61 comments

[ 2.8 ms ] story [ 126 ms ] thread
Author here. This should hopefully be pretty self explanatory. If you're interested in how Edge shows DV certificates, see https://certsimple.com/images/blog/edge-vs-ie-ev-vs-dv-ssl.p...
Is there any entity which is working towards bringing down the cost of EV SSLs? They seem to be ridiculously priced as of now.
Yep. Most smaller businesses struggle to justify the costs of regular certificates (because let's be honest, the certification is BS – certificate theft is a bigger threat than fraudulent registration), gods forbid a wildcard cert. EV are not even an option.

And if you want SSL for your private website, tough luck.

(Replying from openid account due to rate limit)

Yes, see my response to the price point above.

We'd all rather have EV. That's not the question. The problem is price. SSL certificates are simply too expensive. Reduce the price and you will see an increase in adoption.
Yep. Shit, if we were a customer of certsimple, we wouldn't have SSL at all for 99% of our sites because we couldn't afford it.
I don't want to focus on and skewer certsimple; they're just one provider out of (likely) hundreds. I've never seen a cheap EV certificate from any of them.
Oh, sure. But others at least offer DV certificates which are remotely affordable… to companies.
Why not? They spam this place every week or so.
StartSSL's EV certs are pretty darn reasonable.
(replying from old openid account due to rate limit)

I have no idea about StartSSL, but some cheaper EV providers Comodo immediately ask you to use a lawyer or CPA to write professional opinion letters.

This allows the CA to do less work according to the EV guidelines, but massively slows down the validation process and may incur additional fees unless you have an in-house legal team or CPA.

OTOH, their support is pretty much shit.

Still waiting for a cert request they flagged "for check within 2-3 hours" two weeks ago…

I know this is a little off-topic, but who is a good/trustworthy certificate provider with reasonable prices for certificates that are supported by Android and iOS browsers?
Namecheap is a reseller but they resell Comodo certs cheaper than Comodo does themselves.
(comment deleted)
That's a legitimate point and is best solved by more EV capable CAs entering the market. Which we're working towards.

We're also doing some future work to make EV more affordable. I'll have more to announce in the next month.

In the meantime, EV works out to be around $20 a month, which is not significantly different to what you pay for GitHub Enterprise or Trello.

Given how often people check the company name in the address bar, and how easily you could found a company in some other country that uses a pretty similar name, I'm very doubtful that EV certificates are worth their price tag.
The only advantage I see for EV certificates is mandatory OCSP. But there's no technical reason why we cannot just have that for all certificates (now that OCSP stapling is widespread and OCSP no longer generates an unreasonable load for certifiers).
Replying from old openid account due to rate limit:

That's why the jurisdiction is shown in the address bar. However it'd be worth seeing how effective that is.

This is pretty silly. Customers don't care or know what EV SSLs are and the level of functional security is no different.

We didn't renew our EV SSL and went to a domain validated SSL. Our number of daily orders actually went up (this is probably just company growth.)

Hell, even Amazon.com and Google.com can't be bothered to go EV.
Google I'll grant, but Amazon's site is actually insecure, not only do they lack EV but they lack even "basic" SSL/HTTPS across the board. They deliver cookies via HTTP (without even flagging them HTTP only) and an attack can intercept/modify the HTTP page in order to redirect a user who hits the "login" button to a server controlled by the attacker (essentially turning the real Amazon.com page into a giant philishing attack on an insecure network).

Amazon should be ashamed of themselves in 2015. No assets let alone their home page should be non-HTTPS.

Yep. Actually you can even self-sign certificates and you'll probably be fine as long as it's not a production launch. For better or worse most users are just click through the browser warnings anyway.
I don't know on what browser you are but the Firefox warning is pretty frightening.
Well a lot of free WiFi places trigger it because they use a man-in-the-middle HTTP(S) server to serve up the (utterly pointless) login screen. So I have to regularly click through the warning screen, even for www.google.com ...
People more understand that SSL prevents clear text transfer of data. People have been trained to understand that passwords and credit card data should use HTTPS. As long as you accomplish this, then any extra value is not seen by users.
Is there any extra value at all?

Anyway, I doubt most users even check for the padlock and will gladly send their data trough HTTP. Even if they do chack, they'll have no idea what the green bar means.

letsencrypt.org will demolish the DV market and there's already minimal profit without extreme volumes, so lets be honest about this.

> Our CA, DigiCert, does the final checks before issuing your certificate, so you should speak to them directly.

What exactly are you offering here other than reselling DigiCert?

I always hoped CAcert.org would have gotten us there sooner, but that never happened. Agreed letsencrypt.org will radically change the cert market. I have already stopped renewing some personal certs and am using CloudFlare free SSL with a self-signed cert on the origin.
Does cloudflare check that your self-signed cert has the right signature? MITM would still be possible if it doesn't.
> What exactly are you offering here other than reselling DigiCert?

1. We check your company registration, status, and DNS/whois and CSR while you apply - and before you pay.

2. Better CSR creation. There is no software to install, and no command line Q and A or clicking. You just paste a command onto your server, in either bash or pwoershell, then paste back the results.

3. We're massively faster than standard CAs. CertSimple deliver EV certificates in an average of 5 hours. The standard time for an EV cert is 7-10 days.

And a bunch more. See https://certsimple.com/about

Thanks for the response, so really you're just improving a job that the CA should and could do better.

In your position I would fear that my business/model/product could be easily replaced by any other partner/reseller of a CA, or the CA themselves. Unless your intention is to build volume then either be acquired by a CA or become a CA yourself under somebody elses root?

