Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Choosing an SSL Provider?

kdawson posted more than 6 years ago | from the who-you-gonna-trust dept.

Security 183

An anonymous reader writes "I have recently been tasked with switching our SSL certificate provider and it's proving not to be easy. We use an internal authority for our own stuff and then we buy certificates to protect outward-facing sites (a lot of them). My question for this community is: How do you choose a certificate authority to use? There is price, service (why we're leaving our last vendor), warranty, and products offered as the only differentiators I can find. Is there any public resource that would show me actual customer reviews of CAs like Verisign, GeoTrust, Comodo, Trustwave, and DigiCert? Our last vendor did a really poor job with support and I would like to make a reasonably educated decision."

Sorry! There are no comments related to the filter you selected.

RapidSSL is your friend (5, Informative)

teknopurge (199509) | more than 6 years ago | (#23198082)

They have cheap 128-bit cert that have Root in almost all browsers. The only issue we have run into is windows mobile devices.

If you're just after a basic root cert, RapidSSL(Equifax) is your best bet. If you need the stronger, blood-of-your-first-born cert, Verisign is the place to go.

Regards,

Re:RapidSSL is your friend (3, Informative)

TechyImmigrant (175943) | more than 6 years ago | (#23198162)

>They have cheap 128-bit cert that have Root in almost all browsers.

Usually they are 1024 bit RSA with SHA-1 signing (80 bit). These are deprecated by NIST for use past 2010.

MS don't support SHA-256 signatures in XP, until SP3, which explains some of the delay in rolling out stronger roots.

Re:RapidSSL is your friend (1)

ObsessiveMathsFreak (773371) | more than 6 years ago | (#23198480)

If you need the stronger, blood-of-your-first-born cert, Verisign is the place to go.
Knowing Verisign, they'll probably want that blood eventually.

Friend ? Look at their conversion rates.. (0)

Anonymous Coward | more than 6 years ago | (#23198618)

.. $69 = 69 euro ? I don't think so ! Avoid like the plague...

Re:Friend ? Look at their conversion rates.. (0)

teknopurge (199509) | more than 6 years ago | (#23198762)

We pay $10/cert.

depends on devices... (5, Informative)

bentley79 (1053828) | more than 6 years ago | (#23198668)

With more users accessing the web from mobile devices, certificate choice matters even more now. Motorola phones, for example, only have a verisign cert on them, so users will get annoying "untrusted site" warnings for sites with Equifax certs. Also, J2ME applications on these phones cannot connect to sites with non-verisign certs. This becomes a bigger problem for mashup java apps that try to access secure apis on multiple services. You end up greatly restricting how your service can be used if you go for a cheap, easy Equifax certificate.

Re:depends on devices... (4, Insightful)

Ucklak (755284) | more than 6 years ago | (#23199330)

Now ain't that a racket.
Still secure but because Verisign obviously has a hand in the mobile distribution market, no one else is 'secure'.
I see is as the losers are the Motorola users tied to Verisign only certs.

Re:RapidSSL is your friend (0)

Anonymous Coward | more than 6 years ago | (#23199182)

Stay with the "major" SSL vendors if you care at all about mobile devices.

We started using one from Comodo. Then we found that most cell phone browsers (i.e. those on consumer phones by Motorola, Nokia, LG, Samsung) don't recognize it. And there is no way for the end user to install another certificate authority on most of these devices. So we ended up getting another cert from Thawte.

On the other hand, if you don't care about supporting mobile devices, then just go for the price.

Re:RapidSSL is your friend (1)

friherd (1279364) | more than 6 years ago | (#23199310)

I agree, RapidSSL is quite good. I've used it for over 3 years without any issues.

What sort of support do you need? (4, Interesting)

TechyImmigrant (175943) | more than 6 years ago | (#23198100)

How do you support a cert? They're pretty much set once delivered.

1) You make a cert request. Pay Money.
2) They verify your identity.
3) They sign your cert request and return it as a signed cert.

It's not like you can upgrade a v3 cert to v3.1.

Re:What sort of support do you need? (5, Informative)

mackil (668039) | more than 6 years ago | (#23198416)

How do you support a cert? They're pretty much set once delivered.
Typically that is true. However when we tried an EV-SSL chained certificate, it wouldn't recognize the trust chain and caused all sorts of problems. We tried dealing with the support people, but they were very unhelpful and would only deal with us over email. Since they appeared to be in the UK (and we in the US), it was very frustrating in dealing with them. In the end we gave up and went back to a root certificate.

Re:What sort of support do you need? (0)

Anonymous Coward | more than 6 years ago | (#23198484)

If your product deployment is waiting on the authority to sign the cert(12-24 hours sometimes), then good support becomes desirable.

Re:What sort of support do you need? (1)

Ucklak (755284) | more than 6 years ago | (#23199364)

12-24 hours sometimes! Damn, what the hell. I can get a browser recognized Certificate in minutes. I can make my own in seconds and they're ALL the same level of 'security'.

Re:What sort of support do you need? (0)

Anonymous Coward | more than 6 years ago | (#23198612)

I guess he means support with installation and configuring the servers. Possibly actually creating the keys and csr's in the first place.

If that's the case you really shouldn't be looking at a certificate provider for this.

On the other hand, perhaps he means turnaround time after issuing a new CSR, that would definitely be a factor. We use digicert, and find them to be very nippy.

Re:What sort of support do you need? (1)

Albanach (527650) | more than 6 years ago | (#23199266)

I've used several of the super cheap providers in recent years and all have delivered pretty much instantly via email after the telephone verification.

