UPS Switches SSL Certificate to Comodo – Causes Problems for Ecommerce Stores

Last week, United Parcel Service (UPS) switched their main www.ups.com SSL certificate from VeriSign to Comodo (both VeriSign and Comodo provide SSL certificates). What should have been a non-event instead caused headaches for many ecommerce merchants…

Why the switch

www.ups.com previously had a VeriSign SSL certificate that was up for renewal. It seems UPS decided to switch from VeriSign to Comodo as their SSL vendor.

[UPDATE: 12:30 PM ET 4/19/2011: UPS actually has both a VeriSign and a Comodo certificate installed for www.ups.com, and is serving different certificates based on which load-balanced system is responding. This just exacerbates the problem as now you have mixed certificates in use…]

Why? Maybe they were “sold” by Comodo, or had a falling out with VeriSign. Or maybe the IT person in charge of SSL certificates thought they could save a few bucks by going with Comodo.

Whatever the reason, last week the SSL certificate vendor switched, and www.ups.com was now serving a Comodo EV certificate.

[UPDATE 2: 10:30 AM ET 4/20/2011: An unnamed source (sounds so James Bond-ish) has let me know that Akamai required UPS to switch to a Comodo cert to have their content distributed across their network. The URL onlinetools.ups.com will remain on a VeriSign SSL certificate.]

Why it was a problem

It turns out that Comodo certificates are not trusted by some older web browsers or by the older root certificate bundles installed on many servers. This incompatibility impacted many ecommerce applications such as ShopSite®, Miva Merchant, and others.

Previously, UPS used a VeriSign certificate. VeriSign (and GeoTrust) are trusted by all web browsers and operating systems, so it was never a problem. But with Comodo, even operating systems as new as Red Hat Enterprise Linux 4 (RHEL 4) and CentOS 4 would not validate the Comodo certificate as safe. This led to some ecommerce applications failing when trying to get real-time shipping rates from UPS.

ShopSite issued a patch the same day this was found out, and we patched the handful of clients that were impacted by this problem (turns out UPS kept onlinetools.ups.com with their existing VeriSign certificate, so this URL validates fine).
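
The validation failure described above can be reproduced offline with `openssl`. This is an added example, not code from the original post, UPS, ShopSite or any certificate authority: it creates two constructed root CAs, issues a certificate for the hypothetical host `shipping.example` from the new one, and verifies it against a stale CA bundle and an updated one. All names, keys and file paths are assumptions.

```shell
#!/usr/bin/env bash
# Added example. Every key, certificate and host name here is constructed
# locally for the demo; none is a real UPS, VeriSign or Comodo artifact.

# make_root DIR NAME: create a self-signed root CA (NAME.pem, NAME.key) in DIR.
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/O=Constructed Demo/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_leaf DIR CA HOST: issue HOST.pem in DIR, signed by root CA.
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$3.csr" -days 1 \
    -CA "$1/$2.pem" -CAkey "$1/$2.key" -CAcreateserial \
    -out "$1/$3.pem" 2>/dev/null
}

# trusted_by BUNDLE CERT: exit 0 only if CERT chains to a root in BUNDLE.
# This is the same chain check a TLS client runs against its CA bundle.
trusted_by() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
  local dir b
  dir=$(mktemp -d) || return 1
  make_root "$dir" old-root && make_root "$dir" new-root &&
    issue_leaf "$dir" new-root shipping.example || { rm -rf "$dir"; return 1; }
  # Stale bundle: knows only the old vendor's root.
  cp "$dir/old-root.pem" "$dir/stale-bundle.pem"
  # Updated bundle: the new vendor's root has been appended.
  cat "$dir/old-root.pem" "$dir/new-root.pem" > "$dir/updated-bundle.pem"
  for b in stale-bundle updated-bundle; do
    if trusted_by "$dir/$b.pem" "$dir/shipping.example.pem"; then
      echo "$b: certificate verifies"
    else
      echo "$b: verification fails, issuing root is not in the bundle"
    fi
  done
  rm -rf "$dir"
}

demo
```

To audit a real server, call `trusted_by` with that server's CA bundle file and a saved copy of the certificate presented by each endpoint the application depends on.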

Why it should NOT be Comodo

I don’t understand why UPS would switch from a trusted VeriSign SSL certificate to Comodo. The money saved is negligible. But the headaches this can cause, and the increase in older web browsers and various operating systems that do not see Comodo as a trusted certificate, seem to heavily outweigh any advantages.

I’ve never been a big fan of Comodo (they often use predatory practices and deceptive marketing to try to get SSL certificate owners to switch to them). This latest problem with UPS is just another example of the headaches a Comodo cert can cause.

Going with a VeriSign or GeoTrust SSL certificate means that older browsers and operating systems will still be able to use the secure portion of a website or application without any security warnings or issues. And yes, people shouldn’t be using old browsers like IE6 or Netscape, but a quick glance at your stats will demonstrate that a large enough percentage still do.

I doubt UPS thought about the implications of switching SSL vendors. In fact, they didn’t announce this switch to anyone. However, as is often the case, what starts out as an innocent change that should not impact anyone turned out to be a huge pain for a number of online stores that rely on UPS to return real-time shipping rates to their customers.

I take away two lessons from this event:

1. Always plan for the unexpected when you make a change.

2. Choose a VeriSign or GeoTrust SSL certificate over Comodo to avoid compatibility issues with older browsers and servers.
