[SSL Observatory] The real cost of "free" certificates

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Apr 20 02:55:56 PDT 2011


Every now and then when the cost of certificates comes up in a discussion,
someone drags out the old red herring of "but there are CAs that issue
certificates for free" (yeah, and you can get operating systems, web servers,
and other things for free as well, so web hosting should cost nothing).
Anyway, I thought I'd sit down and try and figure out how much these free-
like-a-puppy certificates actually cost.

First, the time to provision a machine or device.  This varies wildly from
minutes through to days, I'll take the representative figure from the PARC
study reported in "In Search of Usable Security: Five Lessons from the Field"
by Dirk Balfanz, Glenn Durfee, Rebecca Grinter and D.K. Smetters that highly
experienced computer users took over two hours to provision their machine with
a certificate.

Cormac Herley's "So Long, And No Thanks for the Externalities: The Rational
Rejection of Security Advice by Users" used a figure of US $14.50/hour for IT
workers (twice the US minimum wage), but in conversations with IT folks
they've pointed out that server provisioning (rather than playing with end-
user PCs) is typically charged at a much higher rate, running to several
hundred dollars an hour for time-and-materials jobs, so I've used a figure of
$50/hour as a kind of middling value.

The SSL Observatory found 7 million self-signed certs and 4.3 million "other"
certs (?) (see
http://www.ietf.org/mail-archive/web/keyassure/current/msg01810.html), for a
total of 11.3 million certs that would benefit from a free CA.

This leads to 2 hrs * $50/hr * 11.3M = $1.1B/year spent on provisioning
certificates.  So to a general approximation, "free" certificates have an
actual cost of over a billion dollars a year.

Comments/corrections welcome (although avoiding endless bikeshedding over the 
figures would be appreciated, if there's a large-scale study that has more 
representative figures I'd be interested in hearing about it).

Peter.


