By Esther M. Bauer

This article appeared in the December 2005 issue of Web Host Industry Review magazine. Click here to subscribe for free.

January 5, 2006 -- (WEB HOST INDUSTRY REVIEW) -- Web hosting is no longer the business of providing a set of Web site-related services and letting the customer figure out how to make it work. Modern Web hosts know they are in the business of enabling their customers' online operations, whatever those may be, and whatever that might require. Most of the additional tools Web hosts are required to provide are obvious - domain registration; a control panel; a simple site-building tool; basic search engine submission. And some are more complex, such as hands-on development or marketing help.

E-commerce is also one of those obvious requirements. Whether they're selling online or not, e-commerce is an eventual concern for almost any business buying Web hosting services. And along with shopping cart software and payment processing tools, security features have become an obvious add-on to any hosting platform. While it is conceivable that a Web hosting customer would acquire digital certificates from a third party, it is hardly practical. The host in that relationship would be passing on an easy added revenue stream and, ultimately, on a customer who will no doubt move to a more complete provider before long.

Secure Sockets Layer certificates have become a must-have hosting feature, says IDC (idc.com) analyst Melanie Posey, as customers now know to look for the padlock or key symbol in their browser on sensitive pages. The symbol serves as a security seal of approval and signals that the consumer's privacy is protected and it's safe to provide sensitive data, such as a social security number or credit card information.

Packaging SSL offerings with other capabilities creates an offering that Posey terms "online business enablement."

"While SSL is essential," she says, "some of the things around it, such as domain name registration, payment processing, online marketing tools and email, all get bundled and delivered to small businesses as a package. That's how a lot of hosts are moving away from just providing hosting and getting beaten up on price in the process."

While customers may not fully understand the technology behind the encryption protecting their transactions, Web hosts should understand the digital certificate technology, the market and the kind of security they provide to their customers. And at least some study should go into understanding the path of SSL technology, from certificate authority through to the end user.

A certificate authority issues and manages security credentials and public keys for encryption on the Secure Sockets Layer, a protocol developed by Netscape for the secure transmission of messages. Public Key Infrastructure is a complex system for providing keys and certificates that enable the use of encryption - the standards today are 128 and 256 bits. WebTrust.org is the place to explore the principles and criteria set forth for CAs by the public accounting profession.

While cryptography is critical to secure e-commerce, it is not the only requirement. The AICPA/CICA WebTrust Program for Certification Authorities was developed by the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants, and consists of a stringent audit of security measures that CAs must pass for certification.

While an SSL certificate can be vetted by the vendor, or self-signed by the site operator, such security measures, while technically encrypted, skip over the verification aspect of SSL security, and will produce warnings in some browsers. Web hosts looking to partner with a CA must consider the importance of factors like where the vetting takes place, the CA's reputation and whether the authority owns its own root or chains to another provider's root.

"That's just a better way to ensure continuity of business operations," according to  Posey. "As far as long-term stability and reliability goes, it's critical."

Reputation, in particular, still holds some sway in markets like these, where the companies that started in the business still hold significant shares of the market. In the SSL market, like the domain market, VeriSign (verisign.com) is the elder - the first public certificate authority and the oldest provider of SSL certificates. In its 10-year history, the company has issued more than 2.4 million SSL certificates and more than 36 million digital certificates of all types. VeriSign also owns thawte (thawte.com), another CA, but operates it as a separate company and a lower-cost alternative.

VeriSign's program enables hosting providers to make VeriSign SSL certificates available to their own customers. Hosts can offer thawte-branded SSL certificates to their price-sensitive customers, or upsell to VeriSign-branded certificates in order to increase margins among brand-conscious customers. Both brands come with APIs that enable hosts to integrate the certificate system into the hosting provider's interface.

The company offers certificates enabled for the Server Gated Cryptography extension, a technology used by financial institutions that makes it possible for nearly all Internet users to connect at 128-bit or stronger encryption.

"Research published by the Yankee Group in September 2005 indicates that, in the absence of SGC, tens of millions of Web users will connect at dangerously low encryption levels such as 40- or 56-bit," says Tim Callan, group product marketing manager of SSL for VeriSign.

