topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Tuesday December 10, 2024, 10:10 pm
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Last post Author Topic: The SSL certificate industry is a messy business  (Read 22439 times)

wilfrednilsen

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 22
    • View Profile
    • Donate to Member
The SSL certificate industry is a messy business
« on: February 14, 2008, 01:55 PM »
Not everyone is running an online banking business or selling merchandise online. Sometimes, an SSL certificate is used only to remove the warning in a browser.

For example, a reasonable certificate is needed if you run a home server or if you have a small business and simply want to give your friends/customers secure access to your server without having to tell everyone using your site that your self signed certificate is the cause of the nasty browser warning.

Why are certificates from VeriSign so freakin’ expensive?

Why do many of the "cheap" SSL providers not tell you they sell a chained certificate?

If you have any experience with "good and reasonable" certificate vendors, please join our forum and give us your thoughts. We have a thread where we would like to have an open discussion regarding "good and reasonable" certificate vendors. The forum is for the BarracudaDrive server, but you do not have to have this product to join our discussion group..

http://barracudaserv...is-a-messy-business/

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,914
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: The SSL certificate industry is a messy business
« Reply #1 on: February 14, 2008, 02:23 PM »
Agreed!
I'd like to learn more about this as well.

housetier

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • default avatar
  • Posts: 1,321
    • View Profile
    • Donate to Member
Re: The SSL certificate industry is a messy business
« Reply #2 on: February 14, 2008, 04:49 PM »
I'll stick with cacert.org

jgpaiva

  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 4,727
    • View Profile
    • Donate to Member
Re: The SSL certificate industry is a messy business
« Reply #3 on: February 14, 2008, 05:08 PM »
Why cacert, housetier?
From what i understand, it doesn't have any root certificate sign, and isn't included with browsers, thus it is as useful has having a certificate that isn't signed by a CA..

housetier

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • default avatar
  • Posts: 1,321
    • View Profile
    • Donate to Member
Re: The SSL certificate industry is a messy business
« Reply #4 on: February 15, 2008, 04:41 AM »
It is free :)

jgpaiva

  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 4,727
    • View Profile
    • Donate to Member
Re: The SSL certificate industry is a messy business
« Reply #5 on: February 15, 2008, 04:48 AM »
I know it's free, but why go through the trouble of having your certificate signed by cacert, when it still won't get you rid of the anoying browser warnings?

techidave

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 1,045
    • View Profile
    • Donate to Member
Re: The SSL certificate industry is a messy business
« Reply #6 on: February 15, 2008, 05:03 AM »
I also would like to learn more about this.  We tried creating one of those "free" certificates and now we have two certificate verifications to do.  <sigh>

housetier

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • default avatar
  • Posts: 1,321
    • View Profile
    • Donate to Member
Re: The SSL certificate industry is a messy business
« Reply #7 on: February 15, 2008, 06:05 AM »
jgpaiva:
I decided for myself the trouble was worth it. In my case the decision was easy: either pay and have less hassle, or have "trouble" and pay less. Since I don't like to pay for stuff I can get for free, I decided to not pay. Likewise, I'd be unwilling to pay for software, operating systems or email services.

And I installed cacert's root certificate into my webbrowser, so I don't get as many warnings.

cacert's competitors are fighting very hard to keep cacert's root certificate excluded from software (i.e. firefox' built-in security token): their business relies on this.

I don't trust verisign more because they charge more; given their history with what they did to DNS, I am inclined to trust them less. Lucky for us all, there are many other CAs out there, many of which have their root certificates built into software packages, so one can get an easy to use certificate without paying too much.


techidave:
I'd suggest dropping one certificate if having two is a problem. :)


f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: The SSL certificate industry is a messy business
« Reply #8 on: February 15, 2008, 06:52 AM »
housetier: I think the question being asked is "why use cacert instead of a self-signed certificate, when cacert's root cert isn't included with browsers?".
- carpe noctem
« Last Edit: February 15, 2008, 08:10 AM by f0dder »

housetier

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • default avatar
  • Posts: 1,321
    • View Profile
    • Donate to Member
Re: The SSL certificate industry is a messy business
« Reply #9 on: February 15, 2008, 10:10 AM »
Using cacert as CA
  • is convenient for me, because I don't have to set up my own CA
  • is convenient for some visitors, because I know some of them will already have imported their root cert
  • makes no difference on the trust scale

Yeah that's much better than what I originally came up with :)

jgpaiva

  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 4,727
    • View Profile
    • Donate to Member
Re: The SSL certificate industry is a messy business
« Reply #10 on: February 15, 2008, 10:16 AM »
 :) I see house!

Thanks for the explanation ;)

jared1999

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 9
    • View Profile
    • Donate to Member
Re: The SSL certificate industry is a messy business
« Reply #11 on: February 22, 2008, 05:46 AM »
We use http://www.rapidssl.com/ at work, and have been very happy with their service. Certificates are not chained, prices are reasonable, and the registration process is very quick. They also have free trials.

If you need a certificate with more "weight" behind it you can get one from GeoTrust (RapidSSL is owned by GeoTrust), though I think that's unnecessary for most certificates.

fhayes

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 19
    • View Profile
    • Donate to Member
Re: The SSL certificate industry is a messy business
« Reply #12 on: February 22, 2008, 05:02 PM »
We also use RapidSSL for our home based business here and I have been very happy with them.  At http://www.trustico.com/ you can get it for only  $15/year. The whole process of getting and installing it was hassle free.