In the past I've dealt with Verisign and Thawte in the days where they wanted to see bank statements and such like - certificates then could take days or weeks to arrive. These days I'd only expect that to be the case with EV-SSl certs.

I'm not clear what the issue the original poster is having. All the providers I've used in recent years have provided detailed instructions to make the certificate request. Assuming it's Apache or IIS, it seems hard to see what could go wrong?

Do they need a large number of certs quickly - then maybe a wildcard certificate or a root certificate (and spending $$$) is what they need.

There's not enough detail in the summary to define the question that needs answering.

Re:What sort of support do you need? (1)

speculatrix (678524) | more than 6 years ago | (#23199308)

Actually, most SSL providers barely check identity, relying on email only which is pretty crap to be honest. To rectify this they have introduced a new tighter specification ssl cert which of course costs more money, but since 95% of the public barely know what https means, it's all pretty pointless.

Support? (1)

jrumney (197329) | more than 6 years ago | (#23198110)

What sort of support are you expecting for a certificate? Installation support should be available from the vendor of your servers. Was it renewal or revocation you had problems with? Renewal means more money for the CA, so it should just be a matter of phoning their sales team, they'll fall over themselves to provide you with service if you have a large number of certificates to renew. Revocation - I'm not sure enough customers will have had to deal with that to get enough feedback to make a judgement.

Re:Support? (2, Insightful)

TechyImmigrant (175943) | more than 6 years ago | (#23198222)

... Revocation - I'm not sure enough customers will have had to deal with that to get enough feedback to make a judgement.
I run a small CA for a particular technology. My advice to the manufacturers obtaining certs is "Don't compromise your keys!". Revocation is painful.

Depends on priorities (3, Insightful)

morgan_greywolf (835522) | more than 6 years ago | (#23198124)

What are your priorities?

It sounds like service is pretty high up on the list. What about price?

There is everything from CACert.org, which offers free certs, but supported is limited to the community it serves, to budget providers to full-service providers like Verisign.

Do you need more than just a few certificates? Do you need someone to be available 24x7 for phone support or is e-mail support good enough? What do you need?

Like anything else in life, you decide based on what your needs are and how well that, in this case, a particular CA fits your needs.

Re:Depends on priorities (4, Informative)

crush (19364) | more than 6 years ago | (#23199198)

Except that's a pretty good community and is more clueful and ethical than many of the for-money providers. The problem with CAcert is not on the support end, it's the fact that their root certificate is not distributed with current browsers. Each potential verificant would have to import their cert manually. Supposedly that's changing slowly with the Mozilla Foundation spelling out exactly what the audit process is to allow the inclusion of CAcert. We can but wait and hope. Personally I'd rather have community support for something like this.

Impression (3, Informative)

esocid (946821) | more than 6 years ago | (#23198140)

I was under the impression that SSL providers had a hold on the "market" and didn't really need to provide that good support, but that is coming from someone who has never had to deal with that side of it. Here [web-hosting-top.com] is an aggregation of a bunch of providers though, beware it's an ugly page.

Re:Impression (2, Insightful)

mendax (114116) | more than 6 years ago | (#23198362)

They do indeed have a hold on the market... in that the big guys listed in the question have their certificates in the main key store files of your browse, Java runtime installations, etc. which guarantees that they are trusted and cause the least amount of hassle.

I've thought for a long time that the answer to this problem is competition. What bugs me is why government hasn't gotten into the act. The purpose of an SSL certificate is to verify that the entity who owns the server you're communicating with is who they say they are. This is the role of a notary, a private individual who is commissioned by the government to verify that people are who they say they are when documents are signed. Sounds like a profit-making enterprise to me.

Re:Impression (1)

esocid (946821) | more than 6 years ago | (#23198530)

I don't think getting the govt in on it would be a good idea. You'd then have people pandering to politicians and we'd end up with Diebold offering SSLs. Competition is still operating since I've seen multiple SSL providers on different sites, but Verisign is without question the top dog, whether that's due to it's solid performance or the hold it has, or both, but at least there's multiple alternatives if you aren't satisfied with who you have currently. Somehow I can't see that existing to such an extent with govt regulation.

Re:Impression (0)

Anonymous Coward | more than 6 years ago | (#23198876)

No, they don't actually have their certs in MY browsers. The only certs that are in my browser are the ones I save. All of the inital certificate authorities' certs that came with have been removed.

Re:Impression (1)

jimmypw (895344) | more than 6 years ago | (#23199188)

Really now, Whats the point in that? Surely thats just more inconveniance for yourself at the end of the day as your ultimatly going to re save a few that were already in there. Think hard about it.. your exposing yourself to more risk as the certificate that your saving could have come from an intercepted connection.

Re:Impression (0)

Anonymous Coward | more than 6 years ago | (#23199706)

I do save individual certificates for sites I expect to return to. This actually does more to alert me if I accidentally go to the wrong site, since I will get an unexpected notice about the unknown certificate.
I have no special trust relationship with Verisign or other CA provider and their signature doesn't tell me that I am really at the site I think I am.
The current way browsers warn about certificates seems to be more geared toward scaring people away from sites that don't pay protection money, rather than being actually designed to help people not be tricked into dealing with someone they didn't intend to.

Re:Impression (1)

dekemoose (699264) | more than 6 years ago | (#23199226)

Well la-dee freakin' dah, good for you.

