The great digital certificate ripoff?

digital certificateRipoff: A ripoff (or rip-off) is a bad deal. Usually it refers to an incident in which a person pays too much for something. A ripoff is distinguished from a scam in that a scam involves wrongdoing such as fraud. From Wikipedia.

Digitally signing your software allows you to show that you are the author of the software and that the application hasn’t been tampered with. If your software isn’t signed, Windows displays scary looking warnings when customers download it. So it makes a lot of sense to digitally sign your software if you are distributing it on Windows. So far so good.

Anyone can create their own digital signature, but Windows only ‘trusts’ signatures that have been created by certain third parties. While there are quite a few Microsoft root certificate program members, I am only aware of 3 that sell code signing (‘authenticode’) certificates. This is where it starts to get ugly. Here are their published prices per year:

Verisign: $499.00

Thawte: $299.00

Comodo: $119.95

That seems an awful lot considering that all they appear to do is check a document (e.g. a scan of your certificate of incorporation), check your whois record, multiply a couple of large prime numbers and then send you a certificate file. Much of this process is (or should be) automated. No wonder the founder of Thawte could afford to be one of the first space tourists.

Given that authenticode certificates from these three companies are functionally identical[1], as far as I can tell, why the price difference? It seems even more bizarre when you consider that Verisign now own Thawte. If you had the misfortune to sign up for the Microsoft ‘works with Vista’ program you could get a 1-year Verisign code signing certificate for $99. I doubt they were doing this at a loss, so how can they justify selling the exact same certificate for $499? I would guess that at least 99% of customers will never check who issued a certificate, so it can hardly be due to the power of the brand.

So why doesn’t someone just set up their own certificating authority, get approved by Microsoft, and undercut these 3 companies? Because their root certificate wouldn’t be installed on all the millions of PCs currently out there. It would be worthless until the vast majority of PCs had the new root certificate. What a fantastic lock-in!

The good news is that you can buy Comodo certificates for much more reasonable prices from these resellers:

Tucows: $75 [2]

KSoftware: $85 ($75 for ASP members)

Which rather begs the question – if resellers can make a profit at $75, why are Comodo charging $119? Because they can, I suppose. I emailed Verisign, Thawte and Comodo to ask about the disparities in price. I only received a reply from Comodo:

This [difference between their price and the reseller price] is simply due to Retail Vs Wholesale solutions we offer. Our Resellers commit to a specific program which enables discounted prices allowing them to make margins on the product as they see fit. Whether that be reduced prices, or make a cash profit from the sale.

All 3 companies have had major price hikes in the last few years. With so little competition, why wouldn’t they? So what is Microsoft’s role is in all of this? One would have thought that they would want to keep certificate prices low to encourage their wider adoption. I emailed Microsoft’s PR people to ask about pricing and whether they had any financial interest in Verisign. Here is the response:

1) Why does Microsoft “insist” on VeriSign certificates?

Microsoft Windows Quality Labs only recognizes files that are signed with a Verisign Class 3 Certificate of Authority (COA). Windows Quality Labs is evaluating recognizing other COA’s. There is a USD $399 offer for Class 3 COAs for those partners (IHVs, OEMS, ISVs) – who plan to submit solutions for Microsoft certification. More details are available at http://www.verisign.com/code-signing/msft-organizational-certificates/.

2) Does Microsoft have any comment to make on the disparity in price?

VeriSign also offers a USD $99 Organizational ID certificate. This provides authentication for organizations to Microsoft Windows Quality Labs, providing access to various services, such as creating submission IDs for products to undergo Microsoft testing. This certificate is not valid for signing drivers or executable files.

Information pertaining to Microsoft Investments can be located at the MSFT Investor Relations site, under Investments/Acquisitions: http://www.microsoft.com/msft/default.mspx.

Steve Bell, Senior Product Manager – Server Certification Programs, Windows Server

After a bit of surfing I found this page which says that Microsoft invested in Verisign in 1996. I don’t know how much they invested, but it certainly puts things in a rather different light. So Windows authenticode certificates are effectively controlled by just 2 companies, at least one of whom is part-owned by Microsoft[3]. Companies are in business to make profits, but it seems to me that these companies are using their effective monopoly to take advantage of the situation. I only see the situation getting worse as Windows displays ever more scary warnings for unsigned software. Perhaps this is something government regulators should be investigating. Let’s hope that Verisign don’t buy Comodo as well.

