Why are code signing certificates so expensive?
-
Is there a reason you can't use Let's Encrypt[^] or Cloudflare[^]?
Pete O'Hanlon wrote:
Is there a reason you can't use Let's Encrypt[^] or Cloudflare[^]?
Good question, and one I had earlier. SSL certificates for websites are not the same as code signing certificates. Neither of them offer code signing certificates, only SSL certificates for website https use.
-
I understand that there were changes to minimum key size for code signing certificates that increased from a minimum 2048 bits to a new minimum 3072 bits on June 1, 2021, and a need to put the certificate/token on a compliant hardware device (such as a USB stick). The sites I visited ask anywhere from USD$90 to $USD$299 for the USB stick (which sots about USD$3 or less). Does it cost that much to make batches of USB sticks compliant? I cannot imagine that. In past years, I paid less than USD$100 for a 2-year code signing certificate (I use them on my NuGet packages). Now it is USD$300 or more. Per year. And if I opt for multi-year to lower that price by a little, they don't bill once a year for the committed amount. They bill for every year up front. For an individual developer putting out open-source binaries (like NuGet packages or some other app), that is prohibitively expensive. If anyone has more insight on why the huge price jump for just making the key length longer and providing a cheap USB stick, I'd love to hear it. Thanks
It's the most mind blowing profitable business racket: let me sell you a number! Certificates are essentially a number and there is no chance of running out of them. Now they don't even sell those; they lease them for a year. Isn't that genius?
Mircea
-
It's the most mind blowing profitable business racket: let me sell you a number! Certificates are essentially a number and there is no chance of running out of them. Now they don't even sell those; they lease them for a year. Isn't that genius?
Mircea
-
I get what you're saying, but surely you realize it's not just the "number" they sell you; it's the whole trust chain that has to be in place before yours can be trusted.
I know, but it's still funny. Reminds me of that game: "You say a number. If I say a bigger number I win." :)
Mircea
-
I understand that there were changes to minimum key size for code signing certificates that increased from a minimum 2048 bits to a new minimum 3072 bits on June 1, 2021, and a need to put the certificate/token on a compliant hardware device (such as a USB stick). The sites I visited ask anywhere from USD$90 to $USD$299 for the USB stick (which sots about USD$3 or less). Does it cost that much to make batches of USB sticks compliant? I cannot imagine that. In past years, I paid less than USD$100 for a 2-year code signing certificate (I use them on my NuGet packages). Now it is USD$300 or more. Per year. And if I opt for multi-year to lower that price by a little, they don't bill once a year for the committed amount. They bill for every year up front. For an individual developer putting out open-source binaries (like NuGet packages or some other app), that is prohibitively expensive. If anyone has more insight on why the huge price jump for just making the key length longer and providing a cheap USB stick, I'd love to hear it. Thanks
The verification part is quite extensive, if done properly. My previous employer had code signing certificates: The issuer demanded lots of official documentation as a proof that the company was the one it claimed to be, it required phone numbers that they could call to specific persons and ask them for a secret password etc. etc. Lots of this verification could not be automated, but required a lot of manual work. You are not paying for the USB stick, but for the work of verification that you are you. (They may have been doing a lot of checks that you never noticed or knew about.) Maybe there are certificate authorities that are a lot more sloppy/lenient in their verifications. But as an authority, they have a great responsibility, comparable to that of a passport office. Your passport is a proof of your identity, guaranteed by the passport office. The code signing is a proof of the code's source, guaranteed by the certificate authority. An email certificate doesn't prove much: It proves that the mail originates from one who received the certificated sent to address someone@somedoma.in. Nothing about the person, organization etc, only the mail address, which is implicitly verified by the certificate being sent to this email address. All can be done automatically, with no manual operations. So an email encryption certificate should be very cheap, or free.
-
The verification part is quite extensive, if done properly. My previous employer had code signing certificates: The issuer demanded lots of official documentation as a proof that the company was the one it claimed to be, it required phone numbers that they could call to specific persons and ask them for a secret password etc. etc. Lots of this verification could not be automated, but required a lot of manual work. You are not paying for the USB stick, but for the work of verification that you are you. (They may have been doing a lot of checks that you never noticed or knew about.) Maybe there are certificate authorities that are a lot more sloppy/lenient in their verifications. But as an authority, they have a great responsibility, comparable to that of a passport office. Your passport is a proof of your identity, guaranteed by the passport office. The code signing is a proof of the code's source, guaranteed by the certificate authority. An email certificate doesn't prove much: It proves that the mail originates from one who received the certificated sent to address someone@somedoma.in. Nothing about the person, organization etc, only the mail address, which is implicitly verified by the certificate being sent to this email address. All can be done automatically, with no manual operations. So an email encryption certificate should be very cheap, or free.
That makes sense. But since the one who issued my previous code signing certificate did that already, the renewal cost should be a lot lower.
-
I understand that there were changes to minimum key size for code signing certificates that increased from a minimum 2048 bits to a new minimum 3072 bits on June 1, 2021, and a need to put the certificate/token on a compliant hardware device (such as a USB stick). The sites I visited ask anywhere from USD$90 to $USD$299 for the USB stick (which sots about USD$3 or less). Does it cost that much to make batches of USB sticks compliant? I cannot imagine that. In past years, I paid less than USD$100 for a 2-year code signing certificate (I use them on my NuGet packages). Now it is USD$300 or more. Per year. And if I opt for multi-year to lower that price by a little, they don't bill once a year for the committed amount. They bill for every year up front. For an individual developer putting out open-source binaries (like NuGet packages or some other app), that is prohibitively expensive. If anyone has more insight on why the huge price jump for just making the key length longer and providing a cheap USB stick, I'd love to hear it. Thanks
It would defeat the purpose if they were cheap or free, etc. I would hope that the money is justified by a detailed verification process. I mean, I'm sure they could be a bit cheaper... but something like $20 is just no bueno. That being said, eventually the block chain will make all of this moot. People are still wrapping their heads around that tech and only associate it with crypto. But, mark my words... more use cases be coming.
Jeremy Falcon
-
I understand that there were changes to minimum key size for code signing certificates that increased from a minimum 2048 bits to a new minimum 3072 bits on June 1, 2021, and a need to put the certificate/token on a compliant hardware device (such as a USB stick). The sites I visited ask anywhere from USD$90 to $USD$299 for the USB stick (which sots about USD$3 or less). Does it cost that much to make batches of USB sticks compliant? I cannot imagine that. In past years, I paid less than USD$100 for a 2-year code signing certificate (I use them on my NuGet packages). Now it is USD$300 or more. Per year. And if I opt for multi-year to lower that price by a little, they don't bill once a year for the committed amount. They bill for every year up front. For an individual developer putting out open-source binaries (like NuGet packages or some other app), that is prohibitively expensive. If anyone has more insight on why the huge price jump for just making the key length longer and providing a cheap USB stick, I'd love to hear it. Thanks
-
I understand that there were changes to minimum key size for code signing certificates that increased from a minimum 2048 bits to a new minimum 3072 bits on June 1, 2021, and a need to put the certificate/token on a compliant hardware device (such as a USB stick). The sites I visited ask anywhere from USD$90 to $USD$299 for the USB stick (which sots about USD$3 or less). Does it cost that much to make batches of USB sticks compliant? I cannot imagine that. In past years, I paid less than USD$100 for a 2-year code signing certificate (I use them on my NuGet packages). Now it is USD$300 or more. Per year. And if I opt for multi-year to lower that price by a little, they don't bill once a year for the committed amount. They bill for every year up front. For an individual developer putting out open-source binaries (like NuGet packages or some other app), that is prohibitively expensive. If anyone has more insight on why the huge price jump for just making the key length longer and providing a cheap USB stick, I'd love to hear it. Thanks
Been through a process mere weeks ago. The price looks more the effort for the audit rather than the USB stick. They checked everything and we needed to update our data to prove we are who we say we are. They checked the email address provided and called the phone number we provided. They checked several databases that have data of our company. It was a cumbersome, tedious and frustrating process :-)
V.