SSL Monopolies, SubCAs, PKI use, and supply/demand (2, Interesting)

CarpetShark (865376) | more than 6 years ago | (#23198704)

I could be wrong about this, but I think the problem is that PKI was intended to be much more hierarchical, like DNS.

In other words, I think the idea was probably that ISPs or other organisations would purchase bigISP.com certs, that allowed them to be certificate authorities too.

Then, an ISP's customers could go to THEM for certs. The customer's site cert would be signed by their CA; the ISP, and the ISP's in turn would be signed by the big names.

I think that does work. If so, then the problem is almost certainly that ISPs and such just don't buy those big certs, because so few people use SSL on their sites.

BUT... note that CA certs could be used much more widely than they are -- for email signing/encryption, server/client authentication in WANs, etc.

Re:SSL Monopolies, SubCAs, PKI use, and supply/dem (5, Insightful)

greed (112493) | more than 6 years ago | (#23198870)

What you describe does work, though it gets annoying.

Basically, when your server negotiates SSL with the browser, it has to provide all the certificates in the trust chain that the browser doesn't have. So, bigISP.com has a certificate signing certificate from VeriSign, and signs a Web certificate for your company. Any time an SSL request comes in, your server has to present it's public certificate and the public certificate of bigISP.com's signing certificate. The browser already has VeriSign's public certificate signing certificate.

So, it's kind of like DNS resolution, where you have to "know" the root server, and then can build a chain down to get the actual name server to ask. But, in this case, you need a trust chain of signed certificates. With one or two layers, it's not _that_ big a deal...

The real downside is maintenance. Each layer has its own expiry, and you have to re-establish the chain whenever a certificate in it expires. That means new private certs and updating the public certs that are sent with the SSL transaction.

If, instead, your certificate is signed by a certificate for which there is a public key pre-loaded into the browser, you only have 1 certificate to update when it expires or when the signing certificate expires.

I use a self-signed certificate signing certificate for my home systems and for my department's SSL servers at work. But there's a very limited number of people who are supposed to access those servers, so they can be given the public signing certificate by hand. And even then, I wind up on vacation and unable to get to my IMAPS server because I forgot the signing certificate is going to expire on me....

So, keeping the chain short is actually worth-while, just from a maintenance perspective.

SSL (3, Informative)

mackil (668039) | more than 6 years ago | (#23198154)

We've used Geotrust since the beginning and have never had a problem. They are a bit more expensive than others, but we'll take the hit there for the good support.

There was one year where we wanted to try the EV-SSL. We decided to go cheap and went with Comodo. Big mistake. It didn't work, and after dealing 2 weeks with the support people there, we gave up and went back to Geotrust. They would only talk to us via email and were generally very unhelpful. I'm not saying that is what everyone experiences, I'm simply stating our own.

Re:SSL (1)

travisd (35242) | more than 6 years ago | (#23198398)

...and of course GeoTrust is now owned by Verisign.

We used them as well. Price was the main thing - we did a "bulk" type plan since we were trying to get a hold on all of our rogue cert purchasers. We also got a decent portal out of them to expedite certs for any pre-vetted domain.

Re:SSL (1)

mackil (668039) | more than 6 years ago | (#23198452)

...and of course GeoTrust is now owned by Verisign.
Actually that is why we tried Comodo in the first place, in not wanting to fill the pockets of Verisign. Unfortunately it didn't work out.

Re:SSL (0)

Anonymous Coward | more than 6 years ago | (#23199204)

Not to be a grammar police, but your use of "They" right after "...went back to Geotrust" relays exactly what you didn't mean, I do believe.

Rapid SSL Wildcard (4, Informative)

Kagato (116051) | more than 6 years ago | (#23198174)

Go with a Rapid SSL wildcard cert. It will take care of most external needs with a single cert. They have a self service model that works pretty well. Cost is very reasonable.

Buy a real SSL cert, with location info (4, Insightful)

Animats (122034) | more than 6 years ago | (#23198184)

Buy a real SSL cert, one with "Location" (L field) information and a real business name (not a domain name) in the "Organization" (O field). Avoid those cheap "Instant SSL" "Domain Control Only Validated" certs.

At SiteTruth [sitetruth.com] , we consider the low-end certs worthless. They don't provide any information about who you're dealing with. We encourage other developers of certificate-validation software to take a similar position. You don't want to input a credit card number to a site with a "domain control only validated" certificate. "Domain control only" validated certs are enough for logging into a blog, perhaps, but not more than that.

Re:Buy a real SSL cert, with location info (4, Insightful)

pyite (140350) | more than 6 years ago | (#23198250)

Are you also amongst the group of people that think Extended Validation certificates are anything more than something to make Verisign more money?

Re:Buy a real SSL cert, with location info (1)

Albanach (527650) | more than 6 years ago | (#23199630)

I certainly do - my first SSL cert from Thawte cost a fraction of the $900 an EV SSL certificate costs from them, and required utility bills, bank statements etc to verify my identity.

Identity can, and has, been validated in the same fashion as EV-SSL certificates for a fraction of the price in the past. If they wanted to establish identity they could, and for less than an EV-SSL cert costs at present.

Re:Buy a real SSL cert, with location info (5, Insightful)

vux984 (928602) | more than 6 years ago | (#23198370)

I thought the main point of a SSL cert for most people was session encryption.

And the main reason we pay for one is so we get one the browser recognizes without throwing up a prompt about unrecognized certs that might be off-putting to a customer.