[1] Only Verisign certificates are recognised for some of the Microsoft certification programs, for example x64 Vista driver signing.

[2] You need to register with Tucows to login.

[3] Assuming they haven’t sold their Verisign stock. I am not aware that Microsoft owns any Comodo stock. I haven’t been able to find any further details by Googling.

28 thoughts on “The great digital certificate ripoff?

  1. Peter Gadzinski

    Great post. I’m currently dealing with this situation myself. I’m planning to integrate my software with Quickbooks which requires my code to be digitally signed. I purchased a certificate from Thawte last year. I have to renew and the price has gone up. Why? No stated reason of course. I’m going to check out Comodo. Wasn’t aware of them.

    1. Anymouse

      As if Wikipedia is an authoritative source on the English language, or on any topic, for that matter.

      In this case, Wikipedia is contributing to the continued dumbing down of the English language to accommodate current improper usages and slang.

      Can’t complain too much about Wikipedia, though, because most of the American Dictionaries are regrettably doing the same stupid thing.

      Words have meaning, and precise language conveys precise thoughts and meaning.

  2. Andy Brice Post author

    Jan,

    I hadn’t heard of globalsign. At $229 per year they are positioned between Comodo and Thawte. I couldn’t find out from their website exactly which versions of Windows their certificates are valid for.

  3. fabiopedrosa

    “GlobalSign is a Microsoft approved Certification Authority for Authenticode technology and ObjectSign can be used to sign applications intended to be run on the Windows 9x, XP and Vista operating systems.”

  4. Louis Kessler

    Great article. You told me a few things I didn’t know before.

    Several years ago, I checked out all the Code Signing Vendors. I settled on Comodo and paid them their $99 annual fee. The next year I was kicking myself that I didn’t get it for 3 years, because I found they had raised it to $179.

    I don’t think the price you list for Comodo is correct. I believe it is still $180 for 1 year (down to $167 per year for 3 years). The “$119.95″ link you provide to their Certificate page shows me the prices I was used to, and nowhere do I see the price you state. I

    But first of all, thank you very much for the links to the resellers. I for one will be very happy to pay $75 a year to Tucows. I already use Tucows for their dirt-cheap domain registration.

    Now, with regards to the Microsoft ‘works with Vista’ program: I attempted to sign up with when it had a couple of months left to go. I was ready to go through the work to make my application, still in alpha testing, completely Vista compatible. It would have been painful, but worth it to me to get the Certified for Vista label.

    I already had Comodo as my digital certificate provider. As you know Windows computers recognizes Comodo and treats it as a known commodity. What Microsoft required was a digital certificate to prove —whatever— just so I can join their program. Okay, so that’s not so bad, but JUST TO JOIN their “free-to-join” program, they required I buy that “special” $99 Verisign digital certificate. Comodo wasn’t accepted for this.

    Well, I’m sorry, but that p–ssed me off enough that I sent in my complaints and received the same “sorry, but you need Verisign” answers with no adequate explanation as to why.

    But your little story above, really helps to clarify all this for me. Thank you.

    This was only one of the hoops and barriers in Microsoft’s Vista Logo program. But it was the straw that broke my camel’s back.

    It’s no wonder why Microsoft didn’t get anywhere near the signups they expected for their logo program.

  5. KK

    I am going through the Vista logo certificate pain right now. I can barely swallow the $99 certificate for establishing an account with Winqual. When I asked Microsoft, whether I can use the $99 certificate for Vista Logo Certificate but not Works with Vista program. I have a Comodo digital certificate already. My question wasn’t answered directly and told me to buy the $399 certificate for hardware submission while my product is a software.

  6. Jeffrey Smith

    Thanks for taking the time to post this article. I was about to sign up directly with Comodo for $179.00 until your article pointed me to the tucows.com site where it was discounted to $75.00, saving me $104.00 thanks to you. I had previously been using Thawte for my code signing certificate for which I had paid $109.00 at my last renewal date. This time around, though, they bumped the price 174% to $299.00. When I asked for an explanation, they dropped the price to only a 128% increase or $249.00 (with no explanation). I felt that was outrageous and refused to renew with them I am glad Comodo and tucows are here to keep this market honest.

  7. Logan

    Excellent post, very informative.

    @ Louis: I feel your pain. This is a total sham and we ought to put pressure on Microsoft to alleviate this problem.

