Google Checkout - Confusing Security Information
Feb 10th, 2007 by Greg Bulmash
So, I'm considering using Google Checkout to accept payments for a web site I'm dreaming up.
Since I'd like to give customers immediate access to services they buy, I was considering the Level 2 API integration. That requires you have an SSL secured server.
So, I did a search to see if they accepted self-signed SSL certificates. Nope. They have a list of accepted certificate authorities and their certificate types that Google will recognize.
Since GoDaddy has cheap certificates, I decided to check their price on a "Go Daddy Class 2 CA" from Google's list. That's where the problems begin. The choices available at GoDaddy are "Turbo", "High Assurance", and "Extended Validation". Now, I could assume that the "High Assurance", being the second level, is the Class 2. But I wanted to be sure.
I scrutinized GoDaddy's marketing pages, even searched their FAQs and helpdesk, but there was no mention of "Class 2" anywhere.
I started looking at other certificate authorities on the Google list. Again and again, at vendor after vendor, the names Google used for the certificates did not match the names the vendors were using. I must have spent a half hour looking around vendor sites, looking for the certificates on Google's list and not finding matching names.
If Google wants more merchants to adopt their checkout system, they need to catch issues like this and deal with them. If it was just one or two vendors where the "marketing" names for the certificates that they used to sell them didn't match the "class" of certificate used on the backend, I could see where it might be the vendor's fault. But when the issue is this pervasive, Google needs to get on the ball.
UPDATE: I got a reply from Google Checkout customer service. They acknowledged that the list was confusing and said they'd look into it. In the meantime, they referred me to a thread in the Google Checkout discussion group. In it two people cite certificates they've used successfully, one being the GoDaddy "Turbo" SSL certificate, which is one of the lowest cost certificates you can buy.