How many site visitors really look at the cert? Or care whether its got an company name or more. How many even KNOW there are different levels of cert? For most either the 'lock icon' is there or its not. They don't -check- the cert, or even know how?

Re:Buy a real SSL cert, with location info (1)

tepples (727027) | more than 6 years ago | (#23198538)

I thought the main point of a SSL cert for most people was session encryption.
And the main point of an SSL cert that isn't self-signed is to keep ISPs between the browser and the server from acting as a man in the middle and intercepting all communication. If you have some other reasonably secure infrastructure for distributing software to your customers, your company can distribute its own root cert for customers to install, leaving VeriSign and all the CAs it has acquired out of the loop.

Re:Buy a real SSL cert, with location info (1, Interesting)

TheLink (130905) | more than 6 years ago | (#23199022)

Wrong. The main point of an SSL cert that's by one of those CAs is for the very reason he said:

So _public_ users don't get a pop up prompt.

Nobody really gives a damn about the "other stuff" (e.g. real security, and even if users get a pop up, more than half the time they'll just click through ;) ).

After all when CAs like Verisign issue "Microsoft" certs to nonmicrosoft people[1], and lots of sites still use Verisign (who are already known for _intentionally_ doing very dubious stuff), where's the security?

If you actually want security you're better off deleting most CA root certs and stick to getting the browser to recognize certs for sites that you really trust on a per site basis.

You shouldn't be depending on CAs that don't really care. Because some random CA will sign some cert they shouldn't and then you're screwed since your browser has their cert built in, and so you don't get a prompt when you get MITM'ed at some WiFi + Latte place. Instead of your bank site, you end up passing your credentials to some hacker.

Whereas if you recognized the bank site just because of the bank's usual cert, and not because some evil/incompetent CA signed it, if a hacker presents a different cert, you will get a prompt. Naturally when the cert expires you get a prompt, but that's really not a big deal in practice.

[1] http://www.microsoft.com/technet/security/bulletin/MS01-017.mspx

Re:Buy a real SSL cert, with location info (2, Insightful)

caluml (551744) | more than 6 years ago | (#23198594)

I thought the main point of a SSL cert for most people was session encryption.
Don't forget about identifying the server at the other end. No point having ultra-mega-good encryption if it's with a MiTM.

Re:Buy a real SSL cert, with location info (4, Insightful)

CalvinTheBold (122460) | more than 6 years ago | (#23198610)

I think you may be a little mixed up.

The point of the encryption is transport layer security and privacy. The point of the certificate is TRUST. Having an encrypted session makes no difference if you are communicating with an impostor.

The prompt about unrecognized certs certainly SHOULD off-put the customer; it's likely to be that customer's only warning that the party on the other end of the connection isn't who it claims to be.

Re:Buy a real SSL cert, with location info (4, Insightful)

vux984 (928602) | more than 6 years ago | (#23198904)

I think you may be a little mixed up.

No. Think soley in terms of the average web user.

The point of the encryption is transport layer security and privacy.

Right. And that's what the average user is interested in when they see 'secure login', the lock icon, or the https prefix. I don't think most users even know that https is guaranteeing WHO they are talking to at all.

The point of the certificate is TRUST. Having an encrypted session makes no difference if you are communicating with an impostor.

That's true. But beside the point. From an engineering perspective, yes, the reason for the cert is trust, and the signing chain to root CA's etc establish a chain of trust.

But in practical terms, the average user doesn't have the foggiest idea what this all means.

So as a website developer looking to satisfy customers demands, I might want to provide seamless encryption which the customer understands and wants; so I need an SSL cert because the browsers don't support seamless encryption without one. And the customer gets what they demand.

They also get some 'trust', but its a side effect of the good engineering that went into the system. The customer doesn't actually -check- the cert and verify who they are talking to. And if someone sent them a fishing email pointing at 'bankotamerica.com' instead of 'bankofamerica.com' as long as bankotamerica.com has at least a domain only cert that their browser accepts, and their lock icon comes on, they'd be satisified.

Re:Buy a real SSL cert, with location info (1)

Burz (138833) | more than 6 years ago | (#23200002)

Yes, simply verifying the domain name when looking for the lock icon would fix the problem. Except that most people IMO don't even look for the lock.

And us techies are to blame for not educating users on using https to begin with. When I ask techs whether they instruct/remind people about https, they write the users off as too stupid... but when I ask when was the last time they tried, the answer is 'I just don't' or 'don't remember' which I uncharitably interpret as NEVER.

Sadly, most techs (incl. CNEs and such) don't even know how to use https in a web browser. Techies culture has a serious problem that must be fixed if we don't want the net to be handed over to authoritarian control.

Re:Buy a real SSL cert, with location info (1)

tinkerghost (944862) | more than 6 years ago | (#23198862)

I thought the main point of a SSL cert for most people was session encryption.

Depends entirely on the reason you're putting together a cert. Cert's on web services are much more than just for encryption, they are the primary means of secure verification. Verizon, for instance, will only accept Verisign Certs for their automated repair services and the cert information has to match what was sent to Verizon in the setup process.

Re:Buy a real SSL cert, with location info (1)

Bill, Shooter of Bul (629286) | more than 6 years ago | (#23199074)

Well, that depends upon whether or not you want me as a customer. I look at the cert. Will not buy anything from a site with a CA, I don't trust. I might not make a dent in your sales, but I am often asked to recommend sites for friends, family, non for profits, and small businesses.

