Ask HN: Where should someone buy a SSL certificate?

22 points by mihok ↗ HN
There always seems to be talk about some SSL cert service (VeriSign) that has been hacked or gone under. I'm trying to buy my first SSL certificate and there are so many options out there that its hard to know which one, what are the risks? Is any certificate authority okay? Will self signed certs be good enough?

Clearly the issue is the man-in-the-middle attack, which I have a high level understanding of, and makes every CA susceptible to the same attack if they are compromised.. but are there good CA's that people have had experience with? Is it less safe to get a wildcard cert than individual certs for each domain?

Thanks HN

14 comments

[ 3.1 ms ] story [ 32.5 ms ] thread
If you're worried about certain governments MITMing you, the answer is that it's hopeless to rely on SSL to provide protection.

I don't know a good recommendation. I just wanted to clarify that SSL provides no protection in that particular case.

Makes sense, does that in turn mean that SSL is really a 'hopeless' cause and using self-signed just for the image of 'https' showing in the location bar on a browser enough? Seems like a pointless exercise to me knowing that someone somewhere (government or not) could still access it
Just to clarify, I think using some reliable and trustworthy SSL cert vendor is the way to go. It just won't protect you from the aforementioned parties. Nothing will at this point.

SSL protects you and your users from many other attack vectors, and is important. It wasn't my intention to argue against SSL, just to point out the truth of our modern day situation.

>Will self signed certs be good enough?

For public consumption, no. For anything internal, yes.

My domain registrar (namecheap) offers SSL certificates cheap.

All you need is for your domain to show up with the little special icon in the browser when you use https. Other than that, it doesn't matter. Get the cheapest one that browsers recognize.

I just bought a Comodo PositiveSSL Wildcard cert from them last week. It was a little confusing, but they were quite responsive when I pointed out some bugs in the registration service. I would definitely recommend them.
(comment deleted)
You get a standard SSL certificate free for a year with domain names at Gandi.net. I think I'm also right in saying transfers are included. Can't really vouch for their security but from what I have read the company's "no bullshit" approach is right up my alley. The riseup.net collective recommend them too.
+1 on Gandi.net from me too. Got several domains/SSL certs from them. The base (free) SSL certificate is pretty basic, but they also offer higher levels of security at a cost.
Thanks for the recommendation. I can confirm that you get a free one-year cert whether the domain has been registered at Gandi or transferred in.
I used StartSSL class 1 certificate for my app (unherd.co). Its free and valid for one year. Here is a good guide that might be of help - https://konklone.com/post/switch-to-https-now-for-free?hn
I used the same certificate from StartSSL and got an A- grade from SSL Labs.
I also used StartSSL class 1 for my site (peercube.com) and will highly recommend the help link you provided for getting and installing the certificate.