Ask YC: Why are SSL certificates so expensive?
41 points by andr on March 24, 2009 | 60 comments

This certificate costs $995 per year. If you think about it, there is very little that the issuer does, other than supposedly validate your ownership of the domain. They don't even need to maintain considerable server infrastructure.

So why isn't there any serious competition? Why isn't there a company that issues certificates for $10?

I work for a CA, a large public one.

As someone mentioned - please don't equate the cost of the certificate to buy against the cost of the certificate to produce. Signing costs nothing (well, ignoring the expensive HSMs!).

Most of the cost is performing the vetting/validation. Then there's support costs. Then legal costs (insurance, warranties etc). There's often inherent costs with owning/controlling the root certificates - WebTrust annual audits just to get in the major browsers, plus any fees that some manufacturers charge for root-embedding. Infrastructure costs - CRLs and OCSP responders. CRLs may be tiny files, but we can serve TB a day in a 160KB file :)

Ask any questions - I'll answer as best I can.

Ehm, excuse me but gimme a break.

Owning a CA is a license to print money - it's as simple as that and really no need for excuses.

The costs you cite are dwarfed by the profits.

Vetting/validation and support is a fixed cost (support squad), legal costs can't be too rough (how often is that warranty actually claimed?) and well, cry me a river about the chain of extortion going up the CA chain. Yeah, it's really annoying you can't build your own money-printer, you have to rent it!

Honestly, a tiny bit of math sobers me of any pity: 1 million customers, $100 bucks a year. That's a solid one hundred million bucks annually. That kind of money buys quite a bit of vetting/validation and legal costs. It might even cover your 30T/month crl-traffic. Barely.

I'm not making any excuses. It's just that there's been a lot of discussion about SSL certs the past few months, and I'm willing to bet there's no more than a roomful of people worldwide with the knowledge and experience to understand how to run a CA and the costs associated.

Does your anger extend towards the domain name companies? Webhosts? After all, running on free software and 'cheap' commodity hardware - Dreamhost probably makes the same figures you're talking about, and they don't have a lot of the large up-front and annual costs. Just an example, really.

To address each point: Validation - not a fixed cost. Some can take several real man-hours to complete, and additional costs of access to third-party databases, translation costs. I see it possible to make a loss on some certs purely in validation.

Legal costs - insurance premiums for something this specialised are high, regardless of how many claims made.

CA chaining - as per other comments, you're looking at potentially $50K a year just in audit costs, just to get into the mainstream browsers, with a 5-10 year wait to become ubiquitous enough to be commercially viable. You can pay to get a sub-CA and bypass this step, but it will cost...you can go into 7 figures annually.

Again, I'm not attempting to make excuses. I do agree some certificates are overpriced. I am just trying to show how the CA industry is no more a 'racket' or 'license to print money' than many more of the internet-centric businesses that exist, even though it may seem that way without insight.

Plus, it keeps me gainfully employed :)

It really is a license to print money. That's not an attack though, most SaaS businesses are. What's unique about being a SSL issuer is the relatively low levels of innovation involved. There is little technical innovation, and no time spent thinking about how to design a product that people want. Putting all the pieces together and striking the right deals certainly requires a bit of business savvy, especially to have done it in 1997, but otherwise the business is rather straightforward.

I think part of the hostility towards SSL issuers comes from the seemingly monopolistic pricing structure. As you note, validation is the largest expense. Largely, that only needs to be done once though, so why doesn't the cost drop dramatically in the second year? And it seems clear to most people that the cost of servicing a domain and its subdomains should not be an order of magnitude higher.

If a SSL issuer charged me an upfront service fee representing the cost of validation, then low yearly maintenance fees, and didn't gouge me for subdomains or multiple domains with clearly the same ownership (.com .net), they would have my business forever and my gratitude.

Validation - not a fixed cost. Some can take several real man-hours to complete, and additional costs of access to third-party databases, translation costs. I see it possible to make a loss on some certs purely in validation.

Oh, so if validation is the big factor then why do you make me pay my hundred bucks year after year? Shouldn't it go down to, say, $10 from the second year onwards?

Also I have certified quite a few domains for the same company. Thawte strangely didn't ask us to send n copies of the same paperwork - but still happily charged the full fee for each cert.

Legal costs - insurance premiums for something this specialised are high

Again. Cry me a river. I have no idea how many customers VeriSign and the ilk have but the figure must be in the millions. Assuming an average profit per customer, per year of only $50 (which is probably a low shot) I'm not so worried about your insurance fees.

CA chaining - as per other comments, you're looking at potentially $50K

Wow. Assuming one million customers this is almost half a day's worth of revenue! Indeed, you guys are suffering over there...

Plus, it keeps me gainfully employed :)

I'm not attacking you personally. I just hate being ripped off like that. And it is a rip-off, no matter how you spin it.

Not sure which CA you went with, but we re-validate each time you renew.

I don't know about the premiums or your figures - could be right. The same figures could well apply to many hosting companies though, and they don't have the insurance. Just an example.

I don't believe it's a rip-off anymore. Yes, you can still pay $1000 for a cert. You can also pay $100. Is $100 too much? For something you couldn't make for yourself without several million dollars or 'just' a few hundred thousand and 5+ year wait before being able to use it?

The same figures could well apply to many hosting companies though, and they don't have the insurance. Just an example.

Hosting companies have actual, real expenses, such as hardware dedicated to each customer.

I don't believe it's a rip-off anymore. Yes, you can still pay $1000 for a cert. You can also pay $100. Is $100 too much? For something you couldn't make for yourself without several million dollars or 'just' a few hundred thousand and 5+ year wait before being able to use it?

I don't know what kind of kool-aid you've been drinking but these are the structures that I'm criticizing. That's why I'm calling for legislation. Verisign and friends should be put out of business today rather than tomorrow. They have proven maliciously incompetent for long enough, really.

They should be replaced with one government-operated CA per country. The government has better tools to validate identity than any privately held company anyways.

Moreover this would finally enable Joe Sixpack to make meaningful guesses about which websites to trust. Countries would quickly grow a reputation for certifying scammers or not. Browsers could offer customizable CA ratings where, for example, a site certified by Nigeria triggers a popup warning.

The CAs could further establish multi-country validation for more trust. I.e. "this cert has been signed by USA and France".

None of this is possible with the current oligopoly of "Verisign", "Thawte" and friends. Despite their insane revenue they're not even trying to improve the situation. They're not just slowing progress, they're actively pushing it backwards with brainfarts like those colored address-bars.

All for the sole purpose of making the money-printer run even faster.

The government. Oh yeah great idea. So when you post something critical of the wrong official or say the wrong words on your website your certificate is summarily revoked.

Depends. Some governments (hello China) may indeed do such a thing but if you have such drastic steps taken against you then your SSL certificate is probably the least of your worries.

I'm not saying that this solution would be perfect and yes, most governments don't exactly have a flawless track record of managing, well, anything.

But no matter how screwed an actual implementation would end up - it can't get much worse than what we have now.

Admittedly a government has relatively little motivation to make SSL good. But even that is still better than what we have today with the commercial CAs - those have a strong and frequently proven motivation to make SSL worse!

The anger is because domains cost $10 and SSL Certificates cost $1000.

And you're telling me that companies that have to buy servers (which break, go obsolete, and require power in the meantime), racks, cooling, warehouse space, backup power, and fast and redundant Internet connections, and setup a good way for people to manage their hosting (not to mention support!) "don't have a lot of the large up-front an[d] annual costs"?

They did cost thousands, but the monopoly is no longer and you can get certs for $10 if you hunt. EV ones can cost up to $1000 again, but they genuinely do cost more to issue.

And no, I'm not saying they don't have large costs. You can become a webhost with a couple of co-lo boxes for relatively little cost. You can't do that with a CA.

@moe We all understand what you're saying, but nickf has nothing to do with this thing. Your logic applies better to lots of other companies, but this is Hacker News, so please..

@nickf I will buy an SSL certificate and I need your advice. My needs are: it should not trigger any security alert dialog boxes, and it should support FF, Safari, Opera and IE. That's all. Do those $20 range ones work for me, or what is your suggestion?

One more question: how does insurance work? Merchant accounts also have insurance. Are these the same? Please explain this too.

I've bought numerous certificates in the past and there's rarely been any serious form of vetting. As for the 1 TB / day, I would hope that at $100/client/year you would be able to afford that without even noticing the costs...

Can you give us a breakdown of roughly how much each of those activities costs, or is that private information?

I doubt I can give too much information out publicly, sadly. As for the level of vetting, a lot depends on who you bought it from, and what type of cert.

As for the level of vetting, a lot depends on who you bought it from, and what type of cert

Which is part of the absurdity here. The CAs make us pay ridiculous fees for the validation but can't even protect us from other CAs issuing certs for the same domain.

Why can people like Mike Zusman get certificates for already existing domains, which can then be used for extremely effective phishing attacks? The "verification" is a joke at best, harmful at worst.

There is, you just need to know where to look. GoDaddy has them for $30/year and Namecheap has them for $15/year. I know that the Namecheap RapidSSL cert is single root and at that price, you can't go wrong.

One of the things to note about SSL certificates: don't think you can renew them like you can a domain name. When you renew, you get a new cert that you have to install on your server. So buying multiple years at a time can save you a lot of hassle (and drive the cost per year down).

Many certificate companies have bilked their customers into paying too much, but there is competition. It's just that people change slowly. Plus, if you're, say, Citibank, what are the odds that you're going to quibble over $1,000/year? For many businesses, it just isn't worth the hassle of switching. Even a company that I used to work for used to pay nearly my salary to an outside firm for content management (and they didn't even have a good CMS). So, many companies will just keep paying and it's one of those situations where the markup is more valuable than pushing additional units.

He was looking at wildcard certificate prices. GoDaddy is still $199/year for those, and Namecheap resells RapidSSL wildcard certificates for $148.88. Sure, both of those are way lower than my monthly bandwidth costs, but it isn't exactly commodity pricing.

I think you're missing the point. Wildcards obviously must be more expensive than single-certs because they have those extra 2 bytes in the common name. These bytes don't pay themselves, you know?

In regards to GoDaddy, I've been using retailmenot to get 10-20% discounts on the wildcard certificates I've bought recently.

My understanding is the prices are high because there's an oligopoly. To have competition, all the major browsers would have to agree to let in more companies, and they're just not doing that.

Sorry, but that's incorrect. The major browsers will let you in - you just have to pass all their audits, comply with all their regulations, and commonly have a WebTrust audit....which can set you back mid-$xx,xxx. All browsers/OSs are accepting new roots all the time - check the Mozilla dev lists/Bugzilla and you'll see.

You also have to wait about 5 years before you will have the 99%-99.9% browser support that customers require.

I just bought a RapidSSL wildcard cert through this reseller:


It's a wildcard for $140-ish, which is the cheapest I could find. The wildcard means it works for blah.domain.com, otherblah.domain.com, etc, etc.

Basically there are those "extended verification" certs that give you the green crap in the address bar. Which I don't think users actually care about.

And yeah, the whole SSL business is an insane racket.

I don't know about racket, but you can read my other comments for, I hope, some more insight.

As for the green-bar - I'll admit it's taking some time to get hold, but testing (not just from my CA, but all of them) has shown consumer awareness is increasing and people are inclined to 'trust' the green a bit more.

Mind you, the same users will stick their bank login details on a phishing page with no ssl hosted on some .cn....so what can you do, eh? :)

Sorry, despite my many posts in this thread already I can't resist venting about the green-bar stunt, too.

So, one day the CAs discovered that their regular certification procedure is broken. That the "normal" certs are effectively unfit for their stated purpose.

Am I the only one who would have expected them to go back, properly re-validate their certs and fix the problem that way? Or at least perform this procedure at expiry time?

I mean, I understand that inventing new levels of "secure" (with fancy colors even) is a much more effective way to sell more certs and crank up the prices. But heck, can you think of a comparable stunt in any other industry?

Just imagine a watch-maker who has a problem with water-proofing to invent an "even more water-proof" label instead of fixing their mishap. It would rain tears and lawyers...

You're right - that should have happened. It didn't of course, because the company(-ies) that started the DV issuance didn't want to go back and fix it. As well as that, if the browser/OS people did 'downgrade' the DV certs, millions of customers by that point would be affected. Assuming they cared about the customers and not the heavy pressure to do nothing from....larger CAs.... ;)

Ironically, it gave us Ubuntu.

Care to elaborate?

I will. Mark Shuttleworth made his massive fortune by creating Thawte and selling it to Verisign. He created Ubuntu using that money.

Some CAs do more labor-intensive verification before issuing certs, which may cost them some money, but nowhere near what most are charging these days. Since nobody realistically checks who issued a certificate before trusting a website with one, paying more for stricter verification nets you nothing.

While I probably wouldn't use them for a public-facing certificate on a shopping site that needs 100% browser coverage, StartCom issues certificates for free that are supported by default in at least Safari and Firefox. Very useful for encrypting communications to your backend admin interfaces and such, where you just need to protect yourself rather than your customers. http://www.startssl.com/

since nobody realistically checks who issued a certificate before trusting a website with one, paying more for stricter verification nets you nothing.

The sad part is that the VeriSigns of this world put a lot of money into brainwashing the masses for the next addressbar-color. We have green bars, yellow bars, blue bars... Expect the pink-unicorn-bar any day now (IE9?).

So yes, currently the users are conditioned to look for the padlock only and you can get away with it in most cases. But I wouldn't be surprised if the browser-makers soon get strongarmed into displaying those "unworthy" certs in a less appealing way - cracked padlock, perhaps?

The net result will be more fancy address bar colors and even less understanding for the average user whether the site he's looking at is "secure" by any means or not.

This whole tragedy is one of the rare cases where I'd be glad to see legislation to step in. Free market is just not working here, on so many levels.

If you just need certs for in-house use, make your own. You can do that for free.

Also: I'll do a shameless plug here. If anyone here on HN needs a cert, or just advice on setting one up, what to buy - I'm more than happy to help (even if you don't get one of ours!). I'll certainly do what I can discounts-wise.

I'm a techie, not a marketeer-o-naut.

Email on my user profile.

First, never buy a GeoTrust certificate directly from GeoTrust. They charge their MSRP, but all their resellers charge less than the MSRP. For example, you can buy that same exact certificate through Trustico for half the price (scroll down): http://www.trustico.com/products/truebusinessid/true_busines...

Second, if you want a wildcard cert that works with mobile browsers, Verisign and Geotrust are your only options for the next few years. After that, prices should drop considerably as newer devices ship with many more root certs than older ones.

It looks like they are even cheaper at this reseller: https://www.servertastic.com/

Oops, I think I gave the multi year price and the GP quoted the single year price. The prices are actually identical at $499 for 1 year. Sorry.

Of course, if you can pay, I would recommend buying as long as you can anyway. Refreshing SSL certs every year gets real old, real quick.

Use Servertastic - https://www.servertastic.com/. They're basically the cheapest and best.

If it's a personal site or you're on a really strict budget, get RapidSSL. It's a single cert, non chained, cheap enough. A wildcard is $149 a year which will serve most needs well. However, there's one important caveat - mobile phone browsers suck and you will have difficulties with them using a RapidSSL cert. Long and miserable experience there, trust me.

If you care about mobile browsers, or your few remaining strands of hair, you need GeoTrust, which bumps the price up. "TrueBusinessID" is the one you need, $114 for a single or $499/yr for the wildcard.

For both of these, the prices are lower for multiple years, of which you should probably buy as many as you can afford. Refreshing SSL certs is a nasty fiddly process and unless you are on a really low budget it is probably best to eat the upfront cost and buy 5 years out.

In answer to your question, why aren't there any other options - well, because they were there first and their cert is everywhere and that's the price they want. Simple as that. Sucks but here we are. At least $499 is less than $995.

(I am not affiliated with Servertastic in any way, shape or form other than as a satisfied customer)

(edited to correct prices, i'd put the multi year discounts instead of single year prices. sorry!)

Thanks, you just saved me $50.

As I commented below I accidentally gave the multi year price. Probably didn't save anything. Sorry!

Trustico wants $149.00 for a 1-year True BusinessID cert. Servertastic is only asking $114.00. So, you still saved me at least $35.

I don't understand why people still try to correlate value to difficulty of producing something. That was never the case, especially in a service economy, or else we wouldn't have people on the entire gamut of wealth.

Pro sports players don't get paid per effort dedicated, but by the amount of value they generate. You can complain about baseball players making millions all you want, but in the end, they sustain a huge economy surrounding sports.

If SSL certificates were pennies (which is in essence what it takes to generate them), then they would lose almost all value they provide. They need to be somewhat expensive to not dilute the amount of valid certs. But that is superficial; authorities take on responsibility of verification and they assign their own name behind the validity of a third party. That's valuable.

The amount of value you provide, less transaction costs, represents the maximum that you can charge for a product or service even if you are a monopoly (and there are no viable substitutes).

In a market economy, competition drives prices down towards the product's marginal cost to produce. Consumers then get to keep the 'excess' value delivered. The lower price also brings in consumers for whom the product delivers less value.

So when you have a product, like SSL certificates, where the marginal cost of production is nearly zero, it is fair to ask why the certificates aren't nearly free.

(And since the certificates are not free, and so the providers seem to be printing money, we have to ask how all of us missed out on this business.)

Although the production costs are free, the maintenance costs (both short and long term) to make the certificates have any worth to purchasers is very significant.

What are those maintenance costs that you speak of?

Ignoring wages, hosting, DR site maintenance, general business costs etc, the other maintenance costs I can see over other SaaS/webhosting/domain businesses (which are similar):

mid $xxxxx/mo for CDN hosting
mid $xxxxx startup for the hardware (you can't store keys on disk)
mid $xxxxx annually for audit (that's the simple cost to get it done, nothing to do with performing it - manpower, expenses, rectification of any issues) [Sometimes multiplied for various other compliances/audits around the world]

It's like this: Webhosting - you can pay $100 a year for mid-to-low-end hosting. You could probably do it yourself from your ADSL line, or a cheap co-lo, right? Save a few bucks.

SSL - you can pay $100 a year. Or, unlike hosting/SaaS, even becoming your own domain-reg...you're looking at the above costs, plus waiting with your thumbs up your ass for 5+ years before you can do anything. Still paying, too. You could bypass the wait, shell out for the hardware and then pay 6-7 figures to get a subCA and issue immediately. Rip-off? Not as clearly as you think.

When there's a large gap between an item's marginal cost and value to consumers, producers who capture a large amount of the difference are considered lucky or evil. This is an advantageous meme for consumers, and nearly everyone sees more individual consumption transactions than production transactions, so it's not going to go away, no matter how much more we drill people in economics.

"They need to be somewhat expensive to not dilute the amount of valid certs."

I don't understand you. The validity of a cert isn't dependent on its cost, though as you note, steps taken to ensure validity drive up cost. In any case, virtually no one is served by getting a more expensive cert these days, now that $50 and lower certs are available and just as trusted by browser manufacturers. The original idea that cert providers would verify actual identity has given way to the idea that certs only verify that the encryption really comes from the website itself, rather than some middleman. There's a place for business identification, but it's hard to do cheaply. Actually, it's hard to do at all, in a global marketplace.

I've seen a lot of certificate issuers for $15/year, so I have a different question: Why the price difference? Are the cheap ones just as useful as the expensive certs?

Here we go:

There's essentially 3 types of certificate:

DV - Domain Validation. The cheap, automated ones. Certs contain no more than the domain name they're issued to, and the whole process is automated.

OV - Organisational Validation. The original 'standard' of certs, that most CAs issued until a few years back. Domain ownership checked, business checked (for legal existence and verified address).

EV - Extended Validation. The new 'green bar' standard. Lots of hoops to jump through - agreements, legally-notarised letters, checking of business existence with local govt. & third parties, phone number verification, verification that the person requesting the cert actually has the right to do so....and so on.

The question then becomes: why?

The OV and DV sadly appear the same to the user. A few years back, one CA decided to issue the certs purely based on domain checking. Automation = cheap certs = big, fast market share. It took, they made money. Then a time came to do something about the DV certs (ie making the browser chrome show them as 'less' secure or similar). By this time, the big boys in the CA world had acquired the company and had a pretty penny invested in the DV certs not becoming the red-headed stepchild.

So the CAs and the browser and the OS people invented EV. There's still talk that DV will be 'downgraded' one day, but we'll see.

Other types: Wildcards as someone mentioned will cover unlimited subdomains of the domain they're issued to (traditionally certs are for single FQDNs). Then we've got the new UCC for MS Exchange/OCS which has multiple, unique FQDNs in a single cert. Then you've got client & email certs, code-signing, and more :)
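As an added example (this is not code from the thread, nor from any CA or reseller named in it), the following Go program does what the earlier "make your own for in-house use" comment suggests and illustrates the certificate types listed in the comment above: it builds an in-house root, issues a leaf whose Subject Alternative Name carries a wildcard plus the bare domain, and verifies it against the root the way a browser would. The org parameter shows the only on-the-wire difference between a DV-style and an OV-style subject; nothing here vets the organisation, which is the labour a public CA charges for. It also demonstrates the point raised earlier about other CAs issuing certificates for the same domain: a second, unrelated root is rejected until it is added to the trust store, and then its certificate for the same host verifies just as well. All names (example.internal, the organisation string, serial numbers) are assumed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// InHouseCA is a self-signed root plus its private key. The key is held in
// memory for illustration only; keep a real root key offline or in an HSM.
type InHouseCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewInHouseCA generates a root key and self-signs a CA certificate for it.
func NewInHouseCA(name string) (*InHouseCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &InHouseCA{Cert: cert, Key: key}, nil
}

// IssueServerCert signs a leaf for the given DNS names, placed in the Subject
// Alternative Name extension (the list clients actually match against).
// An empty org yields a DV-style subject (name only); a non-empty org yields
// an OV-style subject. No vetting of org happens here: that is the manual
// work a public CA does and this in-house issuer deliberately skips.
func (ca *InHouseCA) IssueServerCert(dnsNames []string, org string, serial int64) (*x509.Certificate, error) {
	if len(dnsNames) == 0 {
		return nil, errors.New("at least one DNS name is required")
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	subject := pkix.Name{CommonName: dnsNames[0]}
	if org != "" {
		subject.Organization = []string{org}
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      subject,
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyForHost does what a browser does: chain the leaf to one of the given
// trusted roots and match host against the leaf's names. nil means accepted.
func VerifyForHost(leaf *x509.Certificate, host string, roots ...*x509.Certificate) error {
	pool := x509.NewCertPool() // empty pool, never the system store
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

func main() {
	ours, _ := NewInHouseCA("Example In-House Root")
	// A wildcard covers exactly one label, so the bare name must be listed too.
	leaf, _ := ours.IssueServerCert([]string{"*.example.internal", "example.internal"}, "", 2)
	for _, h := range []string{"admin.example.internal", "example.internal", "a.b.example.internal"} {
		fmt.Printf("%-24s -> %v\n", h, VerifyForHost(leaf, h, ours.Cert))
	}
	// Any root in the trust store can issue for any name.
	other, _ := NewInHouseCA("Unrelated Root")
	rogue, _ := other.IssueServerCert([]string{"admin.example.internal"}, "Some Org Ltd", 3)
	fmt.Println("rogue, our root only      ->", VerifyForHost(rogue, "admin.example.internal", ours.Cert))
	fmt.Println("rogue, both roots trusted ->", VerifyForHost(rogue, "admin.example.internal", ours.Cert, other.Cert))
}
```

Run it with `go run`. The three name checks show that `*.example.internal` matches `admin.example.internal` but not `a.b.example.internal`, and that `example.internal` passes only because it is listed explicitly; that is why a wildcard alone covers neither the bare domain nor nested subdomains. The last two lines show the trust model the earlier comment complains about: the leaf from the unrelated root fails with an unknown-authority error until that root is trusted, after which it is accepted for the same host.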

"The OV and DV sadly appear the same to the user."

AFAICT, OV and DV certs appear differently in the newest versions of every browser. Usually OV certs are blue and DV certs are white where EV certs are green.

Wildcard certs are more expensive because they cover any and all subdomains. (The perception is that they "do" more, so the price is hiked. I have not the expertise to know whether the issuer actually has to do more, or it's just a bit of a racket.)

The other difference is High-Assurance certs, which involve someone from (for example) GoDaddy calling your business-use land-line phone (which is required) and verifying some information, if I recall correctly.

Other than that, as far as I can tell, you're paying for the opportunity to put some silly seal on your site, bearing the name of whatever company of theoretically good repute, to make your users feel safe from the conniving, thieving, drooling hackers lurking behind each form button.

They all give you that little padlock icon in the user's browser. When a user hovers over the padlock with mine they see "Verified by: GoDaddy.com"

Is a purse from K-Mart as useful as one from Gucci? For holding stuff: yes. For impressing people how cool, important, reliable you are: maybe not.

I only paid $15 for my "K-Mart" certificate which covers both <mydomain>.com and www.<mydomain>.com

I am guessing, but there might be high legal liability for SSL issuers so they offset the costs to the customer.

Can anyone point to a case where a SSL issuer has been sued successfully?

There isn't one. I very much doubt there ever will be.

Godaddy has one for $30

The URL to which the original poster points is to a wildcard certificate. GoDaddy's cheapest wildcard offering is $199.99/yr. https://www.godaddy.com/gdshop/ssl/ssl.asp

That's still 1/5th the cost of the prices he's getting.

And to be fair, his specific question referred to "SSL Certificates", not "Wildcard SSL Certificates".

Because a company the size of Verisign isn't just one guy at a shell prompt generating keys for customers.

Trust is expensive. It's probably the most expensive thing you can buy in modern society. A thousand bucks is a deal, if you ask me.

Except that Verisign has shown itself repeatedly to be the least trustworthy of all its competitors, for most of its major businesses.