Re:Buy a real SSL cert, with location info (1)

Metasquares (555685) | more than 6 years ago | (#23199680)

Firefox 3 accentuated the distinction between self-signed and CA certificates in the browser quite a bit. Now you get this "error page" that forces you to add an exception for self-signed certs before it will let you view the page. I guess they did it to combat certain types of phishing.

Re:Buy a real SSL cert, with location info (5, Insightful)

Anonymous Coward | more than 6 years ago | (#23198504)

To an end user there are three types of SSL certs:

those that error,
those which display a padlock
and those which make the address bar go green in their crappy browser.

Re:Buy a real SSL cert, with location info (1)

Burz (138833) | more than 6 years ago | (#23200046)

And are you going to tell them the key to using it properly, to check the domain spelling??

What's that? "...no??"

Re:Buy a real SSL cert, with location info (4, Informative)

jroysdon (201893) | more than 6 years ago | (#23198572)

I found SiteTruth's search worthless. I put in my own domain [roysdon.net] and it said it was suspect, no address listed on the website. Totally bogus information. One of the first links is to the AUP [roysdon.net] page, which contains the same address WHOIS has listed. Even if I search giving the AUP link, it cannot find the address. Further, it says no usable certification info - I could see it complain that it doesn't like my CA, but there cert works just fine in any non-Microsoft browser. I find this site worthless as it fails to provide valid information. I could see it complaining that my SSL cert (free for non-commercial, personal use) is a domain-only, but it doesn't, it just says, "No valid cert." Finally, just because something doesn't have a valid business behind it (as in a personal website/email hosting), doesn't mean it is invalid or worthless. Don't give me your money - I'm not asking for it.

Re:Buy a real SSL cert, with location info (1)

Animats (122034) | more than 6 years ago | (#23199894)

That site has the address only on the "AUP" page, an unlikely place for a user to look for it. SiteTruth checked the "Contact" page, and didn't find it there. We look at about forty keywords ("contact", "about", "office", "address", "site map", etc.) likely to lead to an address, much as a user would.

The site does have an SSL certificate, but it's from StartCom, a relatively new root certificate authority, and we don't have them listed as a valid root CA. Now that Firefox is accepting them, we should start; we generally use the same root CA set as Firefox, but only update once a year or so. Many browsers won't recognize StartCom certs yet, either.

Re:Buy a real SSL cert, with location info (1)

Animats (122034) | more than 6 years ago | (#23200116)

Updated the root CA file on the SiteTruth servers to the Mozilla version of April 7, 2008. SiteTruth will now recognize StartCom-issued certs.

Now we get:

This certificate identifies the domain only, not the actual business.

Domain www.roysdon.net

  • emailAddress=webmaster@roysdon.net
  • CN=www.roysdon.net
  • OU=Domain validated only
  • OU=StartCom Free Certificate Member
  • O=roysdon.net
  • L=Turlock
  • ST=California
  • C=US

It's one of those low-rent "domain validated only" certs.

Re:Buy a real SSL cert, with location info (1)

Burz (138833) | more than 6 years ago | (#23200156)

I agree. Its a stupid service founded on a misconception of what https is supposed to offer.

Https verifies the domain-based, Internet 'who' which is the important (and the most semantically verifiable) aspect of server's identity. Real-world addresses are actually more ambiguous and wouldn't matter anyway unless you have a penchant for entering sensitive info on sites you've never heard of before.

Re:Buy a real SSL cert, with location info (0)

Anonymous Coward | more than 6 years ago | (#23198792)

If there's an unbroken chain of trust between a certificate vendors certificates and a root certificate installed into (most) modern browsers, what is the problem?

Re:Buy a real SSL cert, with location info (0)

Anonymous Coward | more than 6 years ago | (#23198796)

Well, no one has ever heard of SiteTruth, so, what you consider worthless is really inconsequential.

From the average consumer's eyes, that little lock in the corner is what matters. It ensures a nebulous sense of security, and little other differentiation can be expected from the average user. IMO, levels of identity verification and encryption should be abstracted and seperately communicated to the user through the browser. Extended Validation, also known as the VeriSign Stupidity Tax, or Clueless CTO Tax, isn't the answer.

Also, for a blog, why pay for a cert? Use a self-signed one instead.

Re:Buy a real SSL cert, with location info (2, Informative)

firewrought (36952) | more than 6 years ago | (#23199726)

At SiteTruth, we consider the low-end certs worthless.
But the self-signed cert you have for your own domain is laudable? Sheesh... it's even expired, not that you'd know since your "site verification site" doesn't even take the most basic precaution of defaulting to https.

It depends on your needs but (2, Informative)

gerry_br (801484) | more than 6 years ago | (#23198192)

I have had success with both OpenSRS and GoDaddy for SSL certs. OpenSRS will allow you to easily supply the needs of your customers. Never had a problem with using either. Also, what type of support do you need? My experience is you install them and they work, then you renew them/reinstall as needed. just mu $0.02

Simply use a lock favicon for your website (4, Funny)

Anonymous Coward | more than 6 years ago | (#23198198)

Look at the "/." just before the http in your location bar. Just turn it into a lock icon for your website.

Re:Simply use a lock favicon for your website (1)

sakdoctor (1087155) | more than 6 years ago | (#23198332)

Mod parent up.

Seriously what a torrent of bullshit. Certs are encryption keys, and the rest is just marketing.
Users don't even care so long as there is a padlock on their browser. The danger of this "money can buy trust" idea is that it just leads to escalation. If a yellow padlock is all too common and can be bought for $5.99 then next you will need a green tick that proves among other things that the company has given at least $999 to verisign.

