Extended Validation SSL Certificates: Scam or Vital?
I am very interested in getting opinions from other administrators out there regarding extended validation SSL certificates. I can't really see how they are more useful in protecting an electronic commerce transaction over a "plain old SSL cert".
Taking the most expensive implementation from Verisign to illustrate my point, a standard SSL cert costs $399.00 for a cert that will expire in 12 months. "Upgrade" to a 128-bit only certificate will set you back $995.00. "Upgrading" that standard cert to an Extended Validation cert will cost you $995.00 too, but if you also add on the 128-bit only option to that EV cert, you are looking at almost $1,500.00 USD just to color the address bar green. A $1,200 markup seems like a lot to pay for something that didn't seem to me to be that big a problem in the first place--especially when it could very well (for all I know) be providing nothing more than a false sense of security.
For example, if my browser bar is green, does this mean that I need to no longer worry about making sure that SSLv2 or Null and Weak encryption ciphers are disabled? Something tells me that the answer to this is, "Ummm....No....". So what is it? Are you buying Extended Validation certificates or are you just implementing the strongest possible controls on your site and buying the no-frills cert? Are certificate vendors simply ripping us off by tricking users into looking for the green bar or are these certs doing something magical? Did sales increase drastically for those of you who have implemented them?