    There’s absolutely no justification for requiring a $400 code certificate to qualify for a compatibility logo! Signing has nothing to do with compatibility. I can understand requiring a piece of software BE signed, for the user’s sake, but to require a SPECIFIC (and the absolute most expensive) certificate is a complete and utter outrage.

    Spending this kind of money is not even an option for me. I can barely justify the $75 for a Tucows/Comodo cert, but thank goodness there is this option.

    You would think MS would want to encourage people to meet logo requirements, not scare them away by making it some sort of elites-only club.

    *vent steam*

  8. Mii

    Q:What does Microsoft Vista and Seinfeld have in common?
    A:They both suck!

    and another one:
    Q:Why didn’t Bill recognize that Vista sucks and cannot be sold?
    A:Coz he’s a Mac

    LOOOOL

    Bottomline: Vista does not sell and can only be forced onto the community so they look for other sources of income.

  9. mranalogy

    I tried to purchase a Cert through Tucows a year or so ago and it was a MESS. It partially installed. Then when I tried to finish it got confused by the partial install. Calls to support went unanswered for some time. I was then told to buy it again. Then they didn’t remove the extra cc charge.

    In the end I appealed to a blogger associated with Tucows.

    I’ll try again soon. When I get time.

  10. Pingback: 100 ways to increase your software sales in 2009 « Successful Software

  11. Stephen Cleary

    I’ve used GlobalSign for almost a year now.

    The link in this blog post:

    http://msdn.microsoft.com/en-us/library/ms995347.aspx

    is for code signing for *web pages*. If you want code signing for device drivers (e.g., 64-bit), you need to use one of these companies:

    http://www.microsoft.com/whdc/winlogo/drvsign/crosscert.mspx

    It’s not just Verisign. Most of the cheaper providers are excluded, though; GlobalSign was the cheapest I could find.

    However, a $100 Verisign “organizational certificate” is required to sign up for WinQual unless you have a code signing certificate *through them*.

    I agree, the entire business is a ripoff. I’ve always wondered why Verisign was such a favorite of Microsoft – now I know!

  12. Backazon Online Backups

    Last year, I bought a 1 yr cert from Comodo for $179. It worked great for signing my DLLs, EXEs, and MSIs. Those files were submitted to Microsoft for certification under the ISV program and they passed without problems.

    Thanks to your article, I just visited the Tucows sight and signed up for a 3 year cert for only $195. Thank you so much for sharing your insights!

    After paying Tucows for the cert, I was redirected to a private label version of Comodo where I completed the cert request using basically the same screens I would have used to purchase directly from Comodo.

    While I’ve not gotten the cert as yet, I don’t expect any troubles. If I have any…I will report back. Thanks again!

  13. Pingback: SSL and Code Signing for the Micro ISV | The Agile Micro ISV Blog

  14. Pingback: Why I won’t be bothering with the Windows 7 logo program « Successful Software

  15. softwarecandy

    Isn’t it scary that a company that sells digital certificates has a checkout process with compromised security?

    Case in question: tucows code signing certificates, in the page meant for entering your credit card number and other billing information:

    https://author.tucows.com/checkout.php

    They said they will fix the problem “in the next few weeks”. It’s too late for us, however, so we will have to go with other, more expensive, alternatives.

    Security should not be taken lightly. After all, this is the main reason for code-signing our software.

  16. Cursive Writing - Carol

    Thanks you so much for this post – very helpful! I was only aware of Verisign and that’s out of my league. I noticed that Comodo offer their digital certificate to UK customers like me for GBP119 – that’s equivalent to $185 – how fair is that?

    I’ve ordered a 1yr certificate from Tucows so I’ll see how that goes.

    Thanks again for your help.

    1. softwarecandy

      Carol, we just received a notification of your posting.

      Cost-wise, Tucows offers the best deal — no doubt about that. We would love to purchase our next certificate from them.

      As of now, however, that checkout link (https://author.tucows.com/checkout.php) still triggers the “unencrypted information” warning on the browser.

      We hope that they will fix this problem within the next 7 months. Their pricing is very attractive.

      1. Cursive Writing - Carol

        Yes, not ideal is it? I answered “Yes” to the security warning – “Do you want to view only the webpage content that was delivered securely?” Is this the same as the unencrypted information? Clicking yes disabled the “Sponsor” advert at the top of the page, which seems to be the only issue (I hope!)

  17. Pingback: Tucows/Comodo Code Signing Certificates « Worktime Talk

Comments are closed.