I rate the firefox invalid ssl cert warning as insightful, and the IE one as alarmist, bordering on mass hysteria.

Re:Simply use a lock favicon for your website (1)

sherriw (794536) | more than 6 years ago | (#23198568)

Yes, thank you! The IE7 warning on shared certs has made a friend of mine's little online shop nearly unusable. It scares people off. But it's just a hobby shop and can't really afford the trouble of getting their own cert. The shared one comes free with their host, but is now useless. I emailed the IE7 team to complain and the official line was, if you are using a shared certificate, you must be a phisher. ARG!

Re:Simply use a lock favicon for your website (0)

Anonymous Coward | more than 6 years ago | (#23198908)

There is something wrong if he can't afford the trouble of getting a Trustico.com resold rappidssl cert...

1 year for $14.95, and 5 years for $63.54

Only PIA is needing a dedicated IP for the virtual host. Heck I have SSL certs on my "play" personal servers now.

Re:Simply use a lock favicon for your website (1)

Sancho (17056) | more than 6 years ago | (#23199298)

If they're using Apache, check out mod_gnutls. It supports SNI (Server Name Indication) meaning that your virtual hosts on the same IP can have different SSL certs.

Re:Simply use a lock favicon for your website (1)

toporok (1138049) | more than 6 years ago | (#23199244)

I use shared SSL with 1and1 and granted 1and1 sucks a big one when it comes to service or doing things like backup or informing that somebody hacked your site, deleted your content and uploaded some muslim terrorist propaganda site but in terms of ssl and dns, their service is pretty solid.

Re:Simply use a lock favicon for your website (1)

uberzip (959899) | more than 6 years ago | (#23199202)

But Firefox 3's warning makes the average user think the site is broken as it looks too similar to a page not found error rather than giving a warning in a message box. Even one of my developers was confused by the Firefox 3 SSL warning because he didn't read the screen but just interpreted it to mean that the site was down. I think this and IE7 have alarmist reactions to certs. Consider that intercepting data traveling between client and server is not a common source of security breaches and is actually very difficult in most situations (where the user is hooked directly to their ISP). If company's understood this and read the news they'd realize that its much more worthwhile to worry about encrypting their databases and data stores rather than the connection to their clients. Every occurrence of stolen data that I can think of has not happened during the transmission of data but at the storage location. That's not to say that SSL certs are worthless, but its not something my company worries about as much as securing the data we have on site. We buy our cheap SSL certs and leave it at that.

Re:Simply use a lock favicon for your website (1)

uberzip (959899) | more than 6 years ago | (#23199300)

I guess I should also point out that my use of SSL certs is just to secure data tranmission. I certainly see the use of them if you are running a commerce site and want to ensure people that you are a legit company. In that case the expensive certs are useful to a degree. For our company, we don't have any need to prove to the client that we are a legit company via ssl certs as there is already an established relationship. I have found it laughably bad in terms of how ssl certs are granted though. A few years ago we ordered some certs from verisign for a lot of $$$. All they wanted from us in order to prove that we were a legit company was a faxed letter on our company letterhead... not necessarily a deterrent for a scam artist. I could easily make up any letter head and send it along.

Re:Simply use a lock favicon for your website (0)

Anonymous Coward | more than 6 years ago | (#23199690)

You forgot to say place a little green bar on the top of your page with an official looking logo that says "Super Secure Hacker Proof Site Guarantee"

I am telling you, 99% of web users wouldn't know the difference.

Re:Simply use a lock favicon for your website (1)

ceejayoz (567949) | more than 6 years ago | (#23200000)

Oh geez, that's a good (nasty) idea...

Re:Simply use a lock favicon for your website (0)

Anonymous Coward | more than 6 years ago | (#23200122)

I don't have an location bar with graphics support, you insensitive clod!

Digicert all the way (3, Informative)

cryogenix (811497) | more than 6 years ago | (#23198220)

If you want good support, go with Digicert. Absolutely phenomenal support. You don't go through hold queues to get to some person god knows where. Usually the person who picks up the phone is the one that helps you and they know what they are talking about. I've been extremely happy with them.

Re:Digicert all the way (0)

Anonymous Coward | more than 6 years ago | (#23200290)

I haven't had to call DigiCert support yet, but can say that their wildcard cert is very cool. We switched from about 30-some Thawte certs to a single Digicert wildcard cert, and save about $4500/yr.

When I checked, I thought I found rapidssl's cert was 'licensed' for use on a single server, whereas digicert lets you use it anywhere.

Verisign has poor service (0)

Anonymous Coward | more than 6 years ago | (#23198244)

We have dealt with verisign and had issues with their certs. The worse part is getting them to correct it. It can take WEEKs with them. All in all, I would recommend not going with them.

Your old provider (1)

hansamurai (907719) | more than 6 years ago | (#23198276)

Since you're already anonymous, why not reveal who your crappy provider was so we know who to avoid?

Support? (0)

Anonymous Coward | more than 6 years ago | (#23198336)

It's an SSL cert, not a new born child.

You purchase it for 3 years, install it, then forget for another 3 years. The website emails you a month before expiration, you rinse, and repeat as desired.

go with (1)

ZonkerWilliam (953437) | more than 6 years ago | (#23198358)

Verisign, always used them for public cert's.