It would appear as though seniority counts for something in the SSL business, where VeriSign says it provides certificates to more than 93 percent of the Fortune 500, 94 percent of the 50 largest e-commerce businesses, and the world's 40 biggest banks. Its high assurance certificates are probably the most expensive in the industry.

However, like the domain market, where lower-cost challengers have taken away some of the dominance that VeriSign once held - Go Daddy surpassed the company as the world's largest domain registrar this summer - a crop of strong challengers has emerged to take up a significant share of the market for SSL certificates as well.

Foremost among those is challengers GeoTrust (geotrust.com), which has grown to be second to VeriSign in size among CAs, largely thanks to its reseller channel. The company's automated vetting and delivery system enables customers to quickly provision certificates 24 hours a day. The company offers resellers the option to buy certificates in bulk or pay as they go, enabling them to get started without much overhead.

The company's QuickSSL Premium certificate is its most popular certificate among partners. GeoTrust makes all its certificates available to resellers, but QuickSSL Premium offers 10-minute provisioning with a dynamically generated site seal.

Certificates can be provisioned by partners through GeoCenter, the company's Web based online partner console, which helps resellers manage their customers' certificate lifestyles. GeoTrust, too, offers an API that enables resellers to integrate its certificates into their hosting environments.

Joan Lockhart, GeoTrust's vice president of marketing, says owning its own root is a sign that the company is a mature competitor in the SSL market.

"Unlike other companies, which issue certificates off chained roots or license roots from third parties," she says, "GeoTrust is able to offer customers a simplified installation process, less maintenance and an assurance of root stability during the lifetime of a certificate."

Each of the CAs in the SSL market seems to have its own angle on the business - as evidenced in the complete-package approach of security company Comodo, a smaller company that offers SSL certificates among a variety of other security services.

Comodo (comodogroup.com) has a global presence for its services in general, with more than 150,000 customers in more than 100 countries. Its Digital Trust Lab provides a selection of hosting management solutions, infrastructure services, e-commerce services, customer privacy and vulnerability management solutions, along with digital certificates. The company's identity and trust assurance business has 3,500 resellers worldwide. It provides its Instant SSL certificates through a partnership with Cyber Trust, using that company's root signing.

One of Comodo's marketing tactics is education. The company operates WhichSSL.com, providing customers with what Comodo says is an accurate description of the services available from each CA.

"Hosting providers need to be aware of the additional services they can provide to their customers," says Steve Roylance, technical marketing director for Comodo. "Simply being a ?me, too' padlock provider is not enough. Our private branding and white labeling programs allow hosting providers to seamlessly provide a range of certificate services, fully extending their branding right down to the SSL certificate itself."

As far as Comodo is concerned, price has been the fundamental difference in the market. An early monopoly by VeriSign enabled that company to charge high prices for its certificates. Comodo says it looked for innovation in its validation techniques and improved its processes to significantly reduce the price point of its certificates.

Distribution is not limited to the certificate authorities, however. Certificates are often issued to smaller providers further downstream by major channel operators like Tucows (tucows.com), an Internet services company that provides back office solutions to more than 6,000 hosts and ISPs, and the largest ICANN-accredited wholesale domain registrar.

Tucows has worked with GeoTrust for four years, issuing SSL certificates through a provisioning system it has integrated with its other services. The company prices on a per-certificate basis to make costs manageable for small hosts moving limited volumes.

"We selected GeoTrust for its brand recognition in the industry, its reputation and its robust provisioning platform," says Kim Phelan, product manager for Web site tools at Tucows.

When selecting a CA partner, says Phelan, hosts should consider whether their clients require certificates very quickly or if they want the full verification of their organization. They should also take into consideration how easy it is to integrate the ordering of certificates into their existing environment.

While the SSL market has obviously matured from its early days, becoming considerably more diverse, its evolution is by no means complete - a reality evidenced by the recent entry of Go Daddy (godaddy.com), a company whose mastery of the mass market enabled it to capture the domain registration lead from VeriSign.

