What are the benefits of a more expensive SSL certificate?

A few things. In theory, the better and more expensive SSL providers are supposed to validate who you are in some way and vouch for your identity. This takes time and manual effort and thus costs more.

Traditionally, manual validation (as used by VeriSign, Thawte, Entrust) has been cumbersome, long-winded and expensive for the SSL Provider and therefore the purchaser. Automated validation (as used by GeoTrust and GoDaddy) is faster and more cost-effective, yet does not provide the level of assurance expected by consumers relying on SSL. For example, GeoTrust's QuickSSL Certificates only validate the applicant's right to use a domain name and not the legitimacy of the company itself.

There's also some crazy new type of SSL cert which does "extended validation" and is much MUCH more expensive.

https://www.verisign.com/ssl/ssl-information-center/ev-ssl-certificate/index.html

An EV SSL Certificate gives customers more confidence that they are interacting with a trusted Web site and that their information is secure. An EV SSL Certificate triggers high-security Web browsers to display your organization’s name in a green address bar and show the name of the Certificate Authority that issued it.

The cheaper SSL providers do little to no validation of identity which may or may not matter to you (or your users).

Honestly, when we use SSL it's for the encryption, not for a web of trust.

(One valid reason to pay for a more expensive SSL cert is when it's a wildcard cert so it works on all *.example.com domain websites you may ever have. The regular SSL certs are only good for one specific address.)
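Added example, not part of the original answer: a simplified sketch of how a client matches a certificate's DNS names against a hostname, comparing what a wildcard cert and a single-name cert cover. The function names and sample hostnames are hypothetical, and the matching rules follow the usual RFC 6125 conventions (wildcard as the whole leftmost label, one label only) rather than any particular browser's code.

```python
def cert_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate DNS name (pattern) covers hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard stands in for exactly one label, so label counts must agree.
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    first, rest = p_labels[0], p_labels[1:]
    if first == "*":
        # Reject over-broad names such as "*.com" and wildcards in other labels.
        if len(rest) < 2 or any("*" in label for label in rest):
            return False
        return rest == h_labels[1:]
    if "*" in pattern:
        return False  # partial wildcards like "w*.example.com" are not honoured
    return p_labels == h_labels


def covered(cert_names, hostname: str) -> bool:
    """True if any name listed in the certificate covers hostname."""
    return any(cert_name_matches(name, hostname) for name in cert_names)


# Constructed sample data (hypothetical certificates and hosts).
WILDCARD_CERT = ["*.example.com"]
SINGLE_CERT = ["www.example.com"]
HOSTS = [
    "www.example.com",
    "shop.example.com",
    "example.com",            # bare domain: not covered by the wildcard
    "a.b.example.com",        # two levels deep: not covered by the wildcard
    "example.com.evil.test",  # look-alike suffix: never covered
]


def coverage_report():
    """Map each host to (covered by wildcard cert, covered by single cert)."""
    return {h: (covered(WILDCARD_CERT, h), covered(SINGLE_CERT, h)) for h in HOSTS}


if __name__ == "__main__":
    for host, (wild, single) in coverage_report().items():
        print(f"{host:24} wildcard={wild!s:5} single={single}")
```

The bare domain and deeper subdomains need their own names in the certificate; a wildcard entry alone does not cover them.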


In terms of security there isn't any difference.

What you really buy is the certification's company verification that persuades your customers you are trustworthy. That is why Verisign sells the same services for x10 the amount of others.

Also in higher-priced certificates there is an extra level of verification (where you need to send company verification documents, there is a check for the domain owner if the credentials match etc). And usually they give you a fancier banner to put on your website.

There are also the Extended Validation Certificates (EV) where most browsers make the address bar green and clearly identify your website/company.


I'll just add a comment about ecommerce standard requirements which often come up.

As long as an SSL cert is current and at least 128-bit (and preferably using TLSv1.1 which will be required by 2018) then it is acceptable by Australian PCI-DSS standards (ecommerce), and most ecommerce standards elsewhere, though you would need to check with your local standards body.

And of course, if it is from a trusted CA (Verisign, Comodo, LetsEncrypt, Cloudflare, CAcert, StartCom, WoSign etc.) then the browser automatically accepts it without requiring confirmation.