems with
the free cert. In the mail client, it will work if "TLS (if available)" is
checked, but that's a departure from what other mail clients mean by that
option.

~~~
pja
If you check that then won't those users be using an unencrypted connection?

------
powertower
Domains are GoDaddy's loss-leader.

All profits come from cross-selling, up-selling, and shady tactics.

A registrar that has sold 1 million domains at $10/year price, and does
nothing else, is one that will make at most about $25,000/year in profit max
after various costs (reg fees, support, etc), but more likely will be in the
hole.

I stopped blaming GoDaddy a long time ago. This is just the nature of the
game.

------
jbyers
The author's first point is incorrect.

GoDaddy doesn't take a month off the length of the cert. They do start sending
you reminders 60 days ahead that say your cert needs to be renewed in 30 days,
but you get your full extra year. I've had the pleasure of doing this dozens
of times for our certificates, the last thing we buy from GoDaddy after moving
our domain business elsewhere.

------
vidyesh
Never liked GoDaddy's service. There are several reasons why. So moved to
namecheap.

But the point here is GoDaddy by default puts all your services on
auto-renewal. I am a bit paranoid over what goes on in my accounts (especially
PayPal) so I had disabled the auto renew when I saw it.

Talking about price hike, that's a marketing strategy. You usually don't get
coupon codes for renewals (if you do get, those are usually for bulk
renewals). These service providers always lure you to register at special prices so
you stick with them forever and in this case it auto renewed :\

About the cert. expiration, that seems a bit odd but better talk to GoDaddy
Support, they would help you out.

------
jonathanjaeger
Same thing would have happened to me but my credit card on file expired.
Talked to customer service and was never charged. Despite some of the obvious
disadvantages of using GoDaddy, I've always gotten great customer service from
them.

------
hughesdan
Was the start date of the renewal term synced to the end date of the expiring
term? If so it doesn't sound so shady to me. It seems logical that they would
notify you and confirm your desire for a renewal prior to the end of the
previous term rather than wait until the absolute last moment, especially with
something like an SSL cert.

I'm not saying GoDaddy isn't shady. And they certainly are aggressive with
their auto-renew policies. Heck how do you think they afford Superbowl ads and
Danica Patrick at the prices they charge :) But the experience you described
doesn't sound like a scam to me.

------
winternett
The same thing happened with a Network Solutions hosting plan I had. They
auto-renewed me when I had over one month before renewal. Their service had
been horrible on Drupal sites. Just the DNS resolution to my hosting account
was taking 2-3 seconds. I enlisted an up-time monitoring service and found
that my site was down frequently even while I was paying for this renewal I
did not want. Shame such a dominant company in the 90s has basically laid the
road map for shady hosting.

~~~
wladimir
Yes, Network Solutions is also terrible. I still have a domain with them, and
it takes five clicks just to get to the DNS management interface. Every step
in the way they try to make as unclear as possible by flashing banners and
shiny buttons in your face to get you to buy more of their services.

------
plasma
Another "scam" I associate with GoDaddy is that when you pick to pay for the
Whois Privacy protection, you also get a 'Business Registration' fee added
(like $5/year or something trivial).

All this fee does is list your domain name or something similar in a
GoDaddy-run business directory -- useless.

It's an extra charge they hope you don't notice, and it's only added to your
cart when you add Whois Privacy protection.

You need to remove it from your cart afterwards.

------
jeromeparadis
I also use GoDaddy because they are cheap and it does the job. For DNS, I use
DNS Made Easy because it's never a good idea to have your DNSes at your
registrar (if you ever need to move).

The trick with GoDaddy, don't check the box to leave your credit card with
them. You'll then have to manually renew all services and you never run into
the risk of forgetting to uncheck some auto-renew option...

------
layzphil
I don't really see the problem here. GoDaddy products can be had very cheaply,
they are so cheap with coupon codes they probably potentially make very little
per sale.

All insurance companies work the same way, try hard to get a new customer,
milk them dry on the tail end because they are too lazy to search out a better
deal.

------
unreal37
This isn't really a scam. I have dozens of domains with GoDaddy, as well as
some of their other services. "How can I get the cheapest price" is a game we
all play with them. Revision3 has a handy page with GD discount codes, and
I've been referring to that page for years. I am helping keep Digg in business
from the affiliate fees.

Can we agree the "auto-renew" was not scammy? They didn't rip you off a year.
Just reminding you 60 days early as they should.

Can we agree it's not shady or unethical to charge different prices for 1st
year versus a higher price for subsequent year renewals? Or different prices
for different people, in some type of A/B test? Everyone does that. Even
amazon.com shows different prices to different people.

Can we agree their customer support was really helpful to you?

So what's the problem exactly?

~~~
lukeschlather
It's unethical to charge someone one price for a recurring service and then
more than triple the price, in an opt-out fashion.

If you raise prices, you need to do your due diligence to make sure your
customers are aware they're paying more. This kind of a price increase should
really be opt-in rather than opt-out.

~~~
BlazingFrog
I totally agree with you. The same thing happened to me with another
registrar/hosting company (ipage). Hosting for a year went from around $50 to
over $100 with auto-renew. I did receive an email notifying me of the upcoming
renewal but no price was included in the email. When I confronted them after
the fact they told me that the information was on their home page where it
says something to the effect of "Hosting only $50/year" and then right
underneath in small print "(save 50%)". Maybe I should have assumed that
saving 50% now meant I would be charged twice as much the next time but I
guess I'm not that bright. Also, when asked for an explicit price list in a
chat session, they gave me a link to a page buried in the FAQ to which, they
acknowledged, you couldn't get directly in any easy way.