With more than 10 million domains under management, Go Daddy has become the world's largest registrar, and one of the largest Web hosting companies. Noting customers coming to Go Daddy requesting help in acquiring certificates, Go Daddy became a certificate authority about 18 months ago.

The company acquired a trusted root from ValiCert, which had been embedded in earlier versions of Internet Explorer, Netscape, Opera and Mozilla, and built its own certificate authority. A Go Daddy sister company, Starfield Technologies, was formed in April 2003, to deliver SSL certificates for Go Daddy.

The company approached the SSL space with the same set of customer-focused priorities with which it approached domains and hosting: an affordable price point in what it considered an overpriced industry.

"We came in at a price point for a high-assurance certificate of $89.95," says COO Warren Adelman. A one-year 128-bit Secure Site Pro certificate from VeriSign costs $995. The company also offered a domain validation certificate for $29.95.

In 18 months, Go Daddy has captured a little more than 5 percent of the SSL market globally, with customers from the ranks of the Fortune 500 to small businesses. The company has a reseller network numbering 17,000 that is able to offer domain names, SSL certificates, email marketing programs and other services.

"We don't put a lot of requirements on the reseller in terms of understanding the technology behind these certificates," says Wayne Thayer, director of certificate authority and Web security services. He says Go Daddy offers both a Class 3 high assurance certificate and a Class 2 domain validation certificates.

While Go Daddy has proven itself capable of capturing market share through aggressive pricing, other competitors and new entrants to the SSL market are also relying on innovation and new services to make their presence felt.

GeoTrust, for instance, is exploring new offerings with its free TrustWatch search site and toolbar. The browser plug-in displays site verification information - describing whether a site is safe for e-commerce, whether it has been verified by an independent third party, or whether it is a known fraud site.

Innovation and advancing technology is the bulk of the strategy of XRamp, a relatively new entrant to the SSL business.

 

XRamp (xramp.com) became a pure play certificate authority in 2003 after starting life in 2001 as a firewall software provider. Since switching its business model, says CEO Scott Harris, XRamp has become a leading force in SSL technology and policy by being the first to offer 256-bit encryption certificates. He says the company was the first CA to drive the market to 100 percent free reissues of certificates through its automated process.The company places a heavy focus on having a customer-centric philosophy and has worked to develop tools and resources to make it easy for customers to manage their digital certificates. Harris says doing things differently is key to XRamp's business.

"We have a Public Key Infrastructure interface that we call PKI for Everyone," he says. "With other certificate vendors, in order to do PKI you have to buy more certificates. We offer it out to everybody. They can manage all of their certificates in one place. We are the only certificate authority to offer the full-featured PKI, which allows them to renew, revoke or reissue their certificates."

The privately held company has made significant inroads into the SSL space and is used exclusively by Mozilla Foundation, which distributes the Firefox browser, throughout its Web site. XRamp customers span the globe from the University of Singapore to the University of Hawaii, and include a sizable number of government agencies, large corporations, and a variety of smaller shops.

XRamp offers a private-label certificate delivery service that costs a reseller $149 to set up and includes the $128 cost of a high-assurance digital certificate for their site.

Web host HostMySite.com (hostmysite.com) recently began offering XRamp certificates to its customers.

"We chose XRamp as a security partner because the company's technology integrates easily with ours and because XRamp's business philosophy parallels our own," says Lou Honick, CEO of HostMySite. "They provide superior customer service at a great price that's easy for customers to implement."

In early November, XRamp became the first CA to be certified as an authorized security vendor under the VISA Cardholder Information Security Program. The program is a payment card industry consortium of MasterCard, Visa, American Express and Discover that protects sensitive information from being compromised by imposing standards on credit card processors.

XRamp can now work with businesses that maintain cardholder information on their systems to assure they comply with security requirements. It will offer what Harris calls a total transactional security package: selling SSL certificates, handling network security audits; and certifying customers as CISP compliant.

Clearly, there are a variety of options available to a host seeking a partner for the delivery of SSL security, with choice varying according to price, speed of issuing, reputation and philosophy. The only choice not realistically available to a Web host is to avoid the SSL certificate question altogether.

• (0) Comments

Read Back Issues of WHIR Magazine