Preface: An Introduction to SSL Certificates
SSL Certificates are a source of much frustration for small companies and indie website operators.
The idea of SSL Certificates is a good one. They offer a way for users who connect to your website to have some assurance that you are who you say you are -- that the person running the website they are connecting to is really the person in charge of the organization they say they are, and that they aren't being tricked by someone who has intercepted their connection to the web (man-in-the-middle style attacks).
But web browsers (firefox, internet explorer, chrome, opera, safari, etc.) have decided to combine this idea of verifying the identity of the company running a website with the mechanism for establishing a secure connection protocol from your browser to the website (https). Secure connections can be very important in preventing neighbors and snoops from discovering your login passwords, etc. as you browse the web.
Unfortunately, the way that web browser makers have combined these features has results in a real dilemma for small developers and indie website administrators.
When a user tries to connect to a website using https, the web browser will check that the website has an SSL certificate from a "trusted" provider. And while it's possible for anyone to create a (self-signed) key that enables their website to support encrypted communications, without a PURCHASED and VERIFIED certificate, users will receive a big warning when they connect, telling them that they are about to connect to a untrusted/unverified site.
Many web browsers make this "warning" overly scary and complex to deal with. FireFox makes the user go through a bunch of hoops that will scare away most inexperienced visitors and have them running for the hills rather than try to connect to your website if you use a self-signed certificate. They will assume something is wrong with your site or that it can't be trusted.
The answer seems clear then, for website developers: Purchase an SSL Certificate from a "trusted" provider.
Surely buying and using such a certificate can't be too expensive if we expect everyone to be doing this, right? Don't make me laugh...
The SSL Certificate Provider Mafia
The SSL certificate provider industry feels like a mafia run extortion racket. It is absolutely outrageous how expensive it is to get reasonably flexible and valid SSL certificates.
If you have one single website domain (let's say thesslmafia.com), and don't use any subdomains (i.e. don't use things like haters.thesslmafia.com), then you can actually purchase an SSL certificate for the relatively reasonable fee from most providers ($100-$300 per year). Don't have that kind of money? Tough luck.
But where things get really truly ugly and evil is when you need more than one certificate, because you own more than one domain name, or use subdomains more frequently. Now you are looking at $100-$300 PER DOMAIN NAME. How's that for affordable?
And now we come to StartSSL, a company making waves in the SSL Certificate business. As Gothi[c] (the dc server admin) aptly put it: "StartSSL is taking on the SSL Certificate Mafia!"
What makes StartSSL different is that they charge you to validate your identity and company, and *NOT* to generate additional certificates for different domains and subdomains. So once you pay for validation, which is a real bargain rate ($50 for personal validation and $50 on top if you want to validate that you are the owner of a particular company), you can generate as many domain and subdomain certificates (including wildcard *.domainname.com certificates) as you need.
To see how unusual this is, check out the wikipedia page comparing SSL Certificate providers:
Look at that chart under the columns for number of domains and subdomains included, and you'll start to get an idea of why StartSSL is so wonderful. Almost every other provider is forcing you to pay through the nose for each domain and subdomain you need to add.
The cost of having to pay for additional certificates (and wildcard certificates) for DonationCoder.com is why we've not previously made the leap to using proper validated SSL certificates on this website. We just couldn't afford it and refused to give in to the unfair charges demanded by certificate providers.
Until I found StartSSL..
The StartSSL Experience
When we moved servers recently I decided to check out StartSSL.com, and i've been incredibly impressed.
Now you have to understand that StartSSL is a small operation, with a website control panel that leaves much to be desired. The website and control panel feel a bit clunky and slow and outdated, and can be confusing at times. BUT they get the job done, and the services provided by StartSSL are great and unique.
I had no trouble at all getting verified and validated -- the process was extremely smooth and fast -- and after one personal phone call from Eddy Nigg, who is the face (and founder?) of StartCom to verify some information and scanned documents, we were able to generate certificates for the new DonationCoder.com server.
