To get some answers, I spoke with Vincent Lynch who is a Senior Security Analyst with The SSL Store - a leading online reseller of SSL certificates. Vincent explained some of the fundamentals of SSL certificates, where the industry is today, and where he thinks the industry is going in the next few years.
Please tell me a little bit about yourself and your background.
I started with the company over three years ago as an intern and have moved up the ladder through customer service, where I gained a lot of front line experience. Through these experiences I learned that there are a lot of misunderstandings in this industry. I have spent the past six months focusing on our blog, in an effort to not only share significant industry news but to also help educate our users and visitors. As a result, I have gained a lot of insight and expertise myself, which I also try to share. We try very hard to keep the blog separate from the business, so that it is objective and truly represents thought leadership.
What exactly is a SSL certificate? Who needs one and why?
An SSL (Secure Sockets Layer) certificate is a key element necessary to get HTTPS support for a web site. At the most basic level, it is a digital certificate which encrypts the data between the user and the web site. SSL certificates also offer varying degrees of validation of the web site and the business behind it. This allows browsers to establish secure connections with web sites and lets users know who you are as a web site/business. Over the past 6-7 years there has been a large focus on moving the Internet to be secure by default. Standard HTTP is totally insecure – HTTPS is the only viable way to have secure browsing.
Why should someone buy a SSL certificate from you if they can get it for free, or for a minimal cost, from their hosting company?
There are several reasons. First of all, SSL is still new to a lot of system administrators and it can often be confusing to configure them. We place a great emphasis on our US-based support team that is available 24x7 to help our customers to prepare for, and to manage, their SSL certificates. We also try to help the users understand what/why they are doing. Some of the free or minimal-cost certificates are valid for only 90 days, which means that they must constantly be renewed – adding additional tasks and confusion. These certificates also only offer the most basic domain-only validation. We offer more advanced certificates as well, where we will do more advanced authentication and vetting of the business. This makes access to web sites even more secure and helps to prevent other threats, such as phishing. In a nutshell, it comes down a greater level of validation and a greater level of support.
Have you see a significant increase in sales since Google announced that it was placing an emphasis on a site supporting HTTPS?
Yes, Google’s emphasis and pushing of HTTPS has certainly moved the needle. We expect this to continue as more and more browsers move in this direction.
I see that you actually offer many different types of SSL certificates. What are the differences between them?
We touched on this earlier, but let me go into a bit more detail. There are two main categories of certificates:
Level of Validation Domain Validated (DV) Organization Validated (OV) Extended Validation (EV) Functionality Single Domain Multi-Domain Wildcard
You then mix and match the level of validation and functionality to get the specific certificate type that you need for your particular needs and situation.
You sell certificates from several different vendors – what are the differences between them?
Yes, if you look at our web site you will see that we sell SSL certificates from the following six vendors: The truth is that the first four vendors on that list are actually just different brandings from NortonLIfeLock, in different markets and at different price points. In terms of encryption, they all adhere to the same standards and do the same thing. The differences are in the validation levels and functionality. Regarding the other two vendors – Certum is a Polish company that uses somewhat different technology to provide digital signatures, for applications such as email, code signing, etc. Comodo is NortonLIfeLock’s biggest direct competitor.
How do you define your market? Who is your specific target audience within that market?
We mainly target resellers, although we do make a good number of direct sales to small businesses. Resellers like to work with us because of the extra attention and support we give them. We can also offer them better pricing than what they could get on their own, due to the fact that we buy in such large quantities from the vendors.
How many active customers do you have today? Where are they mainly located?
We have sold over 500,000 certificates via direct retail and we have a robust channel with over 8,000 resellers, plus enterprise clients and affiliate partners. We service the entire English-speaking world.
How would you describe your current typical customer?
Up until recently it was a lot of IT professionals, or else for smaller businesses an owner or someone on the C-level. Now, with browsers moving to mandate encryption, we’re preparing to have an influx of new customers with far less familiarity towards SSL/TLS.
Who do you see as your main competitors?
There are clearly other large resellers in the industry that compete with us, but we don’t really focus very much on our competitors. We focus on our own strategy and path, although we obviously must keep our prices competitive. I will mention that the various free SSL certificates/services that are available have been disruptive to us, but although they are certainly appropriate in some circumstances, companies generally appreciate the value of paid-for certificates.
How do you see your products as different and/or better than theirs?
We differentiate ourselves in terms of pricing and our extensive support.
How do you see the encryption market evolving in the coming years?
This market is rapidly expanding and growing. The exposure and need for encryption is getting greater every day and this is fueling a period of very high growth. I hope and expect that HTTPS will soon become the default and baseline standard instead of HTTP. There has been more adoption of SSL in the past few years than there had been in the 20 years that the technology has existed. Some of the issues that will need to be addressed in the coming years include the question of the role of validation (of web sites/companies) in SSL certificates and whether validation and encryption should be combined altogether. Another subject of debate is the length of time a certificate is valid before it needs to be renewed. Google recently proposed that a certificate be valid for a maximum of only one year, but that proposal was voted down.
How many employees do you have today? Where are they located?
We currently have three offices. We have 15 employees in our home office in St. Petersburg, Florida, another 5-6 sales people in our EMEA office in The Netherlands, and 40-50 developers and SEOs in our India office.
What are your future plans for The SSL Store?
We have seen some good gains from our blog and overall content strategy, so we will continue to develop that. Today, 30-40% of the traffic to our site is from the blog. We publish three times a week, mainly on encryption related topics. It seems that our content has been very well received and we are having a greater influence in the industry.
As a business, the next big frontier for us is enterprise sales, which needs to be handled differently than reseller sales. We are currently adding and training additional staff in order to be able to better service enterprise clients.
How many hours a day do you normally work? What do you like to do when you are not working?
I usually work a standard 8-hour day, during which I try to balance my time between doing and thinking. I spend a lot of time reading, analyzing, and thinking about industry trends – especially those that are not being paid enough attention. However, even when my day at the office is over, I am always reading and thinking about things in our industry. When I am not working, I enjoy having down-time and hanging out with friends. I also enjoy leather-working and several other random hobbies.