
some CAs do more labor-intensive verification before issuing certs which may cost them some money, but nowhere near what most are charging these days. since nobody realistically checks who issued a certificate before trusting a website with one, paying more for stricter verification nets you nothing.

while i probably wouldn't use them for a public-facing certificate on a shopping site that needs 100% browser coverage, startcom issues certificates for free that are supported by default in at least safari and firefox. very useful for encrypting communications to your backend admin interfaces and such where you just need to protect yourself rather than your customers. http://www.startssl.com/




since nobody realistically checks who issued a certificate before trusting a website with one, paying more for stricter verification nets you nothing.

The sad part is that the VeriSigns of this world put a lot of money into brainwashing the masses for the next addressbar-color. We have green bars, yellow bars, blue bars... Expect the pink-unicorn-bar any day now (IE9?).

So yes, currently the users are conditioned to look for the padlock only and you can get away with it in most cases. But I wouldn't be surprised if the browser-makers soon get strong-armed into displaying those "unworthy" certs in a less appealing way - crackled padlock, perhaps?

The net result will be more fancy address bar colors and even less understanding for the average user whether the site he's looking at is "secure" by any means or not.

This whole tragedy is one of the rare cases where I'd be glad to see legislation step in. Free market is just not working here, on so many levels.


If you just need certs for in-house use, make your own. You can do that for free.