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,914
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: The SSL certificate industry is a messy business
« Reply #13 on: November 30, 2010, 09:27 PM »
I think we are going to try StartSSL at DC soon.  I will report on how well it goes.  It looks like they have some neat features and so far i've been really impressed with them.

A comparison chart from Wikipedia: http://en.wikipedia....ates_for_web_servers

« Last Edit: November 30, 2010, 10:35 PM by mouser »

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,291
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
Re: The SSL certificate industry is a messy business
« Reply #14 on: November 30, 2010, 10:55 PM »
I think we are going to try StartSSL at DC soon.  I will report on how well it goes.  It looks like they have some neat features and so far i've been really impressed with them.

A comparison chart from Wikipedia: http://en.wikipedia....ates_for_web_servers

app103 recommended them to me. I am using one of their certs on my webmail server now, and it seems fine.
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,914
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: The SSL certificate industry is a messy business
« Reply #15 on: November 30, 2010, 10:58 PM »
damn app is ahead of me once again.

superboyac

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 6,347
    • View Profile
    • Donate to Member
Re: The SSL certificate industry is a messy business
« Reply #16 on: November 30, 2010, 11:21 PM »
I've always wondered about certificates.  How are they useful?  What additional level of protection do they provide?  For me as an end user, it's been nothing but a nuisance.  But I don't know enough about them to criticize them.

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: The SSL certificate industry is a messy business
« Reply #17 on: December 01, 2010, 02:43 AM »
I've always wondered about certificates.  How are they useful?  What additional level of protection do they provide?  For me as an end user, it's been nothing but a nuisance.  But I don't know enough about them to criticize them.
In addition to just enabling SSL/TLS encrypt, a certificate allows a site to verify to a user that it is who it says it is. For a cert to be automatically accepted by your browser, it has to be signed by one of the system-accepted top-level cert authorities (verisign or a bunch of others). A cert includes a fingerprint, and this can be used to detect whether the server has been compromised and had a new cert installed, if there's a man-in-the-middle snooping, etc.

The system is definitely not perfect, since false certificates can be made if just one of the cert authorities are rotten, or slacks on verification procedures - and there's been some cert attacks on certs made with MD5 hashes. But it's hard to do much better, really.
- carpe noctem

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,859
    • View Profile
    • Donate to Member
Re: The SSL certificate industry is a messy business
« Reply #18 on: December 01, 2010, 04:58 AM »
+1 with f0dder.

They're better than nothing, but far from being a panacea.


f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: The SSL certificate industry is a messy business
« Reply #19 on: December 01, 2010, 05:16 AM »
For really secure scenarios, I'd want to store the certificate fingerprint and verify it client-side, so I know nobody has tampered with the server I'm connecting to - but it's a bit impractical doing this for webbrowsing. And if you do that, you need an updating mechanism since certs eventually will need updating.

Bonus effect of doing cert fingerprint validation: you can verify that a certificate is good without depending on a CA, which means self-signed certs become a very real possibility.
- carpe noctem

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,291
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
Re: The SSL certificate industry is a messy business
« Reply #20 on: December 01, 2010, 07:07 AM »
damn app is ahead of me once again.

No doubt. I can't count how many times I read posts from app103 here or on Facebook and and up following links all over the place. She's a wealth of cool, new information.
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,859
    • View Profile
    • Donate to Member
Re: The SSL certificate industry is a messy business
« Reply #21 on: December 01, 2010, 10:10 AM »
damn app is ahead of me once again.

No doubt. I can't count how many times I read posts from app103 here or on Facebook and and up following links all over the place. She's a wealth of cool, new information.

+1 x 10E2! April is definitely one of the 'go to' members at DC.

Be really cool if somebody had a paid blogging position they could offer her. She's better than some of the recognized "names" out there.

Any corporate, techsite, or publishing lurkers reading this?

« Last Edit: December 01, 2010, 10:12 AM by 40hz »

superboyac

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 6,347
    • View Profile
    • Donate to Member
Re: The SSL certificate industry is a messy business
« Reply #22 on: December 01, 2010, 10:48 AM »
40hz is right.  A while back, I was thinking about all the helpful people here who are very knowledgeable and the programmers are excellent.  It's a great mix of friendliness and good, practical help.  I wish I could create an itunes like store for people here so that it could be a one-stop shop for PC stuff.  Good advice, good solutions, easy to navigate, no fuss.  Maybe sometime in the future, I don't know.  With Google becoming increasingly unreliable and chaotic there's a need for easy, hassle free PC solutions.  And I would love it if some of the people here could make a comfortable living providing their expert-level services to folks out there.  I strongly feel we have some special talent on this board.

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,914
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: The SSL certificate industry is a messy business
« Reply #23 on: December 06, 2010, 11:20 PM »
I've been really impressed with StartSSL so far.

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,291
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
Re: The SSL certificate industry is a messy business
« Reply #24 on: December 06, 2010, 11:24 PM »
I've been really impressed with StartSSL so far.

The website is a shambles as far as design goes, but the certs work. So far the cert I'm using on my private webmail site is smooth. Haven't had a single user comment on it.
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker