42 comments

[ 5.0 ms ] story [ 93.6 ms ] thread
just got an essential SSL for $49.99 for a year, limit 10 per customer, half price. Also you can get an EV cert for $50-60.
(comment deleted)
(comment deleted)
Before you jump at this, research the reputation of your SSL certificate provider.

https://www.google.com/search?q=comodo+reputation

$50 is a pretty good price, the nearest competitor is charging about double that. Still, if you are going for a wildcard SSL certificate (and you already need one even if you just want to respond to www.example.com and example.com using https) then likely the $50 is a rounding error on your annual expenses. It's good to be frugal, and if you feel that comodo is good enough for you then this is as cheap as it gets.

actually you can get alphassl for $40-50 as well. Comodo is pretty good for the price range. You can pay a bit more for a GeoTrust or an arm and a leg for Thawte or VeriSign, but there is no difference between all these SSL. It's purely marketing BS.
> It's purely marketing BS.

It's worse than that. SSL certificates are simply just another racket, and they're a lot more expensive than domain names.

There is no added value from having a certificate from some authority or other beyond the knowledge that your bits are encrypted, the checks performed (even for the high end ones) are perfunctory and users put far more trust into little lock icons or green bars than is warranted.

That said, if your cert provider is hacked it can be a real pain.

I agree, although having one from a trusted authority is better than not having one. And customers come to expect that you have SSLs installed. Never mind if the data at rest is actually encrypted..
Their site has them at $149 (single domain certs are $49). StartSSL offers the wildcard ones at $59. Like Comodo, not everyone trusts them (however, browsers do). Would be delighted to learn of a cheaper wildcard cert.
Yes, even RSA had it's share of breaches. From a customer perspective, it'll show the lock even on mobile devices, which I've found others to be lacking in (looking at you, RapidSSL)
Had similar problems with RapidSSL (not the wildcards, the regular ones) and it turned out you have to include a cross root CA that chains to a Geotrust intermediate CA (my terminology may not be quite right, but it certainly worked for me). Its been a while since I did it but there's a pointer on how to get it done here: http://support.servertastic.com/rapidssl-and-geotrust-certif...
You don't need a wildcard for domain.com + www.domain.com. I've got several cheap (~$7) certificates that have both listed
The StartSSL free ones do this too, I have them on all my domains.
(comment deleted)
See mjpa: For most cases this should be covered by SubjectAltNames [1].

That means for simple cases you might even get away with free StartSSL certificates (ignoring the limitation to one year). If you ask for one for 'www.example.com' you'll get one with SubjectAltName example.com. Maybe (not sure) some $#^@# clients don't support that, though?

For personal stuff I'd still stick to this solution instead of shelling out $50.

1: http://stackoverflow.com/questions/5935369/ssl-how-do-common...

What about StartSSL at $60 for two years for wildcard and multiple domains?

https://www.startssl.com/?app=40

  Multiple Domains (UCC) 
  Wild Card Capability
Supported by all modern browsers.
I've tried to sign up a few times and I've never been able to, either my browsers crashed or timed out forever. I believe they also offer free SSLs
StartSSL uses client side certificates to authenticate you. Last time I checked this only worked in Firefox. Perhaps that is the reason for your crashing.
Client certificates should work in all modern browsers. We use them daily in Chrome, Safari, Mobile Safari, IE and Firefox.
Chrome is reliant on the host OS certificate stack, unfortunately Chrome and client certificates don't seem to work well on OS X for this reason. Safari works, however.
btw it fails on latest chrome and firefox on mac but works great on IE 8/9
It would be nice if they had any sort of flexibility in their identity validation. Not all of us keep identification cards with addresses on them[0] or a telephone number billed in a traditional manner[1].

0 - United States Passport Card, for instance.

1 - VoIP.

(comment deleted)
If they cannot reach you by phone, they can send you a snail mail with some code printed on it that you have to enter into their admin interface. Admittedly they should tell you about that before you try to register (I discovered it after I already paid, but it just took a few days and all-in-one it wasn't too bad).
I also recommend them. Cumbersome web interface, but the best prices and stills seems secure.
>* Supported by all modern browsers.*

Not quite. I've use StartSSL certs for a few things myself, and have found at least one browser that doesn't like them: IE on Windows Mobile 7.*. I've not tried IE10 on Windows Mobile 10 yet to see if they have changed the trust list in Windows Mobile 8.

(comment deleted)
Does anyone else feel like SSL certificates are a giant scam?

Companies like Microsoft are king-makers so they essentially get to pick and choose who gets to be a "trusted" certificate authority, and therefore we wind up with a competition-less market.

Many of these companies claim this excess cost (over the technical costs which are low) are the result of having to verify people are who they say they are. But in my experience, from buying certificates, certificate authorities never do this (or at least don't manually do it). In fact Amazon did far more verification when I signed up to AWS than any certificate authority ever has...

They also charge more for different kinds of certificates (e.g. like this "sale") even if their costs are identical. This is just a nonsense way to up-sell a product that already has a markup likely in the thousands of percentage.

Honestly any SSL certificate which costs more than $5~10 is a rip-off.

Yes.

Most Linux distributions I've used recently come with a pre-configured self-signed certificate called 'snakeoil'.

I'm not sure if the 5-10 number is really okay for a _decent_ validation process, but I'd argue that it's really, really a sign of a crappy industry if only StartSSL offers a free/cheap way to get a simple, low-trust certificate for your site.

If we leave the scope of ssl and enter code-signing I'm even less happy with the trend.. There was a nice write-up on the Windows 8 'market' a while ago which complained about that stuff, among other things.

We need to replace certs with DANE

DANE is basically SSL authentication via the cert in DNS

Get rid of third parties.

https://datatracker.ietf.org/wg/dane/charter/

Problem is it needs DNSSEC, but we are going to need that sooner or later anyway.

