
Cheap SSL Certificates for Small Websites?

Cliff posted more than 11 years ago | from the why-can't-we-be-our-own-certificate-authority dept.

Security 445

zaqattack911 asks: "In the workplace today it is becoming more and more common for everyday applications to be accessible over the web. Just about all the booking and tracking systems at my job are handled via web-apps these days. Along with this trend is the increased need for secure transactions over the web. Just about all of the apps on my webserver are going to be SSL only. Some of them are for internal use only, some for the outside internet to use. Is there a cheap alternative to getting your certificates signed? Self-signing my certificates works of course, but just about all browsers make a big fuss about it. Verisign asks for about $400 initially, and $300 to renew a certificate every year. This seems like a scam to me, and I'd love to know if anyone knows of alternatives out there. Is there a way to get around the certificate signing business? I looked at a company called RSA Security which allows a company to 'self sign' and use their accepted signature. The website doesn't mention the price, and I'm sure it's not very affordable. What else is there?"


445 comments

New improved FP version 5.0 (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4376964)

Get your own!!!

GeoTrust.com rocks, and is cheap! (5, Informative)

CrudPuppy (33870) | more than 11 years ago | (#4376980)

we use them for all of our commercial sites.

Re:GeoTrust.com rocks, and is cheap! (1)

CrudPuppy (33870) | more than 11 years ago | (#4376999)

forgot to mention, geotrust charges $119 per year (can get cheaper if you work deals with them)

Self-sign (0, Insightful)

vegetablespork (575101) | more than 11 years ago | (#4376966)

And put text in saying to click through the security warning. Most people will, anyway.

Re:Self-sign (0)

Anonymous Coward | more than 11 years ago | (#4377008)

Hell, even Microsoft puts text asking you to click through any security warning boxes for windows update!

Re:Self-sign (1, Interesting)

Anonymous Coward | more than 11 years ago | (#4377021)

That's not a very safe attitude for "people" to take. How can they be reasonably certain the remote server is actually who it says it is if the cert is self signed?

Re:Self-sign (2)

Raskolnk (26414) | more than 11 years ago | (#4377022)

I would agree, but I can't get IE to install the certificates permanently. I click through the install dialogue every session, but it never sticks. Mozilla is fine after the first run.

Re:Self-sign (3, Informative)

Anemophilous Coward (312040) | more than 11 years ago | (#4377070)

There is a way to do this with ASP scripting. A good base to start with can be found at this Microsoft Knowledge base article [microsoft.com] .

It is a starting point I used to make the root certificate stick. It will present the user with a large-ish alert box asking them if they want to install the certificate. It will only do this once as long as they click 'yes'. Subsequent visits to your site will be automatic from then on out.

This of course is great for internal sites: you can educate your users to click on the box the first time, then they never have to worry again. And they know it's trusted since it came from you. One small caveat, this probably only works on IIS servers and only works in IE web browsers.

- "A non-productive mind is with absolutely zero balance."
- AC

Re:Self-sign (0)

Anonymous Coward | more than 11 years ago | (#4377160)

did i hear you say asp?

yea..that'll go over like gasoline and matches at a fireman's birthday party.

you have some guy complaining about corporate lockup because of some overpriced bullshit scam run by a pseudo monopoly, and you have the nerve to suggest Microsoft IIS, Internet Explorer, and Windows all in one shot?

jeez and people wonder why they have no ass left after their first wanderings on to slashdot...

psshhhaaaaaa

Re:Self-sign (0)

Anonymous Coward | more than 11 years ago | (#4377192)

Because they laughed their asses off?

Re:Self-sign (1)

iosphere (14517) | more than 11 years ago | (#4377183)

For IE, you'll want to make the machine that signed it a trusted certificate authority on your computer. I don't have step by step instructions on how to do that, but it should be in the doco for whatever you're using to generate the certs.

SSL worthwhile? (1, Interesting)

Anonymous Coward | more than 11 years ago | (#4377030)

This is just kind of a question, really... Because you bring up an interesting one with the whole 'click-through instruction' thing: How effective are certificates and SSL, anyways?

If people accept any certificate because they don't know what one is, and just want their effing content? If the sites using SSL are not keeping current versions, that is, are vulnerable to exploits anyways?

Go ahead and click, don't worry... (2)

jaaron (551839) | more than 11 years ago | (#4377140)

And put text in saying to click through the security warning. Most people will, anyway.

An excellent example of why "computer security" is an oxymoron.

Seriously though, this is why many viruses spread -- people are gullible and lax on security. While I really understand that getting a proper certificate can be expensive, I'm not sure if I want to encourage this type of behavior.

Re:Go ahead and click, don't worry... (0)

Anonymous Coward | more than 11 years ago | (#4377167)

Probably because SSL certificates are a racket anyway, and the thing that matters is ENCRYPTION, not some token 3rd party verification saying you are who you say you are.

If you roll your own certificate it is 100% as secure as the one verisign does. The encryption (128 bit) is identical. The only reason I don't roll my own is with 4,000 customers a day, if even 1 percent of them left because of a little security message, that is 40 too many.

+3, Insightful...? (1)

Wakko Warner (324) | more than 11 years ago | (#4377245)

I know this was a troll/joke, but it really helped prove just how much crack the moderators have been smoking lately.

Tnx 4 dat!

- A.P.

FP! (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4376968)

First Post

although this sounds like an advertisement... (5, Informative)

r00tarded (553054) | more than 11 years ago | (#4376973)

a bunch of excellent geeks I know use entrust [entrust.com] .

DirectNIC.com does SSL certs for $99/yr (5, Informative)

Anonymous Coward | more than 11 years ago | (#4376991)

Title says it all

Re:DirectNIC.com does SSL certs for $99/yr (0)

Anonymous Coward | more than 11 years ago | (#4377134)

They're $149.. See link in same thread.

Re:DirectNIC.com does SSL certs for $99/yr (2, Informative)

suicidal (111181) | more than 11 years ago | (#4377220)

Actually, it's $118 annually.

$99 is the one-time gateway fee for setting up a merchant account.

Still, not bad.

Re:although this sounds like an advertisement... (5, Informative)

dildatron (611498) | more than 11 years ago | (#4377019)

I just checked them out. Decent prices. Their prices are here [entrust.com] for those who are interested.

Re:although this sounds like an advertisement... (2)

wanted (66025) | more than 11 years ago | (#4377187)

...and they use a classic US-centric approach.
International prices are way higher, an approach similar to Verisign. For non-US customers, Thawte seems to be the best choice. Their root certificate is installed by default in many older browsers.

Thawte (5, Informative)

JM (18663) | more than 11 years ago | (#4376979)

They charge $199 for certificate, and have a pretty good service. I've been using them for years.

Re:Thawte (0)

Anonymous Coward | more than 11 years ago | (#4377017)

They got bought by VeriSign though. We use Thawte too and they had had EXCELLENT service up until VeriSign took them over... then they got all bitchy, raised prices, etc...

They now make you resend your documentation (ie business license) every time you renew a cert now. That's pretty damn annoying on a renewal. Sure I can just fax it in, but is that really necessary?

Hi son (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4377084)

Your father and I have had a talk, and we have decided that it's ok if you're gay. We know that you didn't choose to gobble cock, that you were born that way. We accept you as our fag son, and we love you just as much as ever.

You just can't live in our house anymore.

Sincerely,
Your Mom

Re:Thawte (1, Insightful)

snubber1 (56537) | more than 11 years ago | (#4377214)

When the fuck did they start charging $199??
Last time I looked it was $125 first time, $99 renewal.

Greedy mother fucking bastard cum-lapping whore dicks.

I guess it suddenly became more expensive to take your money.

Might want to check....... (5, Informative)

tiwason (187819) | more than 11 years ago | (#4376983)

The stories /. has already had on the topic....

Why Are SSL Certificates So Expensive? by Cliff with 192 comments on Sunday March 18, @04:48PM
http://ask.slashdot.org/article.pl?sid=01/03/18/1855230&mode=thread&tid=93

Are FreeSSL Certs Worthwhile? by Cliff with 8 comments on Friday September 07, @11:50AM
http://ask.slashdot.org/article.pl?sid=01/09/06/0451218&mode=thread&tid=148

Certificate Services on Windows 2000 (3, Informative)

Anonymous Coward | more than 11 years ago | (#4376984)

You can use it to create certs, and you can even add your organization to the browsers trusted organizations so the users don't get an error message.

Sign yourself (-1, Redundant)

Anonymous Coward | more than 11 years ago | (#4376986)

You can create your own certs. The only problem is that you won't automagically be trusted by your users - they will have to click to accept your certificate. But it's free!

No Real Options, Sorry (3, Informative)

sabat (23293) | more than 11 years ago | (#4376993)


There aren't really many options, because the browser has to recognize the signer, and the major browsers only recognize Verisign (and Thawte, which is also Verisign).

RSA is the company that started Verisign, so you can guarantee they'll not be of help.

If this is a situation with a limited client base, like a company, you can self-sign and send everyone your CA certificate and have them all import it into their browsers (all browsers support this, I believe). But what a pain.

I wish the news was better, but you're right -- it's a scam. The problem isn't technical; it's political.

Re:No Real Options, Sorry (2)

namespan (225296) | more than 11 years ago | (#4377046)

and Thawte, which is also Verisign

WTF? How? Do they get their service through Verisign, or are they held by Verisign now?

Arrrrg. Verisign is the hydra...

Re:No Real Options, Sorry (3, Informative)

stefanlasiewski (63134) | more than 11 years ago | (#4377107)

Verisign bought Thawte about 2 years ago.

As I understand it, Thawte mostly deals with customers outside of the US (which has been their domain for years). Verisign mostly deals with customers inside the US and Canada.

I think they are mostly two distinct entities, with 2 different sets of managers (a few managers probably work both sides of the fence). The profits from both entities drop in the same bucket.

Thawte's support used to be much, much better than Verisign's support. Let's hope they spread the Thawte philosophy among the Verisignites...

Re:No Real Options, Sorry (3, Informative)

1984 (56406) | more than 11 years ago | (#4377130)

This is somewhat misleading. I bought a cert for a small personal Web server from Comodo [comodogroup.com], since it was cheap (about $60). It works fine with (i.e. is trusted by) all 4.7x Netscape and above, all IE 5 and above.

The only point of buying one, after all, being that visitors aren't subjected to confusing warnings about certificates.

Besides that one certificate I haven't dealt with Comodo so won't recommend at random -- but they supplied the certificate quickly, cheaply enough, and it works.

Re:No Real Options, Sorry (2, Informative)

Slycee (35025) | more than 11 years ago | (#4377144)

and the major browsers only recognize Verisign (and Thawte, which is also Verisign).

That depends on what you mean by "major browser." Take a look at the list of authorities that Mozilla recognizes, for instance (in prefs > privacy and security > Certificates). It's quite a large list.

Re:No Real Options, Sorry (1)

yer-man (611440) | more than 11 years ago | (#4377210)

Netscape & IE also include long lists of trusted root certs from a number of different cert authorities. If you view these certs, you'll often find contact info (an e-mail address in the 'Issuer' field). Even fairly old versions of the browsers have fairly long lists with still-valid certs.

Thawte (2)

peterdaly (123554) | more than 11 years ago | (#4376994)

Thawte [thawte.com] may be worth looking into. They used to be a competitor to Verisign, although now I believe they are owned by them (what isn't?).

They have certs available for $199. Still not cheap, but better.

-Pete

It is a scam (5, Interesting)

dnoyeb (547705) | more than 11 years ago | (#4376997)

I say the same thing about signing my Java applets. Sun only puts in Verisign or Thawte root certificates. So if you want to avoid your customers seeing some ridiculous

"Jesus!! this software is unsigned!!!"

message, then you gotta buy the certz. I am self signing right now. I would love it if OSDN could have their own root certificate and let us public folks buy from them. Any malicious signers will be found out quickly so what's the big deal???

I think this signing thing is DRM in action. Nobody is realizing it yet.

Re:It is a scam (0)

Anonymous Coward | more than 11 years ago | (#4377095)

Great idea. I'd buy from OSDN.

Re:It is a scam (3, Interesting)

ADRA (37398) | more than 11 years ago | (#4377208)

"I think this signing thing is DRM in action. Nobody is realizing it yet."

I think everyone is realizing it, but doing nothing about it. It is one of those sticky technologies that can be used for good and evil. There is and always will be good uses for this technology like the way it is being used today, but on the other hand, forcing certificates on those that just want secure internet connections seems rather arguable to me, but since it is in spec there isn't much for us to do until I take a flame thrower to all the anal-monopolistic companies.

Just to clarify the DRM == cert part, I think the nature of DRM forces anyone who implements that security mechanism to use certs.

The real problem is when internet connected devices become more plentiful, and central authorities like Microsoft and Verisign start signing everything under the sun. Running a program on Windows 2004:

#bash
- Error 31337 -
Problem: This program has not been signed by an
application trusted provider.

Solution: Bend over and take it like the
mule that you are
-

#Format C:

- Error 31337 -
Problem: This program has not been signed by an
application trusted provider.

Solution: You can never escape us! MWAHAHAHAHA!
-

ssl webhost won't work? (2, Interesting)

dildatron (611498) | more than 11 years ago | (#4376998)

I would just go for one of the thousands of web hosts [google.com] that give you some sort of SSL package. Unless you need your very own certificate, they are definitely the way to go for the small business because the host purchases the stuff and just charges you a small fee.

If this is not acceptable for your situation, then I am afraid you have to bite the bullet and front the money.

But don't get lost in the middle - remember the whole reason you are using SSL is for security. Whether the certificate comes directly from you or your webhost doesn't really matter as long as it is secure. That's why I would recommend that you let them pay for it and disperse the cost among their users.

Comodo - $49 (2, Informative)

wooft (608721) | more than 11 years ago | (#4377002)

Comodo [comodogroup.com]

You can even get a free 30-day trial cert.

Re:Comodo - $49 (1, Insightful)

Anonymous Coward | more than 11 years ago | (#4377085)

The free cert basically only works with IE. They claim IE has 95% of the market share, but I guess that depends on the type of website you operate...

Are there actually limitations on that free cert? E.g. are you required to buy the 'real' cert? With other words, is it a 'get 3 months free if you buy one year' scam?

BUSH = RECESSION (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4377007)

While war looms, or murder, if you will, the economy, the dow, AT AN 8 YEAR LOW.

UNEMPLOYMENT is at a 10 YEAR HIGH.

It was at a thirty year low just 5 years ago.

Re:BUSH = RECESSION -- So true! (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4377065)

The reason that war looms is that Bush is willing to carpet bomb an entire country to keep Americans from focusing on the sad state of the economy.

Bush is an idiot and were it not for the crooked Banana Republicans down in Florida, we would not have to put up with his sorry ass.

Re:BUSH = RECESSION (0, Troll)

NathanielSamson (610709) | more than 11 years ago | (#4377082)

Yes it is all his fault, if only the man behind the curtain would have just pulled some more levers all of the bad business models of the .com era would have magically worked. Oh and all those restated earnings would have never happened. For the South Park underpants gnomes were the genius behind all of those business models. Phase 1 put up website, phase 2 ??????, phase 3 profit

Re:BUSH = RECESSION (0, Troll)

NathanielSamson (610709) | more than 11 years ago | (#4377101)

No really I can spell, I am not a product of word no really okay maybe, oh what the hell Microsoft has destroyed my ability to function without a spellcheck

Tucows (1)

Leme (303299) | more than 11 years ago | (#4377020)

Tucows also does this:

http://resellers.tucows.com/opensrs/certificates/

Quite affordable plus you can become a reseller.

Thwate (1)

nelsonal (549144) | more than 11 years ago | (#4377033)

Thwate [thwate.com] is a Verisign company who used to charge lower prices for what ends up being a Verisign certificate. Last time I checked they were about half the price of Verisign. An alternative company is Baltimore Technologies [baltimore.com] . One of the main reasons to go with a known player is that their certificates are already in browsers, and they tend to do some background checking to ensure that your business is legit. Anyone can create SSL certs, it helps to be able to point to a name your customers will recognise, as a method to add credibility to your business.

Re:Thwate IS NOT THAWTE!!! (1)

Spy4MS (324340) | more than 11 years ago | (#4377205)

And appears to be a different company than Thawte. I wouldn't trust them (or nelsonal now that I've read his endorsement).

Thwate's site [thwate.com] is a different design than Thawte's site [thawte.com] but still uses the 'Thawte' name. This looks like a lawsuit waiting to happen.

Cheapass trusted SSL certs (5, Informative)

pablos (122458) | more than 11 years ago | (#4377034)

You can purchase a ridiculously cheap ($50) 128bit SSL cert, trusted by browsers from http://www.geotrust.com

All you need is a valid credit card to get a cert. The CA key is loaded in almost all of the browsers, the notable exception being Opera.

They do send an 'auth check' by emailing the domain admin contact you can select.

The entire ordering process (including filling out forms) takes less than about 5 or ten minutes.

This should SCARE you if you're relying on the security provided by Veri$ign and the roots that ship with browsers. - pablos.

Re:Cheapass trusted SSL certs (1)

Letnux (613107) | more than 11 years ago | (#4377098)

I think you are a little off... I just went to their website and a 128bit QuickSSL Web cert is $119. Is there something I am missing?

Re:Cheapass trusted SSL certs GEOTRUST (1)

Ark42 (522144) | more than 11 years ago | (#4377109)

*MOD PARENT UP*

Geotrust are probably the cheapest there are. Very no-hassle to acquire (all automated).
I got a good deal with geotrust ssl + rackshack.net (the ssl cert was free for me :)


url for the $50 please, $119 is lowest i can find (1)

DrSkwid (118965) | more than 11 years ago | (#4377156)



QuickSSL(TM)
Web Server Certificates

Exclusive QuickSSL features:
Only $119 for a one-year certificate

Re:url for the $50 please, $119 is lowest i can fi (0)

Anonymous Coward | more than 11 years ago | (#4377174)

Get the $49 version via Rackshack.net.

Re:Cheapass trusted SSL certs (0)

Anonymous Coward | more than 11 years ago | (#4377197)

Disclaimer I work for what we fondly call the not-so-evil empire.

The entire ordering process (including filling out forms) takes less than about 5 or ten minutes.
This should SCARE you if you're relying on the security provided by Veri$ign and the root that ship with browsers. - pablos.

No, it should encourage you not to trust certificates from the source you mention if their authentication procedures are non existent.

The VeriSign authentication procedures are considerably more demanding. It takes time to get authenticated and they check the data you send. On the only occasion that we did do a boo-boo we found out because of our own internal audit processes.

There is currently a spec in last call of the IETF that allows logos to be added to certificates. That will mean that when you go to a Web site you will know if it is a VeriSign cert or a cert from an issuer with the practices you describe. The browser will show a different icon instead of the padlock.

Free root cert project (5, Informative)

kylegordon (159137) | more than 11 years ago | (#4377035)

You may find what you're after over at http://www.cacert.com [cacert.com] The creator of this website believes that trusting someone should be free, and is doing his best to make this happen.

Re:Free root cert project (0)

Anonymous Coward | more than 11 years ago | (#4377114)

I trusted your mom and it's cost my urinary tract big time, so maybe that guy is wrong.

Re:Free root cert project (1, Offtopic)

Gordonjcp (186804) | more than 11 years ago | (#4377180)

You shouldn't piss off the nurses in the Genito-Urinary Medicine clinic then, should you? I warned you, they can really do painful things to you in the name of "treatment"...

Easy one (5, Informative)

shurdeek (571257) | more than 11 years ago | (#4377038)

There is a nice page, http://www.whichssl.com. Through the comparison tables there I found comodo's http://www.instantssl.com. I generated a demo certificate first and after I had no problems with it, I bought it. For $49 a 128 bit, not 40. Recommended.

That's interesting (5, Informative)

petard (117521) | more than 11 years ago | (#4377223)

WhichSSL [whichssl.com] is nothing but an ad for Comodo:

Registrant:
Comodo Research Lab Ltd
10 Hey Street
Bradford, Yorkshire BD7 1DQ
US

Registrar: Dotster (http://www.dotster.com)
Domain Name: WHICHSSL.COM
Created on: 25-JUN-02
Expires on: 25-JUN-04
Last Updated on: 25-JUN-02

Administrative Contact:
Abdulhayoglu, Melih steve@comodo.net
Comodo Research Lab Ltd
10 Hey Street
Bradford, Yorkshire BD7 1DQ
US
+44 1274 730505
+44 1274 730909

Technical Contact:
Abdulhayoglu, Melih steve@comodo.net
Comodo Research Lab Ltd
10 Hey Street
Bradford, Yorkshire BD7 1DQ
US
+44 1274 730505
+44 1274 730909

Domain servers in listed order:
DNS01.EXODUS.NET
DNS02.EXODUS.NET
DNS03.EXODUS.NET

InstantSSL (3, Informative)

aldjiblah (312163) | more than 11 years ago | (#4377039)

Just switched from Thawte (adding $100 each year for your certificate services is NOT a good way to hold on to your customers, Thawte!) to InstantSSL [instantssl.com] .

At $49 a piece for standard certificates they're the cheapest my company could find when we went looking last month. So far I have no problems recommending them.

Re:InstantSSL (2, Informative)

Snap E Tom (128447) | more than 11 years ago | (#4377078)

I'll vouch for InstantSSL/Comodo. I'm using it on a local non-profit site [sspca.org] . $49/year gets you a 128 bit certificate. They've got a 30 day trial program, and their support staff was very helpful when we had a problem.

Everything you need to be a certifying authority (5, Informative)

Chuck Chunder (21021) | more than 11 years ago | (#4377045)

comes with openssl [openssl.org] . It even has a nice perl script to make it easy.
What Verisign and co have that you don't is their root certificates installed with the browsers by default. For internal use you should have no problem using your own certificates. For external use, where an existing business relationship exists (ie you aren't selling to the public, but to people who can trust your cert because they know who you are) it should take little more than a quick explanation.

This is all Thawte did.... (1)

jsimon12 (207119) | more than 11 years ago | (#4377186)

Become your own cert auth, hehehehe Thawte did it, made billions, went to outer space, etc etc.

Try equifax Certificate server (0)

Anonymous Coward | more than 11 years ago | (#4377050)

They are cheap and give you lots of leeway on how you use your certificates with various URLs on your machine(s).

It's not as much of a scam as you think. (5, Informative)

antis0c (133550) | more than 11 years ago | (#4377052)

Sure we all hate VeriSign for all kinds of reasons.

However when you get an SSL Certificate from VeriSign and some of the other Cert signers out there, you are getting two things.

The most commonly understood thing you are getting is the encryption that's automatically accepted by just about any modern browser. However, the reason it's automatically accepted is because VeriSign is supposed to verify the identity of the business. This is why they require a Dun and Bradstreet # (it's a business credit identifier). This way you know when you're going to https://secure.yourdomain.com to enter your credit card information, that you are indeed still on yourdomain.com and that your information is encrypted, and verified to be sent to the company you intend to send it to.

So if all you are concerned about is encryption, just generate your own. It will however throw a warning in just about any browser that the identity of the site can't be verified. Other than that, cost of this service isn't going to drop very dramatically without losing its verification services.

I understand though, that browser warning annoys me too.

Re:It's not as much of a scam as you think. (3, Interesting)

g4dget (579145) | more than 11 years ago | (#4377132)

However, the reason it's automatically accepted is because VeriSign is supposed to verify the identity of the business. This is why they require a Dun and Bradstreet # (it's a business credit identifier). [...] Other than that, cost of this service isn't going to drop very dramatically without losing its verification services.

That would be a fine argument if they actually do any significant verification. My impression is that they don't.

I think it's foolish to rely on VeriSign or anybody else to guarantee that the company on the other end is who they claim they are. And you don't need that anyway--you don't get that protection for mail order either, and, besides, lots of people can get your credit card number without all the hassle of setting up a web site.

What matters ultimately is the money trail: not VeriSign, but MasterCard, needs to know where your money went and get it back for you. That's their responsibility as credit card companies.

Re:It's not as much of a scam as you think. (2, Insightful)

borud (127730) | more than 11 years ago | (#4377185)

However, the reason it's automatically accepted is because VeriSign is supposed to verify the identity of the business. This is why they require a Dun and Bradstreet # (it's a business credit identifier).

knowing your social security number does not make me you. it makes me someone who knows your social number. nothing more. nothing less.

while a lot of people seem to think they know the mechanics of cryptography pretty well (and probably do), there still seems to be a lot of people who aren't really in the habit of thinking where security supposedly comes from in any given scheme.

Yeah, whatever (1)

putrescence (588712) | more than 11 years ago | (#4377193)

It's still just a monkey pressing a button on a machine. That should rightfully cost $400? Ooooooookaaaaaay.

FreeSSL... (2)

Chicane-UK (455253) | more than 11 years ago | (#4377055)

Try out FreeSSL.com [freessl.com] - they used to give fully signed SSL certificates away that lasted for three months.. I read that they were planning to offer free 'year' certificates.

They also currently offer a ChainedSSL certificate at a cost of $25 per year...

The problem with self-signing (2)

Pinball Wizard (161942) | more than 11 years ago | (#4377080)

For the 85-90% of you using Internet Explorer, take a look at Tools->Internet Options->Content->Certificates->Trusted Root Certification Authorities.

The established certification companies are already on this list. You are not. If you self-sign, you are basically counting on your potential customers to trust you as a certification authority. They can add you to that list individually. The question is, will they?

Since you are an unknown, small company, basically your customer has to trust that you have done everything right in order to protect their security. That's a lot to ask someone. Having a big player certify you tells your potential customer that even though you are a small unknown, you have done everything right.

It's just my personal opinion, but it's one based on running an e-commerce site for the last four years. Go with an established certifier. If you are doing any sort of business at all online that requires SSL you will more than make up the annual fee in the sales you don't turn away because you were too cheap to get a real certificate.

Re:The problem with self-signing (1)

Ark42 (522144) | more than 11 years ago | (#4377131)

If only the warning box PROPERLY EXPLAINED to the user that the question at hand is "Do you trust thissite.com?" instead of "warning! lots of bad things will happen if you click yes!". How does paying money to a corporation really mean you are automatically trustworthy anyways? I would argue all CAs should be done away with and people should trust who they want to trust based on how the site presents itself. Browsers should ask the user in plain English the simple question, "Do you want to trust this site for providing secure content?" Think of SSH as far as retaining the key for future verification.

I can... (0)

Anonymous Coward | more than 11 years ago | (#4377091)

sign it for you for, say, $99 (ac no. AIB ~ 039 749826746)
And sorry for my hand-writing...

Sincerely yours
AC

The question that needs asking is... (1)

borud (127730) | more than 11 years ago | (#4377096)

Why blow $400 on a certificate from a company that doesn't really provide a useful service? How much is their promise really worth that the holder of a certificate is authentic? I can't remember anyone actually checking if we were who we said we were the few times I've been involved in getting a certificate -- apart from sending some papers and making some calls. Nothing an even half competent con artist can't deal with.

I think the whole CA-business is rather fishy. The only thing people are paying for is to have the pesky warnings that pop up if the certificate is not signed by a CA known by the browser removed. I have yet to see a single individual with even half a clue about cryptography state that he or she actually believes that the big certificate authorities actually provide any form of useful service.

I wish I had started a CA a decade ago and then jumped into bed with Netscape a few years later. This must be the single most profitable business online.

GeoTrust through OpenSRS (1)

GreenLantern (157616) | more than 11 years ago | (#4377097)

If you also have the need for about $250.00 of product including domain names, check out becoming an OpenSRS reseller. You can get GeoTrust certificates from $99.00.

Stupid question (1)

f97tosc (578893) | more than 11 years ago | (#4377105)

So, what is a signature and when is it needed?

What is 'self-signing'?

Tor

Re:Stupid question (1)

tomstdenis (446163) | more than 11 years ago | (#4377179)

Each HTTPS site has a public/private key pair. The public key is signed by a root. The idea "magically" is that your browser has the root public key and can verify the signature on the particular site's public key.

The thought process is that if the key of the site you are visiting is signed then the site must be reputable, etc, etc...

In effect root CAs are just a scam and the only thing you are paying for is a key signed by a CA root already installed in your browser.

If browsers were shipped without the stupid warning then the whole PKI industry would fail.

Tom

What about InstantSSL? (2)

Klaruz (734) | more than 11 years ago | (#4377119)

Has anybody used InstantSSL [instantssl.com] ? They claim to work with IE 5+, NS 4+, AOL 5+ and Opera 5+, which they say is 99% of the browsers in use out there. Sounds like a good deal to me.

I'm looking at using the cert to do some credit card auth for a webhosting company, and I don't really think I'd have a problem turning away that 1% of people who can't upgrade to a browser that came several years ago. That whole 80/20 rule kicks in there. I'm sure somebody who can't be bothered to upgrade to a modern browser is going to be a tech support nightmare.

You do have a choice (1)

dethro (22344) | more than 11 years ago | (#4377133)

It's just not easy to figure it out with SSL certs - no one wants to make it easy, especially Verisign (which also owns Thawte). My company recently had to renew some certs of ours - I picked InstantSSL [instantssl.com] .

It costs $49 US for one year. It works with IE 5+ and Netscape 4.7+. Mozilla works fine too. There is a test cert on the site if you are paranoid (which you should be). They have more expensive certs too, but if you need cheap it does the job.

DH cert? (0)

strombrg (62192) | more than 11 years ago | (#4377135)


You could try a Diffie-Hellman cert. I believe that way you get encryption, but no signing by a CA. There's nondefault support for it in openssl, I believe. I've never tried it.

My guess is a browser is going to react a bit to a D-H cert, but not as strongly as to a self-signed cert. But that's -only- a guess. Browsers may even reject them for all I know.

GeoTrust.com is $119 (1)

shtirlits42 (546311) | more than 11 years ago | (#4377136)

We use GeoTrust.com. It's $119 /year, and you'll be up and running with SSL in ~30 min, -- vs. several days + paperwork with Verisign.

PKI == scam (0, Flamebait)

tomstdenis (446163) | more than 11 years ago | (#4377138)

I don't know why people fall for this. Anyone can make an RSA key for their site. The fact that Verisign signed it says nothing about the business at all. In fact quite a few "questionable" sites have Verisign certs.

I say people should get used to the fact that non-trusted introductions are always risky and the only real benefit of RSA [or ElGamal which is what DH/ECC based protocols can use] is key distribution.

Even then MITM attacks are always possible...

The fact that it costs $400 for a key that takes all of a few seconds to make [using non-asm code my libtomcrypt library can make 1024-bit RSA keys in a matter of seconds] shows that you're getting considerably ripped off.

Tom

Create own CA, don't just self-sign (5, Informative)

coyote-san (38515) | more than 11 years ago | (#4377142)

You're going at the problem wrong. Don't worry about getting your clients to accept a self-signed cert, worry about getting them to add your own root certificate to those they trust.

This is actually straightforward - you point them to a URL that returns the root cert, with MIME type application/x-x509-ca-cert, and tell them to accept it for all uses when the browser pops up a dialog box.

You should then use this root cert to sign your web server certs (and certs for mail servers, databases, whatever). All should be trusted immediately, assuming you have your other ducks in a row. (E.g., you need to have your web server cert's common name resolve to the IP address of the web server.)

It's a bit more work to maintain a mini-CA than to just use self-signed certs, but overall the benefits outweigh the hassles. Many of us are working on JSP tools to operate mid-range CAs, but I don't know how far most are. (The problem is Microsoft's eternally changing standards on how clients generate the cert request on their side - I can handle Netscape/Mozilla with ease, but it seems like every version of MSIE is just slightly different.)

Look in your browser (2)

Eric Seppanen (79060) | more than 11 years ago | (#4377146)

In Mozilla, anyway, you can see a list of the trusted certificate authorities. There's a lot of them in there; Verisign couldn't have bought all of them (yet).

I think a lot of people out there use some other browser than Mozilla, though, so you might want to see what certs that other browser supports.

$49 (0)

Anonymous Coward | more than 11 years ago | (#4377171)

http://www.instantssl.com/ do certs for $49. They are quick at getting them out to you as well; we had ours delivered in less than 4 hours. Verisign charge an extra $150 to have them to you within 24 hours.

I highly recommend these people. Their support people are very good at their jobs and always phone you back with an answer to your questions.

Just exploit the IE SSL bug (5, Informative)

giminy (94188) | more than 11 years ago | (#4377177)

Have your company buy a key, then create signed keys for your private domain with it as the issuing key. Nobody will know, as most people still use IE, and it still has that fun bug.

I just did this two weeks ago... (0)

Anonymous Coward | more than 11 years ago | (#4377196)

... and the answer I came up with was from InstantSSL [instantssl.com] (apparently a division of Comodo). They're only $49 and they work with MSIE 5.0+ (which comes standard with Win98 SE), Netscape 4.x+ and a host of others. (Comodo's certs are signed by GTE CyberTrust Root)

Even better, you can get a trial 30-day cert. They're fully functional and registered for your site, so you can test it out completely without getting any "SECURITY WARNING!!" notices from your browser.

Also check out www.whichssl.com [whichssl.com]. It's run by Comodo, but it's surprisingly unbiased and shows you all the prices, browser compatibility issues, etc. of all the major CAs.

I am soooooooo glad I found them! Why pay $300-$500 for a 128-bit certificate when a $50 one will work every bit as well? (The only reason I can think of is if you need support for MSIE 4.0 or something)

drop me an email (1)

Triumph The Insult C (586706) | more than 11 years ago | (#4377211)

I will sign a cert (shit, I'll sign as many as you want) for you for, hmm, what's fair? $20, a case of Natty Light, a Playboy, and an 8 iron.

thanks

Open CA (1)

Alethes (533985) | more than 11 years ago | (#4377212)

I think I should mention a new project that is in the works. The founder of OpenNIC [unrated.net] , Robin Bandy, and I (Nathan Lunt) have been in discussions over the last couple of months to create a daughter project of the OpenNIC project for a democratically-controlled Certifying Authority modeled after OpenNIC. As such, we're looking at a situation where people will be able to get a certificate signed by a third party for, as it stands, free.

Such a project has enormous possibilities ranging from, as this thread discusses, cheap SSL certificates for small websites, to potentially DRM applications as well, as mentioned in Robin's article here [kuro5hin.org].

This project is only in the very infant stages, and has been off to a fairly slow start due to our busy schedules; however, once we are over the hump of policy creation and technical implementation, we should be well on our way to having a system of certification that is fair and within reach to every application imaginable.

Self signing is BAD. Roll out your CA ! (1)

mosha (217365) | more than 11 years ago | (#4377224)

"Self signing my certificates works of course, but just about all browsers make a big fuss about it"

This is a joke, right? Self-signing the certificate defeats the purpose! I will redirect the DNS entry to point to my web site instead, and will use a self-signed certificate. How would you know that this is not the genuine site?

The right solution is to roll out your own Certificate Authority (CA) and make it a trusted CA on all the client machines which will use the application. Then you can issue certificates signed by this CA.
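The private-CA setup that coyote-san and mosha describe (and the root-signs-site-key relationship tomstdenis explains), as an added example that is not part of the thread: a root cert that clients import, a server cert issued under it, and the check a client that trusts the root performs. It uses the openssl command line only; the hostnames, file names and the work directory are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: a private CA with openssl, in the spirit of
# the "Create own CA" post. Hostnames, paths and the CA name are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"
make_private_ca() {
  # Minimal config so the run does not depend on the system openssl.cnf.
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # Root key plus self-signed root cert: the one file clients import as trusted.
  openssl req -x509 -config "$WORK/ca.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -sha256 -days 3650 -subj "/CN=Example Private Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}
issue_server_cert() {
  # $1 = hostname. Server key and CSR, then a cert signed by the private root.
  host="$1"
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$host" -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$host" > "$WORK/$host.ext"
  openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/$host.ext" \
    -out "$WORK/$host.crt" 2>/dev/null
}
make_self_signed() {
  # $1 = hostname. What the question describes: a cert that vouches only for itself.
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}
verify_against_ca() {
  # $1 = hostname, $2 = cert file. Succeeds only if the cert chains to ca.crt AND
  # names the host: the check a browser that imported ca.crt performs.
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" "$2" >/dev/null 2>&1
}
make_private_ca
issue_server_cert intranet.example.test
verify_against_ca intranet.example.test "$WORK/intranet.example.test.crt" && echo "CA-issued cert: OK"
make_self_signed solo.example.test
verify_against_ca solo.example.test "$WORK/solo.example.test.crt" || echo "self-signed cert: rejected"
```

Serving `ca.crt` with the application/x-x509-ca-cert MIME type mentioned above is what lets a browser offer to import it; once imported, every cert issued by `issue_server_cert` is accepted without the warning.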