Comodo (0)

Anonymous Coward | more than 6 years ago | (#23198378)

I've used Comodo for 5 years with great success. They are very fast (10 minutes) at reissuing certificates if I need to move to a new piece of hardware or server platform. I use the E-PKI Manager which allows me to get certs issued in just a couple of minutes. Now that they have switched over to the AddTrust/UTN User First root authorities the compatibility has improved over what it was 5 years ago.

Most of the vendors do not offer a good way to manage Digital IDs, but Comodo lets me order those as well.

The only difficulty I've had with them is ordering a Code Signing Certificate, the process is a little backwards but does work.

I currently have 4 SSL certs and about 15 DigitalIDs from them.

It's in the name (0)

Anonymous Coward | more than 6 years ago | (#23198396)

Believe it or not a lot of people look at the CA when considering it's 'security'. Unfortunately, Verisign is like 'Kleenex' in the SSL game. It all depends on who your customer/audience is. What are the certs for? www?

SSL Shopper (4, Informative)

CSMatt (1175471) | more than 6 years ago | (#23198414)

SSL Shopper [sslshopper.com] has a great list of SSL certificate providers and reviews, as well as the ability to compare different providers side by side using their SSL wizard.

Re:SSL Shopper (1)

perlith (1133671) | more than 6 years ago | (#23199360)

Nice link! Also keep in mind if your organization utilizes mobile devices, you need to verify if the mobile device has a built-in root certificate for that SSL provider. You really don't want to explain to your executives why their mobile devices aren't "just working"....

It's a wash (2, Insightful)

cusco (717999) | more than 6 years ago | (#23198434)

The company I work at goes with Verisign, but that's only because Verisign is one of our customers. Unless your customers are financial houses or some equally paranoid group no one is going to give a rip where the certificate comes from as long as their browser automagically recognizes it. I've only met one person in my decade in IT who checks web site certificate validity (she works at a major investment firm) on a regular basis, and that's only because her job requires that she do so before transferring X-many millions of dollars.

Thawte (3, Informative)

NekoXP (67564) | more than 6 years ago | (#23198496)

You can't go wrong with Thawte..

Re:Thawte (1)

grnrckt94 (932158) | more than 6 years ago | (#23198722)

I second the Thawte...

Re:Thawte (1)

Burz (138833) | more than 6 years ago | (#23200250)

Thawte is now also owned by Verisign.

We use three different providers (1, Informative)

Anonymous Coward | more than 6 years ago | (#23198506)

At my company, we use three different providers depending on the need.

Client Facing
We use Verisign [verisign.com] for anything a client will interact with since we can use the Verisign Secured Seal [verisign.com] on any web content on our site. Our studies have shown a percentage of our users actually know of the Versign secured logo and helps to assure them of the security.

Non-client Facing
We use Thawte [thawte.com] certificates since these are much cheaper than Verisign, and are fully compatible with most browsers/mobile devices.

QA/Dev Servers
We use GoDaddy [godaddy.com] for internal/external tests and projects. They are cheap and quick, which makes them useful in a non production environment.

Cheapest non-intermediate certs (1)

bastion_xx (233612) | more than 6 years ago | (#23198544)

I've used VeriSign, Thawte (pre-VeriSign days) QuoVadis (for Bermuda companies), Comodo, GoDaddy, and RapidSSL (geotrust rebrand).

If I have a multi-million dollar e-Commerce site, I'd use an EV cert from a VeriSign or similar company. For the other 99.99999% of uses, it'll be the cheapest certificate that is signed by a trusted root in the IE, FF, and Safari browsers. Don't care if it's domain validation only, as long as it works.

RapidSSL has been good for price, root signing, and the wildcard certs work well to.

$$ vs requirements (1, Informative)

Anonymous Coward | more than 6 years ago | (#23198658)

Choosing an SSL provider really depends on your requirements. If all that you need is a SSL cert for encrypted traffic and have no other corporate or audit requirements to adhear to, then almost any ssl provider with 99% browser compatibility will work. These certificates are usually in the $49-150 range. If you have to adhear to a policy, or if you want your "secured by xxxx" logo to be a well known name, then I would recommend Thawte. Others have recommended Verisign, but what most people do not realize is that Verisign and Thawte are the same company; and that you can purchase a Thawte SSL certificate for a little less than half of the price for the exact same thing.

https://www.thawte.com/ssl-digital-certificates/buy-ssl-certificates/?click=buyssl-buttonsleft
$699 one year

https://ssl-certificate-center.verisign.com/process/retail/product_selector;jsessionid=F682F047C9C50A9204F1B5A1F3971614?uid=d62acac0de1cbeb4b281f52d35982a1d&product=GHA002
$1,499 on year

Both certificates will pass all of the major security benchmarks (pci, hippa, iso20001, etc)

Godaddy. And, SSL use will increase. (2, Informative)

sherriw (794536) | more than 6 years ago | (#23198694)

I used GoDaddy for the one standard cert I ever had to order and had no problems at all. My one complaint is that when I ordered it, their pricing was $19.99, it has now gone up to $29.99.

The cert auto renewed and I wasn't expecting that, but a ticket to their support center and I got it canceled and refunded. So pretty good service I think.

But watch out. The more that ISPs start filtering content, and the more that governments increase monitoring and censoring data on the web... you're going to see rising demand for SSL certs and rising instances of the, pay more money for a green url bar nonsense.

The SSL providers are trying to sell you on the idea that it's the cert that makes the site trustworthy. Meanwhile, all you really need the cert for is the encryption.