-
I understand that there were changes to minimum key size for code signing certificates that increased from a minimum 2048 bits to a new minimum 3072 bits on June 1, 2021, and a need to put the certificate/token on a compliant hardware device (such as a USB stick). The sites I visited ask anywhere from USD$90 to $USD$299 for the USB stick (which sots about USD$3 or less). Does it cost that much to make batches of USB sticks compliant? I cannot imagine that. In past years, I paid less than USD$100 for a 2-year code signing certificate (I use them on my NuGet packages). Now it is USD$300 or more. Per year. And if I opt for multi-year to lower that price by a little, they don't bill once a year for the committed amount. They bill for every year up front. For an individual developer putting out open-source binaries (like NuGet packages or some other app), that is prohibitively expensive. If anyone has more insight on why the huge price jump for just making the key length longer and providing a cheap USB stick, I'd love to hear it. Thanks
The reason anything costs the purchaser what it does has almost nothing to do with how much it costs to produce or support. As a business, you charge what the market will bear, not what it costs you + markup.[1] Microsoft has presumably done the research and found that by raising the price of certificates by 200% produces more income than by raising it by 5% (or whatever inflation is). If you are selling widgets that cost $1 to produce, but the market wants to pay $100 for it, why on earth would you sell it for $1.25? [1] I'm an independent contractor and consultant, and I never give an hourly rate. I prefer to give fix-fee quotes because then I can charge what I think the client is willing to pay. If what they are willing to pay is too little, then it's better that I don't take the job. If the problem that they want me to solve is worth $10k to them, they don't feel bitter if I solve it in a day. IOW, I charge what the market will bear. It's also why, even as an ex Staff Engineer at a FAANG, I don't do work for tech companies - they say "we need a Go programmer for two weeks, and this is what Go programmers make, so that is what we are prepared to pay". A non-tech company doesn't even know what a Go programmer is, but they say "We want a system to do $FOO. How much?".
-
Been through a process mere weeks ago. The price looks more the effort for the audit rather than the USB stick. They checked everything and we needed to update our data to prove we are who we say we are. They checked the email address provided and called the phone number we provided. They checked several databases that have data of our company. It was a cumbersome, tedious and frustrating process :-)
V.
> It was a cumbersome, tedious and frustrating process For you, yes (I have to go through it every three years), but not for them. They are all geared up to do it. The way I see it is that the requirement for these fancy new dongles has been used as an excuse for a massive price hike. Perhaps competition will bring these inflated prices down, but don't hold your breath. I should add, btw, that there are two types of certificate, OV (for individuals) and EV (for companies). The level of proof of identity required for EV certificates is higher, so I can understand why they cost more, but OV certificates have also gone up in price by a factor of about 3 since I last bought one. Colour me p!ssed off. ----- Edit: Oooo, just found this: https://www.ssl.com/certificates/code-signing/buy/ That's by far the cheapest price I've seen since the new dongles came in. Seems too cheap, I wonder they're any good.
Paul Sanders. If I had more time, I would have written a shorter letter - Blaise Pascal. Some of my best work is in the undo buffer.
-
Been through a process mere weeks ago. The price looks more the effort for the audit rather than the USB stick. They checked everything and we needed to update our data to prove we are who we say we are. They checked the email address provided and called the phone number we provided. They checked several databases that have data of our company. It was a cumbersome, tedious and frustrating process :-)
V.
In my case, a single person business, it took a month of grit and irritation. It seemed that the org in question had never had a Dutch request, I had to explain that the verified pdf I sent was sufficient proof of my business being registered by the proper authorities; that after they kept asking every time more outlandish evidence without saying why. I'm 100% sure that in my case the money did not cover the effort ;P
-
> It was a cumbersome, tedious and frustrating process For you, yes (I have to go through it every three years), but not for them. They are all geared up to do it. The way I see it is that the requirement for these fancy new dongles has been used as an excuse for a massive price hike. Perhaps competition will bring these inflated prices down, but don't hold your breath. I should add, btw, that there are two types of certificate, OV (for individuals) and EV (for companies). The level of proof of identity required for EV certificates is higher, so I can understand why they cost more, but OV certificates have also gone up in price by a factor of about 3 since I last bought one. Colour me p!ssed off. ----- Edit: Oooo, just found this: https://www.ssl.com/certificates/code-signing/buy/ That's by far the cheapest price I've seen since the new dongles came in. Seems too cheap, I wonder they're any good.
Paul Sanders. If I had more time, I would have written a shorter letter - Blaise Pascal. Some of my best work is in the undo buffer.
I looked on that site, and I appreciate that you took the time to look and post it. But you either pay $20/month extra, or $249 for a USB stick. So, the lower certificate price is offset by the cost of the delivery method.
-
The verification part is quite extensive, if done properly. My previous employer had code signing certificates: The issuer demanded lots of official documentation as a proof that the company was the one it claimed to be, it required phone numbers that they could call to specific persons and ask them for a secret password etc. etc. Lots of this verification could not be automated, but required a lot of manual work. You are not paying for the USB stick, but for the work of verification that you are you. (They may have been doing a lot of checks that you never noticed or knew about.) Maybe there are certificate authorities that are a lot more sloppy/lenient in their verifications. But as an authority, they have a great responsibility, comparable to that of a passport office. Your passport is a proof of your identity, guaranteed by the passport office. The code signing is a proof of the code's source, guaranteed by the certificate authority. An email certificate doesn't prove much: It proves that the mail originates from one who received the certificated sent to address someone@somedoma.in. Nothing about the person, organization etc, only the mail address, which is implicitly verified by the certificate being sent to this email address. All can be done automatically, with no manual operations. So an email encryption certificate should be very cheap, or free.
I am an IT Manager. My department produces OEM software among other "normal" IT tasks. Our software is used to create USDA inspection data. We are required by the government IT Modernization mandate to maintain a Code Signing Certificate in addition to regularly scanning our code for security weaknesses and vulnerabilities. We use AppScan for our code scanning and GlobalSign for our CSC's. My point is that in some instances, there is an absolute requirement to obtain and maintain the Code Signing Certificates as well as code scanning. Without the Code Signing Certs, Windows Defender, AVG, and the other AV software will either disallow installation and operation, or even delete the files outright at times. Yes it is expensive, but is a cost of doing business for some of us.
-
I understand that there were changes to minimum key size for code signing certificates that increased from a minimum 2048 bits to a new minimum 3072 bits on June 1, 2021, and a need to put the certificate/token on a compliant hardware device (such as a USB stick). The sites I visited ask anywhere from USD$90 to $USD$299 for the USB stick (which sots about USD$3 or less). Does it cost that much to make batches of USB sticks compliant? I cannot imagine that. In past years, I paid less than USD$100 for a 2-year code signing certificate (I use them on my NuGet packages). Now it is USD$300 or more. Per year. And if I opt for multi-year to lower that price by a little, they don't bill once a year for the committed amount. They bill for every year up front. For an individual developer putting out open-source binaries (like NuGet packages or some other app), that is prohibitively expensive. If anyone has more insight on why the huge price jump for just making the key length longer and providing a cheap USB stick, I'd love to hear it. Thanks
Our state (Germany) emits ID cards with chips to uniquely verify my identity with readers connected to the PC. Could be easy to establish a code signature instance based on these personal identifications (Only if our country wants digital progress :) )? I'm sure other at least european countries have similar mechanisms ...
-
The verification part is quite extensive, if done properly. My previous employer had code signing certificates: The issuer demanded lots of official documentation as a proof that the company was the one it claimed to be, it required phone numbers that they could call to specific persons and ask them for a secret password etc. etc. Lots of this verification could not be automated, but required a lot of manual work. You are not paying for the USB stick, but for the work of verification that you are you. (They may have been doing a lot of checks that you never noticed or knew about.) Maybe there are certificate authorities that are a lot more sloppy/lenient in their verifications. But as an authority, they have a great responsibility, comparable to that of a passport office. Your passport is a proof of your identity, guaranteed by the passport office. The code signing is a proof of the code's source, guaranteed by the certificate authority. An email certificate doesn't prove much: It proves that the mail originates from one who received the certificated sent to address someone@somedoma.in. Nothing about the person, organization etc, only the mail address, which is implicitly verified by the certificate being sent to this email address. All can be done automatically, with no manual operations. So an email encryption certificate should be very cheap, or free.
ok, that makes sense RE: paying for all the work to do the manual verification etc, but that doesn't address why they charge the same year in year out. why not a lower fee for successive years. If your going to buy a new cert and you get all the verification done, your not going to change much of what was verified every year. You MIGHT have a slight change in staff rotation, but that could be handled by getting the old person to get in touch, provide the existing password or whatever, then hand over to the new person. In my mind $300 for the first year (Because of all the work) then $100 per year continuous after that, with perhaps a re-verification once every 5 years or something similar.
-
I understand that there were changes to minimum key size for code signing certificates that increased from a minimum 2048 bits to a new minimum 3072 bits on June 1, 2021, and a need to put the certificate/token on a compliant hardware device (such as a USB stick). The sites I visited ask anywhere from USD$90 to $USD$299 for the USB stick (which sots about USD$3 or less). Does it cost that much to make batches of USB sticks compliant? I cannot imagine that. In past years, I paid less than USD$100 for a 2-year code signing certificate (I use them on my NuGet packages). Now it is USD$300 or more. Per year. And if I opt for multi-year to lower that price by a little, they don't bill once a year for the committed amount. They bill for every year up front. For an individual developer putting out open-source binaries (like NuGet packages or some other app), that is prohibitively expensive. If anyone has more insight on why the huge price jump for just making the key length longer and providing a cheap USB stick, I'd love to hear it. Thanks
Here's a radical idea: somebody thought it would be a good idea to monetize it. Someone won't like me to say this, but in my opinion, it's a scam, and the whole certificate structure is just so-much nonsense that has zero-utility as it essentially does nothing except to add a placebo effect of software safety.
-
Here's a radical idea: somebody thought it would be a good idea to monetize it. Someone won't like me to say this, but in my opinion, it's a scam, and the whole certificate structure is just so-much nonsense that has zero-utility as it essentially does nothing except to add a placebo effect of software safety.
Story as old as government maybe? Make something required by law, hard to compete in because of regulation/approval, and then jack the price up. It's basically how we ended up with insane insulin prices. They'll literally kill people to make a bit more money. Inconveniencing a business or individual for some hokey false sense of security? That's kiddie stuff.
-
I understand that there were changes to minimum key size for code signing certificates that increased from a minimum 2048 bits to a new minimum 3072 bits on June 1, 2021, and a need to put the certificate/token on a compliant hardware device (such as a USB stick). The sites I visited ask anywhere from USD$90 to $USD$299 for the USB stick (which sots about USD$3 or less). Does it cost that much to make batches of USB sticks compliant? I cannot imagine that. In past years, I paid less than USD$100 for a 2-year code signing certificate (I use them on my NuGet packages). Now it is USD$300 or more. Per year. And if I opt for multi-year to lower that price by a little, they don't bill once a year for the committed amount. They bill for every year up front. For an individual developer putting out open-source binaries (like NuGet packages or some other app), that is prohibitively expensive. If anyone has more insight on why the huge price jump for just making the key length longer and providing a cheap USB stick, I'd love to hear it. Thanks
It's the work they do to verify your (enterprise) identity. That's what is meant by EV ("Enterprise Validation") certs. As opposed to DV ("Domain Validation") certs, which are freely available and commonly used for SSL/TLS on the web. I really wish Windows would support DV certs, for code-signing. I get that it's not as strong, but it seems like 90% of games apps and tools out there don't have any signing at all.. surely DV signing would be better than nothing. :/
-
I looked on that site, and I appreciate that you took the time to look and post it. But you either pay $20/month extra, or $249 for a USB stick. So, the lower certificate price is offset by the cost of the delivery method.
OK, thanks. I thought there might be a catch. I think the USB stick is something you only have to pay for once though (so when you renew, it should be cheaper). Currently, I use ksoftware. I think they probably offer the cheapest way to buy outright.
Paul Sanders. If I had more time, I would have written a shorter letter - Blaise Pascal. Some of my best work is in the undo buffer.