Yep. Most smaller businesses struggle to justify the costs of regular certificates (because let's be honest, the certification is BS – certificate theft is a bigger threat than fraudulent registration), gods forbid a wildcard cert. EV are not even an option.
And if you want SSL for your private website, tough luck.
We'd all rather have EV. That's not the question. The problem is price. SSL certificates are simply too expensive. Reduce the price and you will see an increase in adoption.
I don't want to focus on and skewer certsimple; they're just one provider out of (likely) hundreds. I've never seen a cheap EV certificate from any of them.
(replying from old openid account due to rate limit)
I have no idea about StartSSL, but some cheaper EV providers Comodo immediately ask you to use a lawyer or CPA to write professional opinion letters.
This allows the CA to do less work according to the EV guidelines, but massively slows down the validation process and may incur additional fees unless you have an in-house legal team or CPA.
I know this is a little off-topic, but who is a good/trustworthy certificate provider with reasonable prices for certificates that are supported by Android and iOS browsers?
Given how often people check the company name in the address bar, and how easily you could found a company in some other country that uses a pretty similar name, I'm very doubtful that EV certificates are worth their price tag.
The only advantage I see for EV certificates is mandatory OCSP. But there's no technical reason why we cannot just have that for all certificates (now that OCSP stapling is widespread and OCSP no longer generates an unreasonable load for certifiers).
Google I'll grant, but Amazon's site is actually insecure, not only do they lack EV but they lack even "basic" SSL/HTTPS across the board. They deliver cookies via HTTP (without even flagging them HTTP only) and an attack can intercept/modify the HTTP page in order to redirect a user who hits the "login" button to a server controlled by the attacker (essentially turning the real Amazon.com page into a giant philishing attack on an insecure network).
Amazon should be ashamed of themselves in 2015. No assets let alone their home page should be non-HTTPS.
Yep. Actually you can even self-sign certificates and you'll probably be fine as long as it's not a production launch. For better or worse most users are just click through the browser warnings anyway.
Well a lot of free WiFi places trigger it because they use a man-in-the-middle HTTP(S) server to serve up the (utterly pointless) login screen. So I have to regularly click through the warning screen, even for www.google.com ...
People more understand that SSL prevents clear text transfer of data. People have been trained to understand that passwords and credit card data should use HTTPS. As long as you accomplish this, then any extra value is not seen by users.
Anyway, I doubt most users even check for the padlock and will gladly send their data trough HTTP. Even if they do chack, they'll have no idea what the green bar means.
I always hoped CAcert.org would have gotten us there sooner, but that never happened. Agreed letsencrypt.org will radically change the cert market. I have already stopped renewing some personal certs and am using CloudFlare free SSL with a self-signed cert on the origin.
> What exactly are you offering here other than reselling DigiCert?
1. We check your company registration, status, and DNS/whois and CSR while you apply - and before you pay.
2. Better CSR creation. There is no software to install, and no command line Q and A or clicking. You just paste a command onto your server, in either bash or pwoershell, then paste back the results.
3. We're massively faster than standard CAs. CertSimple deliver EV certificates in an average of 5 hours. The standard time for an EV cert is 7-10 days.
Thanks for the response, so really you're just improving a job that the CA should and could do better.
In your position I would fear that my business/model/product could be easily replaced by any other partner/reseller of a CA, or the CA themselves. Unless your intention is to build volume then either be acquired by a CA or become a CA yourself under somebody elses root?
(replying from old openid account due to rate limit)
No probs: I understand the cynicism: the SSL industry is dominated by sales and marketing giants that market snake oil like SGC and seal in search, I wouldn't trust any of them either.
There's not a lot of people who get UX and get crypto: I've got my name in RHEL and I've also built consumer facing web apps for Google and Microsoft. That's 17 years of pretty unique experience, and we launch new features every couple of weeks. If a CA tries to follow - and they will - bring it, we'll smoke them.
It's easy for me to forget especially when commenting here (HN) that not everybody knows what they are doing and I often undervalue services which bridge a knowledge gap when I have that knowledge.
Thinking again, yes I can see the "doing one/few things very well" working during what is going to be a major shift in the market, especially with the intended end goal.
> I've already ordered - who can I talk to about getting my company validated?
I'd propose the answer to that FAQ needs some sort of improvement, to appear less standoffish.
> DV SSL also allows someone to register '*.othercompany.com' wildcard and then create 'yourbank.com.othercompany.com' and have this domain name display a green lock in older browsers.
Wildcard certs only work one level down, when I looked into this Firefox was the last browser to remove support for doing multiple levels.
I'd say the EV provider should reject such a wildcard.