IE7 has succeeded in making shared certs utterly useless. Too bad for the little guy who was using the shared cert provided free from his hosting company, because you can no longer use it without an enormous frightening message from the browser.

Look for more of this to come.

Re:Godaddy. And, SSL use will increase. (1)

jmichaelg (148257) | more than 6 years ago | (#23199040)

Meanwhile, all you really need the cert for is the encryption.

You need both the encryption and the knowledge that the site on the other end is the one you intended to converse with.

One without the other isn't worth much.

May I ask ... (1)

RKBA (622932) | more than 6 years ago | (#23198826)

May I ask which vendor did a really poor job with support?

Re:May I ask ... (3, Informative)

Anonymous Coward | more than 6 years ago | (#23200188)

The vendor was Verisign. And after reading some of these posts I think some clarity may help everyone. We have about 600 ssl certificates in geographically distributed data centers, with another 25,000 other types of internal certificates. You would not just go to CACert or RapidSSL for this. We need an API and Control Panel, Audit privileges, management tools etc.

Speaking with some experience (1)

gimpyben (715189) | more than 6 years ago | (#23198914)

I've ordered and installed hundreds of SSL certificates (usually one or two a week). We use GeoTrust for nearly all of our certificates and I have never had any sort of problems. Their turn-around time is very fast too, at least in comparison to VeriSign and Thawte. Probably the easiest thing you can do to ease the process of ordering certificates is to make sure your domain WHOIS info is up to date. But really, as long as you know what info you want to have on your cert, there isn't much to getting one ordered.

Anonymous Coward (0)

Anonymous Coward | more than 6 years ago | (#23198932)

Check out http://www.securityspace.com/s_survey/sdata/200603/certca.html

The survey is about 2 year old.

StartCom - Free SSL (1)

k1e0x (1040314) | more than 6 years ago | (#23198972)

Not really for the OP but I wanted to mention StartCom if someone was looking for a free cert as opposed to a self signed one. http://www.startcom.org/ [startcom.org]

Godaddy (3, Funny)

StealthyRoid (1019620) | more than 6 years ago | (#23199014)

I've had reasonably good experiences with Godaddy, and as far as I know, they're one of the cheapest around. SSL cert signing is mostly just snake oil anyway. It's not like the company signing your cert for you has any impact on the actual security of your site, and I can't imagine that many customers look at the cert signer and go "RapidSSL? No way! Fuck those guys! I'm gonna go spend my money at some other dildo store". So, your best bet is to go with the cheapest one around that's likely to be in all the major browsers' trusted CA list.

Poor support or just PITA (1)

Geak (790376) | more than 6 years ago | (#23199130)

I work for a web hosting provider. We do provide SSL certs which can be purchased on an annual basis and are easy enough to install. (Basically you subscribe to it and it's installed automagically for you). However, if you buy your own SSL cert things get more complicated - at least for us 1st level support types. We have to install the cert manually which can be a massive undertaking - especially if the customer doesn't understand how it works. This usually results in numerous emails back and forth with the customer because they don't provide the "EXACT" information they used to register the cert. Since certs are purchased annually, and some customers have a habit of jumping from one hosting provider to another every couple of months, this can add to the complication. My advice would be to find a web hosting provider that caters to your needs and stick with them. Purchase your SSL cert from them for minimal headache. You may end up paying a little more because you are going through a reseller instead of purchasing directly from the issuer but it's definately worth it.

Support Free Certs... (1)

actionbastard (1206160) | more than 6 years ago | (#23199154)

Become a member of CaCert.org http://www.cacert.org/ [cacert.org] .

Support their certificates and their root CA.

Advocate for support in OSS browsers like Firefox.

Tell everyone you know about CACert.

Certs want to be free like information (and beer, too).

NameCheap (0)

Anonymous Coward | more than 6 years ago | (#23199820)

Check out NameCheap.com. They have cheap RapidSSL certs w/ GREAT customer service...100% guarantee. Had a cert not install that was our fault. We lost the key (doh!)...they refunded our original request, and then processed our new request, can't beat that! They have the normal various levels of encryption available. Never found a reason to waste money on Verisign. And no..I have no affiliation w/ them at all...I've just been using them for the past 4 or 5 years w/ 0 problems.

Verisign - my experience (1)

Zontar_Thing_From_Ve (949321) | more than 6 years ago | (#23200018)

The company I work for uses Verisign. We can't really use self-generated certs or cheapish certs from companies nobody has heard of. We have to use certs from somebody who is a name vendor so our customers get those warm, fuzzy feelings that customers need to keep doing business with us. Verisign's customer support is very good. I had a relatively minor issue and they had it fixed within 1 minute of my call. I was shocked. Verisign is not cheap. SSL certs cost $399 for just the basic bare bones ones for 1 year. You'll pay more for more bells and whistles and the longer it lasts, the more you pay, but you do get a discounted price for multi-year renewals.

Thawte (1)

FreeBSD evangelist (873412) | more than 6 years ago | (#23200296)

For what it's worth, we use Thawte and have never had a problem. Even let us re-roll a cert when (our error) we messed up the cert request.

Trivia: Thawte was founded by Mark Shuttleworth, the guy behind Ubuntu Linux.

Geotrust QuckSSL Premium (1)

unity100 (970058) | more than 6 years ago | (#23200306)

Cheap, all known, instant activation, and allows you to display a verified site seal on your site. nothing can beat it.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?