I guess they're all the same.

~~~
msbarnett
> I guess they're all the same.

Gandi has been nothing but ethical in my dealings with them.

You don't have to deal with the abuses of the godaddys of the world, you just
have to be willing to pay a bit more to support companies that aren't out to
fuck you over.

------
jivejones
I had the same problem, signed up last year, set it up a month later and now
I'm getting time to renew emails. Also although it's 'easy' to disable the
auto-renew I've had products that still renewed after disabling the
auto-renew.

------
hippich
For anyone who needs SSL certificate without perks, consider free one from
<http://www.startssl.com/>

It does not offer strong encryption and does not do personal identification
(obviously - it is free), but it is a very cost-effective solution to have
<https://> on your website to prevent eavesdroppers from sniffing traffic.

(not sure if it is enough for e-commerce, like google checkout tho)

Now you have no excuse to not have <https://> in your website where people
enter their passwords =)

------
apedley
The $12.99 price is a special price and always has been. You can still find
discount codes and apply it to them when you renew to get it at the same
price.

Godaddy can be insanely cheap if you never auto renew and always manually
renew with discount codes.

Though yes you need to get off Godaddy. As do I. Just waiting for a little
more revenue from my site to move to Rackspace Cloud :)

~~~
cosgroveb
Sale prices that are always in effect are not "special" prices.

------
WettowelReactor
This makes me happy that we decided to go with Digicert. Although not the
cheapest their customer service is above par. We just got a renew (not
auto-renew) notice 60 days from expiration. Not only were they offering a 15%
discount on renewal but for every day early we renew we get 2 days added to
the new cert. I.E. renew 60 days early on a 12 month cert and they give us 14
months.

------
mancjew
Thanks you just saved me $70 bucks, I got charged extra for one year already
and they didn't refund me after I complained.

------
phil
So obviously they should disable auto-renew by default and start emailing you
the day before expiry, right?

Except that's nuts -- many of their customers' certs would lapse before they
renewed. That's so bad that most sites should even put up with the extra 30
bucks to reduce their risk.

------
frankdenbow
They auto-renewed some auction service for $75 that I have never used or heard
of. Really sick of Godaddy

------
lamnk
It's well known that domain/hosting companies often offer great discounts for
first year/payment, then charge full price later. For example, Godaddy's
$1.99 .info or Namecheap's free first year Privacy Guard or Gandi offers a
free domain with their SSL cert.

------
asciilifeform
All SSL certs are a rent-seeking scam.

Pay the protection money, get a string of bits which cost the vendor _nothing_
to produce. Or choose between zero security or users' browsers whining about
"self-signed certificate" every time they visit your site.

------
Metapony
I know people who work for GoDaddy and the confusing website is part of the
upsell. That GoDaddy would screw people with SSL certificates is no surprise.

My requirements for hosting are always "Anyone but godaddy."

~~~
po
I used to have an "Anyone but godaddy" policy. Then I ended up with some names
at eNom and they just emailed me my password. Now I'm shopping around to move.

------
richcollins
Same thing happened to me for a $200 dollar cert. I complained through their
support ticket system and they issued me a refund.

------
follownicholas
Luckily if you pay via credit card then you are always protected, if you file
a credit card chargeback.

------
desaiguddu
Screw you GoDaddy!

------
RyanKearney
> I called GoDaddy Support this Sunday afternoon. While it was a long distance
> call, I only had to wait about a minute to reach a person in their Billing
> Department. They were happy to refund me the $49.99 after I deleted the cert
> and sent me the instructions to disable auto-renewals I linked to above.

This times 1000

I experienced this exact same issue. I was pretty pissed to say the least but
I called, got a human in about 60 seconds, and they refunded me as well as
told me how to disable auto renew. I see no problem here.

~~~
pavel_lishin
> I see no problem here.

Really, you don't see a problem with their "better ask forgiveness than
permission" tactic?

~~~
citricsquid
> Really, you don't see a problem with their "better ask forgiveness than
> permission" tactic?

uh, isn't that what PG and all the other people here _constantly_ say is what
you should do in business?

~~~
samdk
Not with my money. You taking my money without specifically asking means that
I will never, ever do business with you again. (And that I'll specifically
warn other people against dealing with you.)

"It's better to ask forgiveness than permission" is not a universal truth to
be applied to every aspect of startups/tech work. It _is_ often a good idea
when there's a lot of bureaucratic red tape and/or you need to get approval
from other people about things. This is a very different situation: you're
charging your customers ~4x more than they originally paid for something
automatically. Are there other companies that do this sort of thing? Sure.
Maybe it makes sense financially, but it's not a good way to treat your
customers.

~~~
elehack
I might generalize that to say that "better to ask forgiveness than
permission" just doesn't apply to customer relations.

------
aneth
Godaddy is the only place I've found "Extended Validation" certs at a
reasonable price - $99 instead of $499+. I hate their website and cross-selling,
but I do appreciate as the author points out that they have people you can
call - how many registrars have that?

Are there any alternatives for EV certs that are not a ripoff?

~~~
waterside81
How arduous was the EV process? What did you have to provide as proof? I tried
to go down this route with Comodo and it was a colossal waste of time. The
documents they require would make the FBI blush.

------
AltIvan
Use PayPal guys. All those auto-renew things get 100% visible on your PayPal
dashboard so it's pretty easy to remove them all.

------
PaulHoule
Complain all you like but it seems at any given time I'm working for at least
one organization that is running an expired SSL certificate on a server I need
to use. More of these organizations should be using auto-renew.

~~~
dchest
Auto-renew won't automatically set up a renewed certificate on your server.