(replying from old openid account due to rate limit)

No probs: I understand the cynicism: the SSL industry is dominated by sales and marketing giants that market snake oil like SGC and seal in search, I wouldn't trust any of them either.

There's not a lot of people who get UX and get crypto: I've got my name in RHEL and I've also built consumer facing web apps for Google and Microsoft. That's 17 years of pretty unique experience, and we launch new features every couple of weeks. If a CA tries to follow - and they will - bring it, we'll smoke them.

Your final point is accurate.

Hah yeah cynical is fair.

It's easy for me to forget especially when commenting here (HN) that not everybody knows what they are doing and I often undervalue services which bridge a knowledge gap when I have that knowledge.

Thinking again, yes I can see the "doing one/few things very well" working during what is going to be a major shift in the market, especially with the intended end goal.

> I've already ordered - who can I talk to about getting my company validated?

I'd propose the answer to that FAQ needs some sort of improvement, to appear less standoffish.

Thanks for the tip. The FAQ entry certainly wasn't meant to be standoffish, but I've edited it - what do you think?
Thanks for that. I'll be keeping an eye on that one.
> DV SSL also allows someone to register '*.othercompany.com' wildcard and then create 'yourbank.com.othercompany.com' and have this domain name display a green lock in older browsers.

Wildcard certs only work one level down, when I looked into this Firefox was the last browser to remove support for doing multiple levels.

So they could just register *.com.othercompany.com.
I'd say the EV provider should reject such a wildcard.

CertSimple argues (https://certsimple.com/blog/wildcard-ev-certificate) the EV restriction on wildcards is to prevent google.com.fraud.ru from getting an EV certificate. The single-level wildcard restriction already prevents that.

EV requirements reject all wildcards: the EV applicant must specifically list all domain names.

Re: your edit: as the other poster notes, the DV cert would have to be for '*.com.fraud.ph'. That's entirely possible though.

(comment deleted)
(comment deleted)
Are you running antivirus software? Some AV software runs your traffic through a MITM SHA-1 certificate (we see the question crop up fairly regularly on ServerFault) to theoretically protect your web surfing.

Related: http://security.stackexchange.com/questions/73476/why-is-ava... and http://serverfault.com/questions/699005/google-chrome-says-m...

(comment deleted)
Click the 'https' in Chrome's address bar and look into the certificate details. Chances are something is MITMing you.
(comment deleted)
(comment deleted)
The real reason you won’t sell domain validated X.509 certificates is that the Let’s Encrypt project¹ will give them away for free (by automatic means) come November, which will wipe out the market for them.

This is just the “sour grapes” rationalization from CertSimple.

https://www.letsencrypt.org/

(replying from old openid account due to rate limit)

Let's Encrypt want to do EV too - they've also asked CertSimple for help previously to do it. it's significantly more work than automating DV again (which has already been done) are CertSimple are far ahead of the entire SSL industry when it comes to speedy EV validation.

Encrypting something with a public key, without knowing who that public key belongs to, largely defeats the purpose of encryption.

> Your passport, for example, doesn't prove that you're a > nice person. Communicating this to end users is a > challenge: even network engineers have been confused by this.

This just seems like a straw man argument. I can't say that I've encountered either a network engineer or even an end user (s/EV/green icon) who thinks that an EV says anything about the quality of the company they're working with. End users accept that it means 'more secure'. Network engineers of average ability or above do, in fact, know better.

(replying from old openid account due to rate limit)

There's a specific person that's well known on HN that mentioned a pirate site had an EV cert at Edge conf, implying they shouldn't have been able to get one. They have a registered business, and a real address in London, and the EV cert simply assures that identity.

Most people in network ops have very little idea of EV,so I don't think naming individuals is productive.

See 'Do DV or EV SSL certificates mean this is a good company?' at https://certsimple.com/blog/are-ev-ssl-certificates-worth-it

Like many others here, I am not persuaded by these arguments.

A even better reason for CertSimple to not support DV certs is that it is simply impossible to complete on price with the big guys. And will be even more difficult once Let's Encrypt launches.

The text ends "Launching a web app? Get a high-assurance SSL certificate and still launch on time."

The moment you're deploying an _app_, you've already solved the hard problem that certificates are meant to help with. Just activate certificate pinning and you get a lot more security to boot.

CAs "help" in the case where you're navigating to a site via a URL bar and you have no other stored information to help identify them. An app is stored on your device already, and doesn't have a URL bar so you don't need to care about the colour of the lock icon.

Of course, in a world of apps and certificate pinning, the business model for CAs looks even more questionable than on the web. In theory, your bank's site should show a green lock and if you click on a phishing link, you get a nasty red one. In practice, you'll see red on your bank's page every now and then when they forget to renew their certificate and, to quote security researcher Peter Gutmann: "The only place you're guaranteed never to see a certificate error is on a phishing site. They don't use SSL at all, and people still visit them."

A web app is an application on the web ie accessible through a web browser.
_web app_, not _app_. Which commonly refers to web pages (accessed in the browser) that are an application, not an app that runs directly on the device. For native apps, certificate pinning is the right thing to do.
Nice advertisement post! (sarcasm)

The point of SSL is that traffic can't be snooped easily, and regardless of EV or domain validated, that works just as fine. EV is just another scam to charge more. It has no added value, just a nice green bar, which is a topping marketing scam.

Come on, how many non-IT people can anyone think of who cares if there's green in the address bar? AT MOST they check for the padlock. The companies who get an EV certificate are doing it to check off a box, not because their customers have demanded it.

It's wishful thinking on the certificate providers to hope for people to want SSL certificates to actually prove identity.