Ask HN: What SSL Cert Provider Do You Use?
Being that SSL has been getting a fair amount of attention lately do to the Instagram debacle (http://techcrunch.com/2010/11/18/yet-another-hot-startup-leaves-a-gaping-security-hole-in-its-iphone-app/) and Firesheep exploit (http://techcrunch.com/2010/10/24/firesheep-in-wolves-clothing-app-lets-you-hack-into-twitter-facebook-accounts-easily/) I thought it might be interesting to spawn a discussion on SSL providers out there.
I typically use GeoTrust quick SSL for most E-Commerce applications but I was wondering what were some of the pluses and minuses (cost, support, time to deployment, etc) users in the community had experienced.
33 comments
[ 4.0 ms ] story [ 36.4 ms ] threadhttps://www.geocerts.com
I've bought and installed about a dozen different certificates from them, even some of the high-ticket ones that need a background check during the application stage.
Interface is good, price is right. No complaints.
To answer the actual question, we use godaddy.
(edit: clarified wording)
Because the web has a broken security model.
By default, the only way that a web browser can know that the site gave it the right cert (as opposed to someone intercepting the connection with their own cert), is if it's signed by one of a couple hundred "trusted" providers who are supposed to be careful to not give certs to the wrong people.
Something like [Perspectives](http://www.cs.cmu.edu/~perspectives/) should be much more secure and can be more decentralized, but unfortunately isn't included with any default browser installs. It can't provide the same link to a meatspace identity, but you very rarely care about that (basically just for ecommerce) and it could be used in conjunction with a CA-based system for that anyway.
Also see "Proper placement of "trust logos" can make a huge difference in conversion rate." :
http://conversionvoodoo.com/blog/2010/07/proper-placement-of...
Class two validation, supporting wildcart certs, is available, but requires high-resolution documentation of personal identity, resubmitted annually and kept on file outside my legal jurisdiction (Startcom is based in Israel), until seven years after the certificate's eventual expiration or revocation, which rounds up to forever.
I admire Start's model of charging only for actions that require human intervention, like identity validation, but I can't bring myself to have faith that their current trustworthiness precludes being acquired or compromised in the distant future. It's aggravating that organizational validation (for wildcard or EV certs) is layered on top of individual validation, meaning that an individual's ID always has to be on file.
Of course, that raises a question I have...what's the difference, if any, between their cheap ssl certa and their $99 "premium" ones?
The $12 ones just validate domain ownership and not organization identity. I believe they also ignore the Organization and Organizational unit fields in your CSR and replace it with the common name in the certificate they issue.
Their identification verification process is fully automated now( phone + web ), so most certificates are issued within a few hours of CSR submission.
It's all about the conversion rate, basically.
"Seals" used to be quite popular some years ago (e.g. TrustE seal and the BBB Seal), but they seem to get less press these days, so I wonder how important they are for conversions.
Has Aunt Millie really heard of Verisign ? May actually have heard of GoDaddy though due to the advertising.
We have done A/B testing on Verisign seals vs no seals vs generic "Secure Site" seals we created. There is a statistically significant increase in conversions with the Verisign seal vs the other two options.
1) GeoTrust 2) Comodo 3) Thawte
Although many cert providers tout wide browser acceptance, you may find discrepancies in production. Be careful. GeoTrust has excellent customer service, decently priced certs, and an automated/expedited process. No affiliation.
Wildcard certs are expensive last I checked, but simply too useful to ignore.
http://www.gandi.net
http://www.softlayer.com