Topic: StartSSL.com Certificate Provider: Mini-Review
mouser
First Author
Administrator
« on: December 19, 2010, 02:20:25 PM »

I want to talk a little bit about StartSSL.com, a company that provides SSL Certificates.  They actually do a lot of things under the umbrella of StartCom, but I'm only going to talk about SSL services here, and in particular, SSL Certificates for web sites.




Preface: An Introduction to SSL Certificates

SSL Certificates are a source of much frustration for small companies and indie website operators.

The idea of SSL Certificates is a good one.  They offer a way for users who connect to your website to have some assurance that you are who you say you are -- that the person running the website they are connecting to is really the person in charge of the organization they say they are, and that they aren't being tricked by someone who has intercepted their connection to the web (man-in-the-middle style attacks).

But web browsers (firefox, internet explorer, chrome, opera, safari, etc.) have decided to combine this idea of verifying the identity of the company running a website with the mechanism for establishing a secure connection protocol from your browser to the website (https).  Secure connections can be very important in preventing neighbors and snoops from discovering your login passwords, etc. as you browse the web.

Unfortunately, the way that web browser makers have combined these features has resulted in a real dilemma for small developers and indie website administrators.

When a user tries to connect to a website using https, the web browser will check that the website has an SSL certificate from a "trusted" provider.  And while it's possible for anyone to create a (self-signed) key that enables their website to support encrypted communications, without a PURCHASED and VERIFIED certificate, users will receive a big warning when they connect, telling them that they are about to connect to an untrusted/unverified site.

Many web browsers make this "warning" overly scary and complex to deal with.  FireFox makes the user go through a bunch of hoops that will scare away most inexperienced visitors and have them running for the hills rather than try to connect to your website if you use a self-signed certificate.  They will assume something is wrong with your site or that it can't be trusted.

The answer seems clear then, for website developers: Purchase an SSL Certificate from a "trusted" provider.

Surely buying and using such a certificate can't be too expensive if we expect everyone to be doing this, right?  Don't make me laugh...



The SSL Certificate Provider Mafia

The SSL certificate provider industry feels like a mafia run extortion racket.  It is absolutely outrageous how expensive it is to get reasonably flexible and valid SSL certificates.

If you have one single website domain (let's say thesslmafia.com), and don't use any subdomains (i.e. don't use things like haters.thesslmafia.com), then you can actually purchase an SSL certificate for the relatively reasonable fee from most providers ($100-$300 per year).  Don't have that kind of money? Tough luck.

But where things get really truly ugly and evil is when you need more than one certificate, because you own more than one domain name, or use subdomains more frequently.  Now you are looking at $100-$300 PER DOMAIN NAME.  How's that for affordable?



Enter StartSSL.com

And now we come to StartSSL, a company making waves in the SSL Certificate business.  As Gothi[c] (the dc server admin) aptly put it: "StartSSL is taking on the SSL Certificate Mafia!"

What makes StartSSL different is that they charge you to validate your identity and company, and *NOT* to generate additional certificates for different domains and subdomains.  So once you pay for validation, which is a real bargain rate ($50 for personal validation and $50 on top if you want to validate that you are the owner of a particular company), you can generate as many domain and subdomain certificates (including wildcard *.domainname.com certificates) as you need.

To see how unusual this is, check out the wikipedia page comparing SSL Certificate providers:
http://en.wikipedia.org/w...tificates_for_web_servers

Look at that chart under the columns for number of domains and subdomains included, and you'll start to get an idea of why StartSSL is so wonderful.  Almost every other provider is forcing you to pay through the nose for each domain and subdomain you need to add.

The cost of having to pay for additional certificates (and wildcard certificates) for DonationCoder.com is why we've not previously made the leap to using proper validated SSL certificates on this website.  We just couldn't afford it and refused to give in to the unfair charges demanded by certificate providers.

Until I found StartSSL..



The StartSSL Experience

When we moved servers recently I decided to check out StartSSL.com, and I've been incredibly impressed.

Now you have to understand that StartSSL is a small operation, with a website control panel that leaves much to be desired.  The website and control panel feel a bit clunky and slow and outdated, and can be confusing at times.  BUT they get the job done, and the services provided by StartSSL are great and unique.

I had no trouble at all getting verified and validated -- the process was extremely smooth and fast -- and after one personal phone call from Eddy Nigg, who is the face (and founder?) of StartCom, to verify some information and scanned documents, we were able to generate certificates for the new DonationCoder.com server.

Verification Options and Classes

With all SSL Certificate providers, you have some options regarding the quality of the verification of your (and your site's) identity.  This is related to the idea of the SSL Certificate class.  In general, the higher the class, the more expensive it is, the more difficult it is to get (in terms of proving your identity to the Certificate Provider company), and the more sure a visitor can be that you and your site are who you say you are.

With all of the other certificate providers I have seen other than StartSSL, you pay a yearly fee for a specific certificate for a particular domain (or a collection of 1-5 domain names).  The cost will depend on the class and number of certificates you want.

StartSSL is different.  With StartSSL you can get a one year personal class 1 certificate, for free -- which I understand is good enough to remove the browser warnings about untrusted certificates that you get with a self-signed certificate.  The only limitation is that you can only get this free certificate with one email/domain/subdomain [NOTE: I am informed that I may be wrong about this limitation so you need to check on this].

What you probably want from StartSSL if you are serious about using SSL certificates for your small business, or if you have lots of domains/subdomains, is a class 2 (or above) verified certificate.  The way StartSSL works is that you pay about $50 to verify your personal identity, after which you can generate new class 2 certificates for any number of domains/subdomains over the course of a year (the certificates themselves actually last two years).  This should be enough to have browsers display your site as trusted when accessed through https and eliminate any extra steps they would otherwise have to take.  If you want, you can pay an additional $50 on top of the personal verification process to verify your business, which lets people know that they are dealing with the business associated with your website, rather than just a known person.  Again, certificates last two years, and you can generate as many different domain and subdomain (and wildcard) certificates as you want for a one year period, before you have to renew your verifications.  Again, it is the ability to generate many different certificates for different domains that makes StartSSL stand out from the crowd, and what makes it so useful for small companies.

StartSSL also offers (class 3?) extended validation certificates which cost $200 and require serious verification steps; the benefit is a green status bar in the user's browser windows -- something that giant companies like amazon.com might care about but small companies needn't worry about.  At DonationCoder.com we went with a $50 personal verification and $50 business verification and the process was painless.

A word on Eddy Nigg and the service at StartSSL

Generating and installing certificates can be a bit tricky.  But they are nothing compared to Code Signing.  StartSSL also lets you generate code signing certificates and I went through the process a couple of times while trying to learn how to do it.  At one point I (thought) I needed to revoke a certificate I had generated (unfortunately StartSSL only allows you to have one code signing certificate at a time, and I hope they change this).  There is a fee to revoke a certificate and I figured we were getting such a great deal that I just clicked to pay it and have the certificate revoked.  Imagine my surprise when I got a personal email from Eddy offering to help me figure out what was wrong.  Eventually he revoked the certificate without a charge(!) and continued to help me figure out my problem, which I was able to do and managed to get code signing to work (code signing is a matter for a separate post and is a complicated and questionable thing -- but it's great that you can do it with StartSSL).

Now I don't think one can expect this kind of personal service all the time from a small SSL certificate provider, I certainly didn't.  Maybe some of the companies selling certificates for $400 do have serious help desks for this kind of thing, I don't know, but I wouldn't be terribly surprised.  If you have that kind of money to throw around maybe you can find out.  But I was very impressed with how hands on and helpful Eddy was.  StartCom also has a pretty active forum where you can get help from other users (and you'll find Eddy on there as well!), which is a big help when you run into trouble.



Summary

There is a near-criminal racket going on in the world of SSL Certificate Providers; most providers charge outrageous rates for inflexible certificates that force you to keep buying additional certificates for each domain you own.

Within this vast wasteland of greed, StartSSL stands out as a beacon of hope for small developers and website owners.  Bravo!



More Info

For information about SSL Certificate providers see:




NOTE: I have no relation to StartSSL; I am just a satisfied customer.
« Last Edit: December 21, 2010, 11:19:06 AM by mouser »
f0dder
Charter Honorary Member
« Reply #1 on: December 19, 2010, 06:41:53 PM »

Quote
But web browsers (firefox, internet explorer, chrome, opera, safari, etc.) have decided to combine this idea of verifying the identity of the company running a website with the mechanism for establishing a secure connection protocol from your browser to the website (https).  Secure connections can be very important in preventing neighbors and snoops from discovering your login passwords, etc. as you browse the web.
Hm, "web browsers have decided"? SSL, which offers both confidentiality and authenticity, was in place - web browsers simply chose to use the standard rather than inventing some new and fancy scheme.

I agree that SSL certificates are a b*tch, though, and that the CAs are a rotten charge-through-the-nose mafia - it's a disgusting business. I'm surprised that (if?) startSSL is part of the OS/browser pre-accepted authorities, since their services sound almost too good to be true.

As for the warnings browsers do on self-signed certificates, well, I'm afraid that they do have to be somewhat severe. Outside of special services, or corporate intrawebs (where you can usually manage rolling out custom corporate CA certs to the individual machines anyway), self-signed certs would usually be a sign of something bad going on. Regular users can't be expected to understand WHAT this is all about, and even less to verify certificate fingerprints, so not complaining loudly about self-signed certs == free lunch for man-in-the-middle attackers.

The real problem is how expensive certificates are, and how you're charged for them (paying extra for "real verification" and "stronger encryption", not to mention the horrible domain fees; all the CAs I've been looking at previously easily classify as con-men), not to mention that security isn't all that hot anyway (good old social engineering skills against the CAs). But the mechanism itself isn't to blame, and I honestly can't think of a decent security infrastructure that doesn't depend on CAs.

- carpe noctem
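The trust check that mouser's preface and f0dder's reply are both describing, as an added example that is not part of this thread and not StartSSL's tooling: a throwaway root CA and intermediate CA, a wildcard leaf signed by the intermediate, and a self-signed leaf for the same name, all generated with the openssl command line (assumed installed, 1.1.1 or newer; example.test and the "Demo" names are placeholders). Checked against a trust anchor, the CA-signed certificate validates and the self-signed one does not, which is the whole difference between the warning page and the padlock. It also demonstrates two checks worth knowing when a certificate from a trusted CA still shows as untrusted: the server has to send the intermediate certificate along with its own, and a wildcard covers exactly one label, so *.example.test does not cover example.test itself or a.b.example.test.

```shell
#!/bin/sh
# Constructed demo of the browser trust model: a throwaway root CA and
# intermediate, a wildcard leaf signed by the intermediate, and a self-signed
# leaf for the same name.  Nothing here is real PKI material; the domain and
# CA names are placeholders.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
DOMAIN="example.test"          # placeholder, not a real site

# Private key plus CSR for a subject: $1 = file stem, $2 = CN
make_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

make_demo_pki() {
  # Extension profiles: what marks a certificate as a CA, and what a leaf carries
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.%s\n' "$DOMAIN" >"$WORK/leaf.ext"

  # 1. Root CA, self-signed: the role a browser-trusted root plays
  make_key_and_csr root "Demo Root CA"
  openssl x509 -req -days 30 -sha256 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" >/dev/null 2>&1

  # 2. Intermediate CA, signed by the root: real CAs issue from intermediates
  make_key_and_csr inter "Demo Intermediate CA"
  openssl x509 -req -days 30 -sha256 -in "$WORK/inter.csr" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" >/dev/null 2>&1

  # 3. Wildcard server certificate, signed by the intermediate
  make_key_and_csr server "*.$DOMAIN"
  openssl x509 -req -days 30 -sha256 -in "$WORK/server.csr" \
    -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" -CAcreateserial \
    -extfile "$WORK/leaf.ext" -out "$WORK/server.pem" >/dev/null 2>&1

  # 4. Self-signed certificate for the same name: no CA involved at all
  make_key_and_csr selfsigned "*.$DOMAIN"
  openssl x509 -req -days 30 -sha256 -in "$WORK/selfsigned.csr" -signkey "$WORK/selfsigned.key" \
    -extfile "$WORK/leaf.ext" -out "$WORK/selfsigned.pem" >/dev/null 2>&1
}

# check_cert CERT HOSTNAME [TRUST_ANCHOR] [EXTRA_CHAIN]
# Prints "trusted" when CERT chains to TRUST_ANCHOR (via EXTRA_CHAIN if given)
# and matches HOSTNAME, "untrusted" otherwise.  The system CA store is kept out
# of the picture so that only the demo root counts as a trust anchor.
check_cert() {
  cert="$1"; host="$2"; anchor="${3:-}"; extra="${4:-}"
  set -- -no-CAfile -no-CApath -verify_hostname "$host"
  if [ -n "$anchor" ]; then set -- "$@" -CAfile "$anchor"; fi
  if [ -n "$extra" ];  then set -- "$@" -untrusted "$extra"; fi
  if openssl verify "$@" "$cert" >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
}

make_demo_pki
S="$WORK/server.pem"; R="$WORK/root.pem"; I="$WORK/inter.pem"
echo "CA-signed, full chain, www.$DOMAIN:  $(check_cert "$S" "www.$DOMAIN" "$R" "$I")"
echo "CA-signed, intermediate not sent:     $(check_cert "$S" "www.$DOMAIN" "$R")"
echo "CA-signed, no trust anchor at all:    $(check_cert "$S" "www.$DOMAIN")"
echo "Self-signed, root CA trusted:         $(check_cert "$WORK/selfsigned.pem" "www.$DOMAIN" "$R")"
echo "Wildcard against bare $DOMAIN:  $(check_cert "$S" "$DOMAIN" "$R" "$I")"
echo "Wildcard against a.b.$DOMAIN:   $(check_cert "$S" "a.b.$DOMAIN" "$R" "$I")"
```

`check_cert` is the shape of what a browser does on every https connection: chain the presented certificate to a root it already ships with, then match the name. The self-signed certificate fails not because its crypto is weaker but because nothing the verifier trusts vouches for it, and from the client's side that is indistinguishable from an interposed connection.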
mouser
First Author
Administrator
« Reply #2 on: December 19, 2010, 07:03:28 PM »

Quote
As for the warnings browsers do on self-signed certificates, well, I'm afraid that they do have to be somewhat severe

I don't really agree with you, though I see the point you are making.

But I see this as in the same vein as the false positive virus warnings that antivirus programs sometimes give -- if they don't understand it then they just scare the user, and the one who loses is the small developer who can't afford to grease the wheels to get their programs (or websites) certified as trusted.  I guess my complaint is not the warnings in isolation, it's the combination of the severe scary warnings combined with how expensive it has been to get flexible proper certificates.

I suppose for website certificates, now that there is a way to get free and cheap proper ssl certificates, it's not such a big deal and I shouldn't blame the browsers too much.  But I just think the warnings that browsers put up are far too misleadingly severe.  There are lots of ways that a website can be infected and made to do bad things, and the LEAST likely of those is to have a man in the middle attack that forges an ssl certificate.  Unless you are controlling intercontinental ballistic missiles over the web, I just think ssl certificate forgeries are the least of your realistic concerns, and the browser warnings should reflect that.

HOWEVER, as I said before, given that it's now possible to generate verified certificates for free/cheaply, I guess the solution is just to use these instead of self-signed ones.
Gothi[c]
DC Server Admin
Charter Honorary Member
« Reply #3 on: December 19, 2010, 08:34:49 PM »

Quote
I'm surprised that (if?) startSSL is part of the OS/browser pre-accepted authorities, since their services sound almost too good to be true.

They work just fine in newer browsers.
IE6 might still complain about it for example.
Works great here in FF3
mouser
First Author
Administrator
« Reply #4 on: December 19, 2010, 08:44:26 PM »

Here's a thread on the StartSSL forum about programs and services that trust StartSSL certificates:
https://forum.startcom.or...topic.php?f=15&t=1802
mahesh2k
Supporting Member
« Reply #5 on: December 20, 2010, 05:52:59 PM »

Okay mouser, this is too noob a question, but other than transaction sites, what types of sites should go for SSL?
f0dder
Charter Honorary Member
« Reply #6 on: December 21, 2010, 05:18:10 AM »

Quote
Okay mouser, this is too noob a question, but other than transaction sites, what types of sites should go for SSL?
Anything that handles user login, really :)
Renegade
Charter Member
« Reply #7 on: December 21, 2010, 05:24:14 AM »

I noticed that I got a warning on an XP computer at a hotel. Their certificates aren't in some older computers.

Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker
phitsc
Honorary Member
« Reply #8 on: December 23, 2010, 05:29:05 AM »

Gmail has the 'Always use https' setting. Does the donationcoder forum have that?
Renegade
Charter Member
« Reply #9 on: December 23, 2010, 05:54:21 AM »

Quote
Gmail has the 'Always use https' setting. Does the donationcoder forum have that?

No. If you check the address bar, you'll see HTTP.

For most web sites, using HTTPS all the time is a waste of resources. HTTPS uses SSL, which uses encryption, which is a lot of math, which is expensive for the CPU and memory.

Now that hardware is a lot cheaper, using HTTPS all the time is more economical and viable for a lot of sites.
phitsc
Honorary Member
« Reply #10 on: December 23, 2010, 06:15:52 AM »

Quote
No. If you check the address bar, you'll see HTTP.

Well, mine says https right now.

Not using https as a means to protect the environment. Never thought about that ...
Renegade
Charter Member
« Reply #11 on: December 23, 2010, 06:48:37 AM »

Quote
No. If you check the address bar, you'll see HTTP.

Well, mine says https right now.

Not using https as a means to protect the environment. Never thought about that ...

Go to the address bar then delete that 's'. You'll see DC works that way too.

Nobody really ever didn't use HTTPS (SSL) for environmental reasons. It's always been about $$$. Well, if you read in the tech community 10 years ago or whenever. I have never read a single instance of someone doing it for environmental reasons, though that is a valid concern. IDCs consume a massive amount of power.
phitsc
Honorary Member
« Reply #12 on: December 23, 2010, 06:51:14 AM »

Quote
Go to the address bar then delete that 's'. You'll see DC works that way too.

I understand that. My initial question was actually just if there's a way to force donationcoder to always use https (well, without wanting to discuss if it makes sense or not).
Renegade
Charter Member
« Reply #13 on: December 23, 2010, 06:56:50 AM »

Posting from http://www.donationcoder....ic=24939.0;num_replies=11 at the moment. :)

I should also mention that in the distant past client CPU was also a concern. It takes longer for a client to render from HTTPS than it does from HTTP.

It's been quite a while, so I don't remember about whether or not bandwidth plays an issue there. Stoic Joker might know better about that than me. (It's been a while, so he may have forgotten as well, but it would be nice if he could chime in as I'd be interested as well in the historical aspect there.)

CPU has actually come into the picture more in the last couple years with the Atom processor as it really is a massively underpowered chip. The problem is that a lot of people still think that a 'netbook' is a real computer in the modern age, and they aren't. They are hacked down computers that throw back 5+ years or more. (I'm being generous there.) Netbooks are now very common with price points well under $500. They're dirt cheap. (That's another topic though and I'm really drifting here...)

Anyways, I hope that kind of helps put HTTPS in a historical perspective.
Renegade
Charter Member
« Reply #14 on: December 23, 2010, 06:57:45 AM »

Quote
Go to the address bar then delete that 's'. You'll see DC works that way too.

I understand that. My initial question was actually just if there's a way to force donationcoder to always use https (well, without wanting to discuss if it makes sense or not).

I think there is a Firefox addin that does that.

But no. There isn't. Not out of the box.
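What "always use https" means on the server side, as an added example that is not part of this thread and not the forum software's own code: the plain-HTTP listener answers every request with a redirect to the same path on https://, and the HTTPS responses carry a Strict-Transport-Security (HSTS) header so a returning browser skips plain HTTP altogether. The script below checks a pair of responses for exactly that; the responses are constructed for the demo with a placeholder host, not captured from donationcoder.com.

```shell
#!/bin/sh
# Added example: what "always use https" looks like on the wire.  A site that
# forces HTTPS (1) answers every plain-HTTP request with a redirect to the
# https:// URL and (2) sends Strict-Transport-Security on its HTTPS responses
# so a returning browser never tries plain HTTP again.  The responses below
# are constructed for the demo, not captured from any real site.
set -eu

# Status code of a response passed on stdin
status_code() { tr -d '\r' | head -n 1 | awk '{print $2}'; }

# Value of header NAME (case-insensitive) from a response passed on stdin;
# only the header block before the first blank line is searched.
header_value() {
  tr -d '\r' | sed '/^$/,$d' | grep -i "^$1:" | head -n 1 | sed 's/^[^:]*:[[:space:]]*//'
}

# http_redirects_to_https RESPONSE -> yes|no
# The plain-HTTP answer must be a redirect whose Location is an https:// URL.
http_redirects_to_https() {
  code="$(printf '%s' "$1" | status_code)"
  location="$(printf '%s' "$1" | header_value Location)"
  case "$code" in
    301|302|307|308) ;;
    *) echo no; return 0 ;;
  esac
  case "$location" in
    https://*) echo yes ;;
    *) echo no ;;
  esac
}

# hsts_max_age RESPONSE -> max-age in seconds, 0 when the header is absent
hsts_max_age() {
  value="$(printf '%s' "$1" | header_value Strict-Transport-Security | tr 'A-Z' 'a-z')"
  age="$(printf '%s' "$value" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')"
  echo "${age:-0}"
}

# site_forces_https HTTP_RESPONSE HTTPS_RESPONSE -> yes|no
# Both halves are needed: the redirect moves first-time visitors over, HSTS
# keeps returning visitors from ever sending a plain-HTTP request.
site_forces_https() {
  if [ "$(http_redirects_to_https "$1")" = yes ] && [ "$(hsts_max_age "$2")" -gt 0 ]; then
    echo yes
  else
    echo no
  fi
}

# --- constructed sample responses (placeholder host, not a real capture) ---
PLAIN_200='HTTP/1.1 200 OK
Content-Type: text/html

<html>served over plain http</html>'

PLAIN_301='HTTP/1.1 301 Moved Permanently
Location: https://www.example.test/forum/index.php
Content-Length: 0
'

HTTPS_200_HSTS='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html

<html>served over https</html>'

echo "301 to https + HSTS on https:  $(site_forces_https "$PLAIN_301" "$HTTPS_200_HSTS")"
echo "plain 200 on http:             $(site_forces_https "$PLAIN_200" "$HTTPS_200_HSTS")"
echo "HSTS max-age on https answer:  $(hsts_max_age "$HTTPS_200_HSTS")"
```

On a live host the same functions can be fed the header output of `curl -sI http://host/` and `curl -sI https://host/`. The server-side half that produces these responses is, in nginx, a `return 301 https://$host$request_uri;` in the port-80 server block and an `add_header Strict-Transport-Security "max-age=31536000";` in the port-443 one; Apache has the equivalent in `Redirect permanent` plus `Header always set Strict-Transport-Security`. A browser add-on can only rewrite the URL on the client, which is why the answer above ("not out of the box") is about what the site itself sends.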
mouser
First Author
Administrator
« Reply #15 on: February 13, 2011, 08:59:43 AM »

Just a quick heads up: I don't know what this means but all of the new beta browsers (FF4, IE9, Chrome10) seem to not be set up to trust certificates from StartSSL, leading to dire end-of-world warnings when you try to access https on our site.

Needless to say I'm filled with some rage at this whole f*cking SSL clusterf*ck scam that is designed to scare you away from any site on the web that isn't owned by some giant corporation.  I will update as I learn more about what is going on.

Maybe it's something we have misconfigured..


See below -- all seems good now.
« Last Edit: February 20, 2011, 07:25:16 PM by mouser »
Josh
Charter Honorary Member
« Reply #16 on: February 13, 2011, 09:07:50 AM »

http://img810.imageshack.us/f/chromeg.png/

Strength in Knowledge
Renegade
Charter Member
« Reply #17 on: February 13, 2011, 09:12:15 AM »

Quote
Just a quick heads up: I don't know what this means but all of the new beta browsers (FF4, IE9, Chrome10) seem to not be set up to trust certificates from StartSSL, leading to dire end-of-world warnings when you try to access https on our site.

Needless to say I'm filled with some rage at this whole f*cking SSL clusterf*ck scam that is designed to scare you away from any site on the web that isn't owned by some giant corporation.  I will update as I learn more about what is going on.

Maybe it's something we have misconfigured..


The entire security industry is a bloody sham. SSL does one thing. And the browsers kowtow to security BS. If a certificate provides proper SSL connectivity, it shouldn't be flagged like that. They're simply vampires. Pure and simple.

I doubt you have anything misconfigured. The only thing misconfigured is the security industry. Grrr...
mouser
First Author
Administrator
« Reply #18 on: February 20, 2011, 07:24:55 PM »

UPDATE:

After talking with Eddy and trying again today, the problem appears fixed!
I don't know enough about ssl certificates to know why it wasn't working a week or two ago but is working now, but all appears well currently.
erikts
Supporting Member
« Reply #19 on: June 20, 2011, 10:41:55 PM »

Perhaps it is important news. I read in The Register that StartCom, which operates StartSSL, suffered a security breach that occurred last Wednesday.

Web authentication authority suffers security breach
superboyac
Charter Member
« Reply #20 on: December 18, 2011, 02:54:33 PM »

Thanks mouser!  If you approve, I'm in!  I'll start using this very soon.
f0dder
Charter Honorary Member
« Reply #21 on: December 18, 2011, 03:08:34 PM »

Quote
Perhaps it is important news. I read in The Register that StartCom, which operates StartSSL, suffered a security breach that occurred last Wednesday.
It matters if the breach is big enough and handled unprofessionally enough - *cough* DigiNotar *cough* :)
jeffshead
Participant
« Reply #22 on: June 14, 2012, 11:25:56 AM »

Mouser,

Right now, I use GeoTrust Quick SSLs for all of my websites but they are actually issued to each domain so my personal name is nowhere on the certs.

I host several websites as a hobby so none of them are registered businesses. Since I cannot provide any organizational documentation, does that mean my first and last name will appear on each domain's cert instead of just the domains' names? I do not want that :(
PixelPaul
Participant
« Reply #23 on: March 16, 2014, 04:10:27 AM »

GeoTrust is who I was using too, but I think Comodo is kinda coming in and being the best now. I always need to talk to their support for help and every time I get some really good service from them, and quick, not to mention the price. I found them here for under $5: http://www.ssltrust.com.au/comodo-ssl-certificates.html

If you can't provide organisation details for a certificate you just get a domain-validated one, and they just have the domain name in the cert info if anyone ever looks.