CertSimple argues (https://certsimple.com/blog/wildcard-ev-certificate) the EV restriction on wildcards is to prevent google.com.fraud.ru from getting an EV certificate. The single-level wildcard restriction already prevents that.
Are you running antivirus software? Some AV software runs your traffic through a MITM SHA-1 certificate (we see the question crop up fairly regularly on ServerFault) to theoretically protect your web surfing.
The real reason you won’t sell domain validated X.509 certificates is that the Let’s Encrypt project¹ will give them away for free (by automatic means) come November, which will wipe out the market for them.
This is just the “sour grapes” rationalization from CertSimple.
(replying from old openid account due to rate limit)
Let's Encrypt want to do EV too - they've also asked CertSimple for help previously to do it. it's significantly more work than automating DV again (which has already been done) are CertSimple are far ahead of the entire SSL industry when it comes to speedy EV validation.
Encrypting something with a public key, without knowing who that public key belongs to, largely defeats the purpose of encryption.
> Your passport, for example, doesn't prove that you're a
> nice person. Communicating this to end users is a
> challenge: even network engineers have been confused by this.
This just seems like a straw man argument. I can't say that I've encountered either a network engineer or even an end user (s/EV/green icon) who thinks that an EV says anything about the quality of the company they're working with. End users accept that it means 'more secure'. Network engineers of average ability or above do, in fact, know better.
(replying from old openid account due to rate limit)
There's a specific person that's well known on HN that mentioned a pirate site had an EV cert at Edge conf, implying they shouldn't have been able to get one. They have a registered business, and a real address in London, and the EV cert simply assures that identity.
Most people in network ops have very little idea of EV,so I don't think naming individuals is productive.
Like many others here, I am not persuaded by these arguments.
A even better reason for CertSimple to not support DV certs is that it is simply impossible to complete on price with the big guys. And will be even more difficult once Let's Encrypt launches.
The text ends "Launching a web app? Get a high-assurance SSL certificate and still launch on time."
The moment you're deploying an _app_, you've already solved the hard problem that certificates are meant to help with. Just activate certificate pinning and you get a lot more security to boot.
CAs "help" in the case where you're navigating to a site via a URL bar and you have no other stored information to help identify them. An app is stored on your device already, and doesn't have a URL bar so you don't need to care about the colour of the lock icon.
Of course, in a world of apps and certificate pinning, the business model for CAs looks even more questionable than on the web. In theory, your bank's site should show a green lock and if you click on a phishing link, you get a nasty red one. In practice, you'll see red on your bank's page every now and then when they forget to renew their certificate and, to quote security researcher Peter Gutmann: "The only place you're guaranteed never to see a certificate error is on a phishing site. They don't use SSL at all, and people still visit them."
_web app_, not _app_. Which commonly refers to web pages (accessed in the browser) that are an application, not an app that runs directly on the device. For native apps, certificate pinning is the right thing to do.
The point of SSL is that traffic can't be snooped easily, and regardless of EV or domain validated, that works just as fine. EV is just another scam to charge more. It has no added value, just a nice green bar, which is a topping marketing scam.
Come on, how many non-IT people can anyone think of who cares if there's green in the address bar? AT MOST they check for the padlock. The companies who get an EV certificate are doing it to check off a box, not because their customers have demanded it.
It's wishful thinking on the certificate providers to hope for people to want SSL certificates to actually prove identity.
61 comments
[ 2.8 ms ] story [ 126 ms ] threadAnd if you want SSL for your private website, tough luck.
Yes, see my response to the price point above.
I have no idea about StartSSL, but some cheaper EV providers Comodo immediately ask you to use a lawyer or CPA to write professional opinion letters.
This allows the CA to do less work according to the EV guidelines, but massively slows down the validation process and may incur additional fees unless you have an in-house legal team or CPA.
Still waiting for a cert request they flagged "for check within 2-3 hours" two weeks ago…
We're also doing some future work to make EV more affordable. I'll have more to announce in the next month.
In the meantime, EV works out to be around $20 a month, which is not significantly different to what you pay for GitHub Enterprise or Trello.
That's why the jurisdiction is shown in the address bar. However it'd be worth seeing how effective that is.
We didn't renew our EV SSL and went to a domain validated SSL. Our number of daily orders actually went up (this is probably just company growth.)
Amazon should be ashamed of themselves in 2015. No assets let alone their home page should be non-HTTPS.
Anyway, I doubt most users even check for the padlock and will gladly send their data trough HTTP. Even if they do chack, they'll have no idea what the green bar means.
> Our CA, DigiCert, does the final checks before issuing your certificate, so you should speak to them directly.
What exactly are you offering here other than reselling DigiCert?
1. We check your company registration, status, and DNS/whois and CSR while you apply - and before you pay.
2. Better CSR creation. There is no software to install, and no command line Q and A or clicking. You just paste a command onto your server, in either bash or pwoershell, then paste back the results.
3. We're massively faster than standard CAs. CertSimple deliver EV certificates in an average of 5 hours. The standard time for an EV cert is 7-10 days.
And a bunch more. See https://certsimple.com/about
In your position I would fear that my business/model/product could be easily replaced by any other partner/reseller of a CA, or the CA themselves. Unless your intention is to build volume then either be acquired by a CA or become a CA yourself under somebody elses root?
No probs: I understand the cynicism: the SSL industry is dominated by sales and marketing giants that market snake oil like SGC and seal in search, I wouldn't trust any of them either.
There's not a lot of people who get UX and get crypto: I've got my name in RHEL and I've also built consumer facing web apps for Google and Microsoft. That's 17 years of pretty unique experience, and we launch new features every couple of weeks. If a CA tries to follow - and they will - bring it, we'll smoke them.
Your final point is accurate.
It's easy for me to forget especially when commenting here (HN) that not everybody knows what they are doing and I often undervalue services which bridge a knowledge gap when I have that knowledge.
Thinking again, yes I can see the "doing one/few things very well" working during what is going to be a major shift in the market, especially with the intended end goal.
> I've already ordered - who can I talk to about getting my company validated?
I'd propose the answer to that FAQ needs some sort of improvement, to appear less standoffish.
Wildcard certs only work one level down, when I looked into this Firefox was the last browser to remove support for doing multiple levels.
CertSimple argues (https://certsimple.com/blog/wildcard-ev-certificate) the EV restriction on wildcards is to prevent google.com.fraud.ru from getting an EV certificate. The single-level wildcard restriction already prevents that.
Re: your edit: as the other poster notes, the DV cert would have to be for '*.com.fraud.ph'. That's entirely possible though.
Related: http://security.stackexchange.com/questions/73476/why-is-ava... and http://serverfault.com/questions/699005/google-chrome-says-m...
Anyone who's tried to use something.else.s3.amazonaws.com as an Amazon S3 bucket URL will have found that this is FUD.
Wildcards are single-level - <star>.example.com won't cover <star>.<star>.example.com.
This is just the “sour grapes” rationalization from CertSimple.
① https://www.letsencrypt.org/
Let's Encrypt want to do EV too - they've also asked CertSimple for help previously to do it. it's significantly more work than automating DV again (which has already been done) are CertSimple are far ahead of the entire SSL industry when it comes to speedy EV validation.
Encrypting something with a public key, without knowing who that public key belongs to, largely defeats the purpose of encryption.
This just seems like a straw man argument. I can't say that I've encountered either a network engineer or even an end user (s/EV/green icon) who thinks that an EV says anything about the quality of the company they're working with. End users accept that it means 'more secure'. Network engineers of average ability or above do, in fact, know better.
There's a specific person that's well known on HN that mentioned a pirate site had an EV cert at Edge conf, implying they shouldn't have been able to get one. They have a registered business, and a real address in London, and the EV cert simply assures that identity.
Most people in network ops have very little idea of EV,so I don't think naming individuals is productive.
See 'Do DV or EV SSL certificates mean this is a good company?' at https://certsimple.com/blog/are-ev-ssl-certificates-worth-it
A even better reason for CertSimple to not support DV certs is that it is simply impossible to complete on price with the big guys. And will be even more difficult once Let's Encrypt launches.
The moment you're deploying an _app_, you've already solved the hard problem that certificates are meant to help with. Just activate certificate pinning and you get a lot more security to boot.
CAs "help" in the case where you're navigating to a site via a URL bar and you have no other stored information to help identify them. An app is stored on your device already, and doesn't have a URL bar so you don't need to care about the colour of the lock icon.
Of course, in a world of apps and certificate pinning, the business model for CAs looks even more questionable than on the web. In theory, your bank's site should show a green lock and if you click on a phishing link, you get a nasty red one. In practice, you'll see red on your bank's page every now and then when they forget to renew their certificate and, to quote security researcher Peter Gutmann: "The only place you're guaranteed never to see a certificate error is on a phishing site. They don't use SSL at all, and people still visit them."
The point of SSL is that traffic can't be snooped easily, and regardless of EV or domain validated, that works just as fine. EV is just another scam to charge more. It has no added value, just a nice green bar, which is a topping marketing scam.
It's wishful thinking on the certificate providers to hope for people to want SSL certificates to actually prove identity.