17 comments

[ 2.4 ms ] story [ 50.4 ms ] thread
Design is good.

However, your on-sale price for Comodo PositiveSSL Wildcard is $ 6.95 more expensive than Comodo’s own offering [1] [2].

[1] https://comodosslstore.com/positivessl-wildcard.aspx

[2] http://cl.ly/image/210I2n2R000Y

Thanks for the comment. Yes, you are absolutely right. Wildcard SSL is currently cheaper from Comodo because they have a promotion themselves.

However, Business validated certificate is still significantly cheaper from us: $65.95 vs $99.95 [1]. Standard certificate is few dollars cheaper too.

[1] http://i.imgur.com/FoVTH80.png

I'm a SSL certificates newbie. What's the added value of using a SSL reseller, instead of buying directly from Comodo?
Price and support. We want our customers to be satisfied.
To be honest, I expect someone trying to sell me a SSL certificate to be using an EV certificate on their own site.
To be honest, I don't get your comment. Neither does GetSSL use a EV cert nor is the usage of EV certs limited to resellers.
Exactly. Get one cert per domain including one subdomain for free, get as much as you can handle for $60 per 2 years. Compatible with every modern OS (so no old Windows XP). That offer can't really beat that.
It works on my Windows XP. Not just Firefox/Chrome which have their own SSL libraries but old IE8 too.

If IE6 is broken, I can accept that even on a large website.

Correct, Windows XP works fine with the latest Service Packs etc. Android supports it since version 2.x.
Despite all the hubbub about spying by the NSA and Huawei, an Israeli company would be the absolute last* one that I would trust with my company's security.

Alas, SSL, along with the DNS system, is just a massive internet racket.

(*) Of course I exaggerate, but only slightly.

Just another guy who talks about SSL without knowing the basics. I don't know what annoys me more: Someone how completely ignores cryptology and its security features or these guys who have such a dangerously low knowledge that they spread bullshit the whole day.

In fact, you don't have to trust StartSSL at all. They securely give you a valid cert while you don't have to reveal your private key at any time. Your private key is either generated manually on your sever by yourself or within the browser, on client side.

The important points are: StartSSL is trusted by all modern browsers and systems and they are cheap. There is nothing more to care about. In fact, _any_ trusted CA could be attacked and generate certs for man-in-the-middle attacks.

So, stop your stupid prejudice here. Actually, a CA from the Netherlands got known for being corrupted some years ago.

You are absolutely right that I didn't have to reveal my "prejudice" here.

For that I apologize.

However, you are mistaken that I don't have to trust StartSSL, or any CA at all. In requesting a certificate, I am siginalling that I require a method by which an unknown party can reasonably verify that they are indeed dealing with me. If I am already well known, and a target of attack, it doesn't matter which CA I deal with, every one is potential source of vulnerability. However, if I am not broadly known, and seeking out deals on certificates, and not investing in an EV certificate (why just get a padlock, get the snazzy green bar!), what exactly is the purpose of me investing in a certificate? Well, you're paying for your customers to have faith that whatever faith they have in you is not misplaced, or more precisely no bad guys will get their credit card number which they are sending to you, along with their personal details.

This whole idea behind SSL, https, and ultimately DNS is a broken. And yes, my response was naive enough to be read naively. For that I'm sorry. But this particular post is probably not the place to discuss these shortcomings...

As you said, the hierarchical system is somehow broken. You are just paying to get a cert that is trusted by the browser and therefore looks fine for the user. Also you get some insurance thing and maybe a nice button to place in your web shop. That's all. The main point is using some encryption without throwing a warning message and gain some level of security.

Also, the "potential source of vulnerability" has nothing to do with how big you are.

SSL is as save as the CA list used by the browser is. It really doesn't matter which CA you actually choose then.

> SSL is as save as the CA list used by the browser is. It really doesn't matter which CA you actually choose then.

Which is why a _comprehensive_ history of when, how, and why CA root certs were added to various browsers, and the politicking behind it, would be quite illuminating.

Recall it was only around 2000 when the US relaxed export restrictions somewhat on cryptographic software. [1] So given that sensitive fact, the policy, and architecture of systems such as browser security should be questioned, especially because a select few are making essentially free money selling green address bars.

[1] http://en.wikipedia.org/wiki/Key_size#Symmetric_algorithm_ke...

Website copy (the text) needs a bit of polish. I clicked around a bit to find out a bit more about you, and went "eek".

Otherwise, I really like the layout of the site. It's simple and easy.