Last post Author Topic: The SSL certificate industry is a messy business  (Read 22448 times)

wilfrednilsen

The SSL certificate industry is a messy business
« on: February 14, 2008, 01:55 PM »
Not everyone is running an online banking business or selling merchandise online. Sometimes, an SSL certificate is used only to remove the warning in a browser.

For example, a reasonable certificate is needed if you run a home server or if you have a small business and simply want to give your friends/customers secure access to your server without having to tell everyone using your site that your self-signed certificate is the cause of the nasty browser warning.

Why are certificates from VeriSign so freakin’ expensive?

Why do many of the "cheap" SSL providers not tell you they sell a chained certificate?

If you have any experience with "good and reasonable" certificate vendors, please join our forum and give us your thoughts. We have a thread where we would like to have an open discussion regarding "good and reasonable" certificate vendors. The forum is for the BarracudaDrive server, but you do not have to have this product to join our discussion group.

http://barracudaserv...is-a-messy-business/

mouser

Re: The SSL certificate industry is a messy business
« Reply #1 on: February 14, 2008, 02:23 PM »
Agreed!
I'd like to learn more about this as well.

housetier

Re: The SSL certificate industry is a messy business
« Reply #2 on: February 14, 2008, 04:49 PM »
I'll stick with cacert.org

jgpaiva

Re: The SSL certificate industry is a messy business
« Reply #3 on: February 14, 2008, 05:08 PM »
Why cacert, housetier?
From what I understand, it doesn't have any root certificate sign, and isn't included with browsers, thus it is as useful as having a certificate that isn't signed by a CA.

housetier

Re: The SSL certificate industry is a messy business
« Reply #4 on: February 15, 2008, 04:41 AM »
It is free :)

jgpaiva

Re: The SSL certificate industry is a messy business
« Reply #5 on: February 15, 2008, 04:48 AM »
I know it's free, but why go through the trouble of having your certificate signed by cacert, when it still won't rid you of the annoying browser warnings?

techidave

Re: The SSL certificate industry is a messy business
« Reply #6 on: February 15, 2008, 05:03 AM »
I also would like to learn more about this.  We tried creating one of those "free" certificates and now we have two certificate verifications to do.  <sigh>

housetier

Re: The SSL certificate industry is a messy business
« Reply #7 on: February 15, 2008, 06:05 AM »
jgpaiva:
I decided for myself the trouble was worth it. In my case the decision was easy: either pay and have less hassle, or have "trouble" and pay less. Since I don't like to pay for stuff I can get for free, I decided to not pay. Likewise, I'd be unwilling to pay for software, operating systems or email services.

And I installed cacert's root certificate into my web browser, so I don't get as many warnings.

cacert's competitors are fighting very hard to keep cacert's root certificate excluded from software (i.e. Firefox's built-in security token): their business relies on this.

I don't trust VeriSign more because they charge more; given their history with what they did to DNS, I am inclined to trust them less. Lucky for us all, there are many other CAs out there, many of which have their root certificates built into software packages, so one can get an easy to use certificate without paying too much.


techidave:
I'd suggest dropping one certificate if having two is a problem. :)


f0dder

Re: The SSL certificate industry is a messy business
« Reply #8 on: February 15, 2008, 06:52 AM »
housetier: I think the question being asked is "why use cacert instead of a self-signed certificate, when cacert's root cert isn't included with browsers?".
- carpe noctem
« Last Edit: February 15, 2008, 08:10 AM by f0dder »

housetier

Re: The SSL certificate industry is a messy business
« Reply #9 on: February 15, 2008, 10:10 AM »
Using cacert as CA
  • is convenient for me, because I don't have to set up my own CA
  • is convenient for some visitors, because I know some of them will already have imported their root cert
  • makes no difference on the trust scale

Yeah that's much better than what I originally came up with :)

jgpaiva

Re: The SSL certificate industry is a messy business
« Reply #10 on: February 15, 2008, 10:16 AM »
 :) I see house!

Thanks for the explanation ;)

jared1999

Re: The SSL certificate industry is a messy business
« Reply #11 on: February 22, 2008, 05:46 AM »
We use http://www.rapidssl.com/ at work, and have been very happy with their service. Certificates are not chained, prices are reasonable, and the registration process is very quick. They also have free trials.

If you need a certificate with more "weight" behind it you can get one from GeoTrust (RapidSSL is owned by GeoTrust), though I think that's unnecessary for most certificates.

fhayes

Re: The SSL certificate industry is a messy business
« Reply #12 on: February 22, 2008, 05:02 PM »
We also use RapidSSL for our home based business here and I have been very happy with them. At http://www.trustico.com/ you can get it for only $15/year. The whole process of getting and installing it was hassle free.

mouser

Re: The SSL certificate industry is a messy business
« Reply #13 on: November 30, 2010, 09:27 PM »
I think we are going to try StartSSL at DC soon. I will report on how well it goes. It looks like they have some neat features and so far I've been really impressed with them.

A comparison chart from Wikipedia: http://en.wikipedia....ates_for_web_servers

« Last Edit: November 30, 2010, 10:35 PM by mouser »

Renegade

Re: The SSL certificate industry is a messy business
« Reply #14 on: November 30, 2010, 10:55 PM »
I think we are going to try StartSSL at DC soon. I will report on how well it goes. It looks like they have some neat features and so far I've been really impressed with them.

A comparison chart from Wikipedia: http://en.wikipedia....ates_for_web_servers

app103 recommended them to me. I am using one of their certs on my webmail server now, and it seems fine.
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

mouser

Re: The SSL certificate industry is a messy business
« Reply #15 on: November 30, 2010, 10:58 PM »
damn app is ahead of me once again.

superboyac

Re: The SSL certificate industry is a messy business
« Reply #16 on: November 30, 2010, 11:21 PM »
I've always wondered about certificates.  How are they useful?  What additional level of protection do they provide?  For me as an end user, it's been nothing but a nuisance.  But I don't know enough about them to criticize them.

f0dder

Re: The SSL certificate industry is a messy business
« Reply #17 on: December 01, 2010, 02:43 AM »
I've always wondered about certificates.  How are they useful?  What additional level of protection do they provide?  For me as an end user, it's been nothing but a nuisance.  But I don't know enough about them to criticize them.
In addition to just enabling SSL/TLS encryption, a certificate allows a site to verify to a user that it is who it says it is. For a cert to be automatically accepted by your browser, it has to be signed by one of the system-accepted top-level cert authorities (VeriSign or a bunch of others). A cert includes a fingerprint, and this can be used to detect whether the server has been compromised and had a new cert installed, if there's a man-in-the-middle snooping, etc.

The system is definitely not perfect, since false certificates can be made if just one of the cert authorities is rotten, or slacks on verification procedures - and there's been some cert attacks on certs made with MD5 hashes. But it's hard to do much better, really.
- carpe noctem

40hz

Re: The SSL certificate industry is a messy business
« Reply #18 on: December 01, 2010, 04:58 AM »
+1 with f0dder.

They're better than nothing, but far from being a panacea.


f0dder

Re: The SSL certificate industry is a messy business
« Reply #19 on: December 01, 2010, 05:16 AM »
For really secure scenarios, I'd want to store the certificate fingerprint and verify it client-side, so I know nobody has tampered with the server I'm connecting to - but it's a bit impractical doing this for web browsing. And if you do that, you need an updating mechanism since certs eventually will need updating.

Bonus effect of doing cert fingerprint validation: you can verify that a certificate is good without depending on a CA, which means self-signed certs become a very real possibility.
- carpe noctem
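
The client-side fingerprint check described in Replies #17 and #19, including the update step for when a cert is replaced, as an added example (not code from the thread or any poster). `PinStore`, `connect_pinned`, the host name `mail.example.test` and the sample byte strings standing in for DER certificates are assumptions made up for illustration.

```python
import hashlib
import socket
import ssl

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()

class PinStore:
    """Hypothetical client-side store: host -> set of accepted fingerprints."""
    def __init__(self):
        self.pins = {}
    def add(self, host, fp):
        self.pins.setdefault(host, set()).add(fp.lower())
    def check(self, host, der_cert):
        """True only if the presented certificate matches a stored pin."""
        return fingerprint(der_cert) in self.pins.get(host, ())
    def rotate(self, host, old_fp, new_der):
        """Retire old_fp once the server presents a cert pinned ahead of time."""
        if not self.check(host, new_der) or fingerprint(new_der) == old_fp.lower():
            return False
        self.pins[host].discard(old_fp.lower())
        return True

def connect_pinned(store, host, port=443):
    """Open TLS with CA validation off; trust rests on the pin alone."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    tls = ctx.wrap_socket(socket.create_connection((host, port), timeout=5),
                          server_hostname=host)
    # Check the pin on this same session, before any application data is sent.
    if not store.check(host, tls.getpeercert(binary_form=True)):
        tls.close()
        raise ssl.SSLError(f"certificate fingerprint mismatch for {host}")
    return tls

# Constructed stand-ins for DER bytes; real input comes from getpeercert().
OLD_CERT = b"constructed DER: current self-signed cert"
NEW_CERT = b"constructed DER: renewed self-signed cert"
ROGUE_CERT = b"constructed DER: cert swapped in by an interceptor"

def demo(host="mail.example.test"):
    store = PinStore()
    store.add(host, fingerprint(OLD_CERT))
    store.add(host, fingerprint(NEW_CERT))  # backup pin shipped before renewal
    seen = [store.check(host, c) for c in (OLD_CERT, NEW_CERT, ROGUE_CERT)]
    seen += [store.rotate(host, fingerprint(OLD_CERT), NEW_CERT), store.check(host, OLD_CERT)]
    return seen
```

Because the pin covers the whole certificate, any reissue changes the fingerprint, which is why the next pin has to reach clients before the server switches over.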

Renegade

Re: The SSL certificate industry is a messy business
« Reply #20 on: December 01, 2010, 07:07 AM »
damn app is ahead of me once again.

No doubt. I can't count how many times I read posts from app103 here or on Facebook and end up following links all over the place. She's a wealth of cool, new information.
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

40hz

Re: The SSL certificate industry is a messy business
« Reply #21 on: December 01, 2010, 10:10 AM »
damn app is ahead of me once again.

No doubt. I can't count how many times I read posts from app103 here or on Facebook and end up following links all over the place. She's a wealth of cool, new information.

+1 x 10E2! April is definitely one of the 'go to' members at DC.

Be really cool if somebody had a paid blogging position they could offer her. She's better than some of the recognized "names" out there.

Any corporate, techsite, or publishing lurkers reading this?

« Last Edit: December 01, 2010, 10:12 AM by 40hz »

superboyac

Re: The SSL certificate industry is a messy business
« Reply #22 on: December 01, 2010, 10:48 AM »
40hz is right.  A while back, I was thinking about all the helpful people here who are very knowledgeable and the programmers are excellent.  It's a great mix of friendliness and good, practical help.  I wish I could create an itunes like store for people here so that it could be a one-stop shop for PC stuff.  Good advice, good solutions, easy to navigate, no fuss.  Maybe sometime in the future, I don't know.  With Google becoming increasingly unreliable and chaotic there's a need for easy, hassle free PC solutions.  And I would love it if some of the people here could make a comfortable living providing their expert-level services to folks out there.  I strongly feel we have some special talent on this board.

mouser

Re: The SSL certificate industry is a messy business
« Reply #23 on: December 06, 2010, 11:20 PM »
I've been really impressed with StartSSL so far.

Renegade

Re: The SSL certificate industry is a messy business
« Reply #24 on: December 06, 2010, 11:24 PM »
I've been really impressed with StartSSL so far.

The website is a shambles as far as design goes, but the certs work. So far the cert I'm using on my private webmail site is smooth. Haven't had a single user comment on it.
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker