GeoTrust vs. VeriSign: An SSL Controversy

Who’s the top dog in the SSL certificate market? According to a GeoTrust statement, it is. VeriSign
would have you believe otherwise, though.
Regardless, bragging rights are at stake
in a market that forms the basis of modern Internet security and may be on the verge of explosive growth.

GeoTrust made the claim that it had surpassed each of VeriSign’s individual SSL certificate brands in the North
American SSL certificate market based on its interpretation of data from a May Netcraft survey. The survey measured
the VeriSign brands RSA Data Security, VeriSign Trust Network and Thawte.

But according to Brendan P. Lewis, VeriSign
corporate communications manager, GeoTrust parceled the data, so it looks favorably on them.

“Overall we still have a commanding lead of
market share for SSL certificates. By far and away we still have more SSL certs out there.”

Lewis contends that, on the whole, VeriSign still outsells GeoTrust by a significant margin. A recent June SSL survey
by Securityspace.com says VeriSign SSL brands command a global 47.29 percent market share across all domains as
opposed to GeoTrust’s 15.6 percent market share.

GeoTrust is aware of the Securityspace.com findings, but sees a different aspect of the survey as a positive
indication for their business.

“Securityspace.com also tracks SSL market share statistics, although they track the VeriSign brands in aggregate,” said
Joan Lockhart, vice president of marketing at GeoTrust. “But the trend lines still confirm VeriSign and thawte’s
dramatically declining market share and GeoTrust’s aggressive growth.”

GeoTrust also claims that part of its fast growth occurs in the enterprise market where SSL certificates are used
behind the corporate firewall and cannot be measured by third-party survey services. VeriSign is also seeing growth in
the number of enterprises that are securing themselves with SSL certificates.

The reason for the growth of the SSL certificate market, especially across the enterprise, is based on the ever-increasing
importance of security amidst an ever growing list of attacks on the Internet and the need to secure Web services.

“We think that it is still a relatively new market, and that there is much room for growth on the enterprise side.
In fact, we think the market is growing at about 40 percent per year,” said GeoTrust’s Lockhart. “We see SSL being deployed
in a wide range of applications, such as securing Web portals and messaging services in Web services, and it will be
used in other extended enterprise applications.”

According to a recent Evans Data survey release, 70 percent of Web services developers use SSL as
the primary means of securing their applications.

“SSL was originally designed for business-to-consumer transactions on the Internet,”
said Joe McKendrick, an analyst with Evans Data in a statement. “However, SSL is gaining a new
role, as 70 percent of respondents expect to use the security mechanism for Web services interactions, as well.”

SSL certificates may play a part in the fight against phishing and spam. The SenderID initiative being spearheaded
by Microsoft will act as a caller ID for the originating domain for the sent e-mail. An authenticated SSL-secured domain
name may play a critical role in that setup to help provide a stronger solution to stop the flow of spam.

“As we take steps to mitigate the problems of spam and e-mail-propagated viruses, the need for people to have an
authenticated domain name rises exponentially,” said VeriSign’s Lewis. “So I think you’ll see a spike in the SSL market,
as well. If this truly takes off there’ll be more people looking to authenticate themselves. And that can be through
VeriSign or any other reputable certificate provider.”

SSL certificates are of course available from other vendors besides VeriSign and GeoTrust. Other options include free
services from certificate authorities (CA), such as CAcert or simply doing something known as self-signing a certificate
without going through a CA, which exist to provide a measure of authenticity
to the validity of an SSL certificate. Without going through a browser-recognized CA, an alert box will pop up
indicating that the certificate is not from a recognized authority. Microsoft recognizes CAs through
its
Root Certificate
program.

Both VeriSign and GeoTrust strongly believe that it’s important to go through a recognized CA rather than
going the free or self-signed route.

“These are fine for testing and internal use, but they don’t provide the ubiquity that products like GeoTrust and VeriSign
certificates do in the public domain,” said GeoTrust’s Lockhart. “Companies [and enterprises in particular] want a
reputable company to stand behind its certificates. And when you consider all of the costs in an
e-commerce equation, the price of a certificate is a very small investment.”