
I'm not making any excuses. It's just that there's been a lot of discussion about SSL certs the past few months, and I'm willing to bet there's no more than a roomful of people worldwide with the knowledge and experience to understand how to run a CA and the costs associated.

Does your anger extend towards the domain name companies? Webhosts? After all, running on free software and 'cheap' commodity hardware - Dreamhost probably make the same figures you're talking about, and they don't have a lot of the large up-front and annual costs. Just an example, really.

To address each point: Validation - not a fixed cost. Some can take several real man-hours to complete, and additional costs of access to third-party databases, translation costs. I see it possible to make a loss on some certs purely in validation.

Legal costs - insurance premiums for something this specialised are high, regardless of how many claims made.

CA chaining - as per other comments, you're looking at potentially $50K a year just in audit costs, just to get into the mainstream browsers, with a 5-10 year wait to become ubiquitous enough to be commercially viable. You can pay to get a sub-CA and bypass this step, but it will cost... you can go into 7 figures annually.

Again, I'm not attempting to make excuses. I do agree some certificates are overpriced. I am just trying to show how the CA industry is no more a 'racket' or 'license to print money' than many more of the internet-centric businesses that exist, even though it may seem that way without insight.

Plus, it keeps me gainfully employed :)




It really is a license to print money. That's not an attack though, most SaaS businesses are. What's unique about being an SSL issuer is the relatively low level of innovation involved. There is little technical innovation, and no time spent thinking about how to design a product that people want. Putting all the pieces together and striking the right deals certainly requires a bit of business savvy, especially to have done it in 1997, but otherwise the business is rather straightforward.

I think part of the hostility towards SSL issuers comes from the seemingly monopolistic pricing structure. As you note, validation is the largest expense. Largely, that only needs to be done once though, so why doesn't the cost drop dramatically in the second year? And it seems clear to most people that the cost of servicing a domain and its subdomains should not be an order of magnitude higher.

If an SSL issuer charged me an upfront service fee representing the cost of validation, then low yearly maintenance fees, and didn't gouge me for subdomains or multiple domains with clearly the same ownership (.com .net), they would have my business forever and my gratitude.


Validation - not a fixed cost. Some can take several real man-hours to complete, and additional costs of access to third-party databases, translation costs. I see it possible to make a loss on some certs purely in validation.

Oh, so if validation is the big factor then why do you make me pay my hundred bucks year after year? Shouldn't it go down to, say, $10 from the second year onwards?

Also I have certified quite a few domains for the same company. Thawte strangely didn't ask us to send n copies of the same paperwork - but still happily charged the full fee for each cert.

Legal costs - insurance premiums for something this specialised are high

Again. Cry me a river. I have no idea how many customers VeriSign and their ilk have but the figure must be in the millions. Assuming an average profit per customer, per year of only $50 (which is probably a low shot) I'm not so worried about your insurance fees.

CA chaining - as per other comments, you're looking at potentially $50K

Wow. Assuming one million customers this is almost half a day's worth of revenue! Indeed, you guys are suffering over there...

Plus, it keeps me gainfully employed :)

I'm not attacking you personally. I just hate being ripped off like that. And it is a rip-off, no matter how you spin it.


Not sure which CA you went with, but we re-validate each time you renew.

I don't know about the premiums or your figures - could be right. The same figures could well apply to many hosting companies though, and they don't have the insurance. Just an example.

I don't believe it's a rip-off anymore. Yes, you can still pay $1000 for a cert. You can also pay $100. Is $100 too much? For something you couldn't make for yourself without several million dollars, or 'just' a few hundred thousand and a 5+ year wait before being able to use it?


The same figures could well apply to many hosting companies though, and they don't have the insurance. Just an example.

Hosting companies have actual, real expenses, such as hardware dedicated to each customer.

I don't believe it's a rip-off anymore. Yes, you can still pay $1000 for a cert. You can also pay $100. Is $100 too much? For something you couldn't make for yourself without several million dollars, or 'just' a few hundred thousand and a 5+ year wait before being able to use it?

I don't know what kind of kool-aid you've been drinking but these are the structures that I'm criticizing. That's why I'm calling for legislation. Verisign and friends should be put out of business today rather than tomorrow. They have proven maliciously incompetent for long enough, really.

They should be replaced with one government-operated CA per country. The government has better tools to validate identity than any privately held company anyway.

Moreover this would finally enable Joe Sixpack to make meaningful guesses about which websites to trust. Countries would quickly grow a reputation for certifying scammers or not. Browsers could offer customizable CA ratings where, for example, a site certified by Nigeria triggers a popup warning.

The CAs could further establish multi-country validation for more trust. I.e. "this cert has been signed by USA and France".

None of this is possible with the current oligopoly of "Verisign", "Thawte" and friends. Despite their insane revenue they're not even trying to improve the situation. They're not just slowing progress, they're actively pushing it backwards with brainfarts like those colored address-bars.

All for the sole purpose of making the money-printer run even faster.
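The mechanics behind the proposal above, as an added example in Go that is not from this thread and does not describe how any commenter or real CA operates: a sub-CA that chains to an existing root (the "pay to get a sub-CA" route nickf mentions earlier), cross-signing so that one sub-CA key carries certificates from two national roots ("this cert has been signed by USA and ..."), and a browser-side trust store that rates each root's country and warns when no signer clears a threshold. Only Go's standard crypto/x509 package is used. The country names, "Acme Sub-CA", the hostnames, the 0-10 ratings, MinRating and the Issue/Assess/Scenario function names are all invented for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Anchor is a hypothetical browser trust-store entry: a national root CA plus a user-set rating (assumed 0-10 scale) for its country.
type Anchor struct {
	Country string
	Cert    *x509.Certificate
	Rating  int
}

// MinRating is an assumed policy: warn unless some signing country is rated at least this.
const MinRating = 5

var serial int64 // serial-number counter for this toy CA

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// Issue signs a certificate for cn bound to key: a cert-signing CA when isCA, else a TLS server leaf. A nil parent
// means self-signed (a root). Signing one CA key under several parents yields cross-signed intermediates.
func Issue(cn string, isCA bool, key *ecdsa.PrivateKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	serial++
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	if !isCA {
		t.DNSNames, t.KeyUsage, t.ExtKeyUsage = []string{cn}, x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// Assess builds every valid chain from leaf to an anchor in store and returns the signing countries, their best rating, and whether to warn.
func Assess(leaf *x509.Certificate, intermediates []*x509.Certificate, store []Anchor, host string) ([]string, int, bool, error) {
	opts := x509.VerifyOptions{DNSName: host, Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	byRoot := map[string]Anchor{}
	for _, a := range store {
		opts.Roots.AddCert(a.Cert)
		byRoot[string(a.Cert.Raw)] = a
	}
	for _, c := range intermediates {
		opts.Intermediates.AddCert(c)
	}
	chains, err := leaf.Verify(opts) // one chain per trusted root the leaf can reach
	if err != nil {
		return nil, -1, true, err // no path to any national root, expired, or hostname mismatch
	}
	signers, best := []string(nil), -1
	for _, chain := range chains {
		a := byRoot[string(chain[len(chain)-1].Raw)]
		signers = append(signers, a.Country)
		if a.Rating > best {
			best = a.Rating
		}
	}
	return signers, best, best < MinRating, nil
}

// Scenario builds two constructed national roots, a sub-CA cross-signed by both, and two leaves; every name and rating is invented.
func Scenario() (acme, cheap *x509.Certificate, inters []*x509.Certificate, store []Anchor) {
	usKey, ngKey, subKey := newKey(), newKey(), newKey()
	usRoot, ngRoot := Issue("USA Government Root CA", true, usKey, nil, nil), Issue("Nigeria Government Root CA", true, ngKey, nil, nil)
	subUS := Issue("Acme Sub-CA", true, subKey, usRoot, usKey) // one sub-CA key, two issuers
	subNG := Issue("Acme Sub-CA", true, subKey, ngRoot, ngKey)
	acme = Issue("shop.example", false, newKey(), subUS, subKey)
	cheap = Issue("cheap.example", false, newKey(), ngRoot, ngKey) // issued straight from the low-rated root
	return acme, cheap, []*x509.Certificate{subUS, subNG}, []Anchor{{"USA", usRoot, 8}, {"Nigeria", ngRoot, 2}}
}

func main() {
	acme, cheap, inters, store := Scenario()
	fmt.Println(Assess(acme, inters, store, "shop.example"))   // both countries, best 8, no warning
	fmt.Println(Assess(cheap, inters, store, "cheap.example")) // Nigeria only, best 2, warning
}
```

Cross-signing (one intermediate key certified by more than one root) is already how CAs bootstrap trust in a new root, so the multi-country idea needs no new certificate format; the part that does not exist today is the browser-side policy in Assess. Verify returns every chain it can build, so a leaf reachable through two national roots reports both countries, while a certificate that only chains to a low-rated root still verifies cryptographically and is merely flagged. A wrong hostname, an expired certificate or a root missing from the store fails outright with an error, which the browser should treat separately from a low rating.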


The government. Oh yeah great idea. So when you post something critical of the wrong official or say the wrong words on your website your certificate is summarily revoked.


Depends. Some governments (hello China) may indeed do such a thing but if you have such drastic steps taken against you then your SSL certificate is probably the least of your worries.

I'm not saying that this solution would be perfect and yes, most governments don't exactly have a flawless track record of managing, well, anything.

But no matter how screwed an actual implementation would end up - it can't get much worse than what we have now.

Admittedly a government has relatively little motivation to make SSL good. But even that is still better than what we have today with the commercial CAs - those have a strong and frequently proven motivation to make SSL worse!


The anger is because domains cost $10 and SSL Certificates cost $1000.

And you're telling me that companies that have to buy servers (which break, go obsolete, and require power in the meantime), racks, cooling, warehouse space, backup power, and fast and redundant Internet connections, and set up a good way for people to manage their hosting (not to mention support!) "don't have a lot of the large up-front an[d] annual costs"?


They did cost thousands, but the monopoly is no longer and you can get certs for $10 if you hunt. EV ones can cost up to $1000 again, but they genuinely do cost more to issue.

And no, I'm not saying they don't have large costs. You can become a webhost with a couple of co-lo boxes for relatively little cost. You can't do that with a CA.


@moe, we all understand what you're saying, but nickf has nothing to do with this thing. Your logic applies better to lots of other companies, but this is Hacker News, so please..

@nickf, I will buy an SSL certificate and I need your advice. My needs are: it should not trigger any security alert dialog boxes and it should support FF, Safari, Opera and IE. That's all. Do those $20-range ones work for me, or what is your suggestion?

One more question: how does insurance work? Merchant accounts also have insurance. Are these the same? Please explain this too.