Verification Options and Classes
With all SSL Certificate providers, you have some options regarding the quality of the verification of your (and your site's) identity. This is related to the idea of the SSL Certificate class. In general, the higher the class, the more expensive it is, the more difficult it is to get (in terms of proving your identity to the Certificate Provider company), and the more sure a visitor can be that you and your site are who you say you are.
With all of the other certificate providers I have seen other than StartSSL, you pay a yearly fee for a specific certificate for a particular domain (or a collection of 1-5 domain names). The cost will depend on the class and number of certificates you want.
StartSSL is different. With StartSSL you can get a one year personal class 1 certificate, for free -- which I understand is good enough to remove the browser warnings about untrusted certificates that you get with a self-signed certificate. The only limitation is that you can only get this free certificate with one email/domain/subdomain [NOTE: I am informed that I may be wrong about this limitation so you need to check on this].
What you probably want from StartSSL if you are serious about using SSL certificates for your small business, or if you have lots of domains/subdomains, is a class 2 (or above) verified certificate. The way StartSSL works is that you pay about $50 to verify your personal identity, after which you can generate new class 2 certificates for any number of domains/subdomains over the course of a year (the certificates themselves actually last two years). This should be enough to have browsers display your site as trusted when accessed through https and eliminate any extra steps they would otherwise have to take. If you want, you can pay an additional $50 on top of the personal verification process to verify your business, which let's people know that they are dealing with the business associated with your website, rather than just a known person. Again, certificates last two years, and you can generate as many different domain and subdomain (and wildcard) certificates as you want for a one year period, before you have to renew your verifications. Again, it is the ability to generate many different certificates for different domains that makes StartSSL stand out apart from the crowd, and what makes it so useful for small companies.
StartSSL also offers (class 3?) extended validation certificates which cost $200 and require serious verification steps; the benefit is a green status bar in the user's browser windows -- something that giant companies like amazon.com might care about but small companies needn't worry about. At DonationCoder.com we went with a $50 personal verification and $50 business verification and the process was painless.
A word on Eddy Nigg and the service at StartSSL
Generating and installing certificates can be a bit tricky. But they are nothing compared to Code Signing. StartSSL also lets you generate code signing certificates and I went through the process a couple of times while trying to learn how to do it. At one point I (thought) I needed to revoke a certificate I had generated (unfortunately StartSSL only allows you to have one code signing certificate at a time, and I hope they change this). There is a fee to revoke a certificate and I figured we were getting such a great deal that I just clicked to pay it and have the certificate revoked. Imagine my surprise when I got a personal email from Eddy offering to help me figure out what was wrong. Eventually he revoked the certificate without a charge(!) and continued to help me figure out my problem, which I was able to do and managed to get code signing to work (code signing is a matter for a separate post and is a complicated and questionable thing -- but it's great that you can do it with StartSSL).
Now I don't think one can expect this kind of personal service all the time from a small SSL certificate provider, I certainly didn't. Maybe some of the companies selling certificates for $400 do have serious help desks for this kind of thing, I don't know, but I wouldn't be terribly surprised. If you have that kind of money to throw around maybe you can find out. But I was very impressed with how hands on and helpful Eddy was. StartCom also has a pretty active forum where you can get help from other users (and you'll find Eddy on there as well!), which is a big help when you run into trouble..
There is a near-criminal racket going on in the world of SSL Certificate Providers; most providers charge outrageous rates for inflexible certificates that force you to keep buying additional certificates for each domain you own.
Within this vast wasteland of greed, StartSSL stands out as a beacon of hope for small developers and website owners. Bravo!
For information about SSL Certificate providers see:
- StartSSL Homepage
- Earlier DonationCoder.com forum thread on SSL Certificate Providers
- Nice Wikipedia chart comparing provider costs/features
- SSLShopper Certificiate Provider Wizard (and reviews, including of startssl)
NOTE: I have no relation to StartSSL; I am just a satisfied customer.