Wednesday, May 11, 2011

Avoid Browser Security Error Messages with Real SSL Browser Root Ubiquity

Browser root ubiquity is an important requirement when deciding on a Certificate Authority (CA) for your SSL Certificates. Many CAs claim 99% browser ubiquity, but this claim does not mean that every certificate will activate without triggering a security warning in a browser. Newer or smaller CAs may not have had their roots included in the root store for some browsers. This is especially an issue for older browsers.
VeriSign SSL does not have this issue. All browser manufacturers certainly remember to add VeriSign roots to their root store when new versions of that browser are released.
This is not the case, however, for every SSL Certificate vendor out there. In the past, some CA roots have been left out when a new browser version was released. If a CA's roots are not included in a browser's root store, unsightly error messages can occur -- messages that can motivate users to abandon that session. This leads to lost opportunities for sales and creates dissatisfied customers who may or may not be lost forever. If you'd like to learn more about how trusted root stores work, see here.
Today, a prominent company experienced this type of error on their web site. It happened after they received an SSL Certificate for one of their sites signed by a CA other than VeriSign (we don't like to name names, so we won't in this post). For this site, if a user visited the site on older versions of certain browsers, namely IE6, which still enjoys nearly 11% of worldwide browser market share, they would receive an error message indicating that the certificate was not trusted. Think about that. More than 1 in 10 visitors to this site were being shown a message that told them not to trust the site they were on. And all because the CA who signed that certificate (and who claims 99.3% browser ubiquity on their web site) didn't have their roots in the older browser.
We all have to justify cost as we make our decisions in IT. Sometimes, site owners will get the impression that "SSL is SSL, and if I can save a few bucks, why shouldn't I?" Browser root ubiquity is one of the many reasons why VeriSign SSL Certificates are not the same as all other certificates out there. The list of reasons why is in fact quite long, but we'll continue touching on that later...