For this to be truly safe, we need DANE and to stop using .com/.net/.org as the US government will (demonstrably) hijack those as required without due process.

DANE + DNSSEC + soverign TLDd might solve this problem - emphasis on might.

In the meantime, for SSL on team projects which are not yet released-to-the-public, there is a web-of-trust certificate issuer called CAcert.org which can be installed on relevant machines and used. At one point they were trying to pass an audit and get into Firefox, so perhaps someday they can become a default for web browsers. If they cannot, then perhaps a sufficiently motivated group could set up a similar authority.

Ideally, the flow would be much simpler than even CACert has made it; you ask for a certificate for drostie.org, the CA does a WHOIS for the administrative contact for that domain; the CA sends an email to that domain name containing a link to confirm the request; if you visit the link then you can upload a public key and perhaps even generate a private key (via client-side javascript, of course -- you don't want to send such things to the server).

I don't know whether you could make it pass a security audit and get into major browsers -- but I like the idea that this could be much more user-friendly than it is.

Companies like Microsoft are king-makers so they essentially get to pick and choose who gets to be a "trusted" certificate authority, and therefore we wind up with a competition-less market.

Not really. Each browser and OS has it's own benchmark to be included as a root CA, and it's certainly not a 'pick and choose' thing. There are clearly defined rules for each, most of them relying on an independent audit to either WebTrust or an ETSI standard - neither of which are particularly 'easy' or 'cheap'. You're welcome to go and get an audit, set up your CA infrastructure and apply to MS and become a 'trusted' CA. Then you just have to repeat that for all the other big software/OS vendors, and then wait a few years till those versions in which you're included are in wide distribution (or not, as things like Windows have an auto-update mechanism and the auto-update of Firefox and the like are making the process much easier!).

Many of these companies claim this excess cost

There is an inherent cost in the verification of some certificates. Sometimes, it's just an automated domain-verification. Certificates are often sold on the level of verification performed - and in some cases the browsers treat these differently and display different UI chrome as a result.

(over the technical costs which are low)

Again, not really. It's certainly not a low cost to have an infrastructure to pass one of the aforementioned audits. Not only that, there are some significant costs in supporting the revocation infrastructure - especially if you happen to have a certificate on a high-traffic site (think Twitter, any of Apple/Microsoft/Amazon etc.) You'll have to support both a CRL infrastructure (TB a day of transfer) and an OCSP infrastructure (not as much transfer, but not 'just' static files). We're taking tens to hundreds of thousands of hits/second.

But in my experience, from buying certificates, certificate authorities never do this

Ignoring that the plural of 'anecdote' is not 'evidence', I'd say that there certainly are certificates where the ordering process is very simple and has nothing more than a domain-ownership confirmation. There's probably more verification in the payment end. However, getting an EV certificate does contain a significant verification process that sadly isn't the easiest. Code-signing certs tend to require a bit more in the way of ID verification also.

Honestly any SSL certificate which costs more than $5~10 is a rip-off

If you don't want to pay 'extortionate' costs for a certificate, try offers like this - or as someone else suggested below, StartCom - Eddy runs a great company and gives away a lot of certificates and charges minimal costs for the rest. 'Course, we should always buy things based on what we think they should cost, not what they actually do...

Disclaimer: I work for a CA. Just wanting to add a viewpoint from the 'other side'. I won't disagree we're a reasonably un-liked industry in places (HN especially!). There are a few misconceptions, though.

Yes I do, although in fairness my experience has been that Verisign and Thawte at least will ring the number you provide at some stage. I guess they also do a Companies House[0] lookup in the UK as they request related details IIRC.

What's more of a scandal is that Verisign at least 'license' their EV certificates to be used on a given number of servers [1]. Now if the 'service' provided is identity verification, that practice is the real scam.

[0] http://www.companieshouse.gov.uk/

[1] http://www.verisign.co.uk/ssl/ssl-information-center/ssl-bas...

All sold out now.

So frustrating to get to the end of your order to get the message that the coupon has expired.

In the olden days (circa 1995) there were precious few Cert providers (Verisign, Thawte, and few others) and they vetted you, because SSL certs are about trust, not about encryption. As a result, Certs were bloody expensive.

In order to get the cert for dsac.dla.mil (the computer shop inside the US Defense Logistics Agency) we provided reference to the act of Congres establishing the DLA, and then the command chain that proved that my boss had the rights/responsibility for the SSL cert for the domain.

The process could take weeks, but in the end you could trust that the server on the other end was who they claimed to be.

Fast forward tot he internet boom, and everybody needed a cert, and there folks realized that generating certs was physically easy, and could be lucrative, so they started selling cheaper and cheaper certs. but you can't vet an organization for 29.95, so that aspect of SSL Certs was conveniently forgotten as the masses rushed onto the web.

Everybody thinks SSL Certs are about the encryption. We know that the Cert only establishes the identity of the other party. The encryption is performed using a key which is shared after the cert is used to establish trust.

So now, people are starting to realize that cheap certs don't provide trust, and we're seeing $1500 vetted certs again, and browsers that change colors to signify trust levels.

However, to make this personal, I have a Comodo cert that I got for free with domain registration at namecheap, and a bunch of browsers don't want to trust it.

So I'm stuck between not having revenues to buy a super-cert, and having people refuse to use my app because their browser is saying my app's cert isn't trustworthy, and they aren't technical enough to override the warning.

So will these $50 wildcard certs fare any better?

...and a bunch of browsers don't want to trust it. This shouldn't be the case. My email is on my profile if you want to email me any details you can - I'll get this solved!
Thanks to nickf I learned that I'd omitted certs in the chain when I did the installation. all is well now. Thanks nickf!