News and Reviews > Mini-Reviews by Members

StartSSL.com Certificate Provider: Mini-Review

(1/5) > >>

mouser:
I want talk a little bit about about StartSSL.com, a company that provides SSL Certificates.  They actually do a lot of things under the umbrella of StartCom, but I'm only going to talk about SSL services here, and in particular, SSL Certificates for web sites.


https://www.startssl.com/


Preface: An Introduction to SSL Certificates

SSL Certificates are a source of much frustration for small companies and indie website operators.

The idea of SSL Certificates is a good one.  They offer a way for users who connect to your website to have some assurance that you are who you say you are -- that the person running the website they are connecting to is really the person in charge of the organization they say they are, and that they aren't being tricked by someone who has intercepted their connection to the web (man-in-the-middle style attacks).

But web browsers (firefox, internet explorer, chrome, opera, safari, etc.) have decided to combine this idea of verifying the identity of the company running a website with the mechanism for establishing a secure connection protocol from your browser to the website (https).  Secure connections can be very important in preventing neighbors and snoops from discovering your login passwords, etc. as you browse the web.

Unfortunately, the way that web browser makers have combined these features has results in a real dilemma for small developers and indie website administrators.

When a user tries to connect to a website using https, the web browser will check that the website has an SSL certificate from a "trusted" provider.  And while it's possible for anyone to create a (self-signed) key that enables their website to support encrypted communications, without a PURCHASED and VERIFIED certificate, users will receive a big warning when they connect, telling them that they are about to connect to a untrusted/unverified site.

Many web browsers make this "warning" overly scary and complex to deal with.  FireFox makes the user go through a bunch of hoops that will scare away most inexperienced visitors and have them running for the hills rather than try to connect to your website if you use a self-signed certificate.  They will assume something is wrong with your site or that it can't be trusted.

The answer seems clear then, for website developers: Purchase an SSL Certificate from a "trusted" provider.

Surely buying and using such a certificate can't be too expensive if we expect everyone to be doing this, right?  Don't make me laugh...


The SSL Certificate Provider Mafia

The SSL certificate provider industry feels like a mafia run extortion racket.  It is absolutely outrageous how expensive it is to get reasonably flexible and valid SSL certificates.

If you have one single website domain (let's say thesslmafia.com), and don't use any subdomains (i.e. don't use things like haters.thesslmafia.com), then you can actually purchase an SSL certificate for the relatively reasonable fee from most providers ($100-$300 per year).  Don't have that kind of money? Tough luck.

But where things get really truly ugly and evil is when you need more than one certificate, because you own more than one domain name, or use subdomains more frequently.  Now you are looking at $100-$300 PER DOMAIN NAME.  How's that for affordable?


Enter StartSSL.com

And now we come to StartSSL, a company making waves in the SSL Certificate business.  As Gothi[c] (the dc server admin) aptly put it: "StartSSL is taking on the SSL Certificate Mafia!"

What makes StartSSL different is that they charge you to validate your identity and company, and *NOT* to generate additional certificates for different domains and subdomains.  So once you pay for validation, which is a real bargain rate ($50 for personal validation and $50 on top if you want to validate that you are the owner of a particular company), you can generate as many domain and subdomain certificates (including wildcard *.domainname.com certificates) as you need.

To see how unusual this is, check out the wikipedia page comparing SSL Certificate providers:
http://en.wikipedia.org/wiki/Comparison_of_SSL_certificates_for_web_servers

Look at that chart under the columns for number of domains and subdomains included, and you'll start to get an idea of why StartSSL is so wonderful.  Almost every other provider is forcing you to pay through the nose for each domain and subdomain you need to add.

The cost of having to pay for additional certificates (and wildcard certificates) for DonationCoder.com is why we've not previously made the leap to using proper validated SSL certificates on this website.  We just couldn't afford it and refused to give in to the unfair charges demanded by certificate providers.

Until I found StartSSL..


The StartSSL Experience

When we moved servers recently I decided to check out StartSSL.com, and i've been incredibly impressed.

Now you have to understand that StartSSL is a small operation, with a website control panel that leaves much to be desired.  The website and control panel feel a bit clunky and slow and outdated, and can be confusing at times.  BUT they get the job done, and the services provided by StartSSL are great and unique.

I had no trouble at all getting verified and validated -- the process was extremely smooth and fast -- and after one personal phone call from Eddy Nigg, who is the face (and founder?) of StartCom to verify some information and scanned documents, we were able to generate certificates for the new DonationCoder.com server.

Verification Options and Classes

With all SSL Certificate providers, you have some options regarding the quality of the verification of your (and your site's) identity.  This is related to the idea of the SSL Certificate class.  In general, the higher the class, the more expensive it is, the more difficult it is to get (in terms of proving your identity to the Certificate Provider company), and the more sure a visitor can be that you and your site are who you say you are.

With all of the other certificate providers I have seen other than StartSSL, you pay a yearly fee for a specific certificate for a particular domain (or a collection of 1-5 domain names).  The cost will depend on the class and number of certificates you want.

StartSSL is different.  With StartSSL you can get a one year personal class 1 certificate, for free -- which I understand is good enough to remove the browser warnings about untrusted certificates that you get with a self-signed certificate.  The only limitation is that you can only get this free certificate with one email/domain/subdomain [NOTE: I am informed that I may be wrong about this limitation so you need to check on this].

What you probably want from StartSSL if you are serious about using SSL certificates for your small business, or if you have lots of domains/subdomains, is a class 2 (or above) verified certificate.  The way StartSSL works is that you pay about $50 to verify your personal identity, after which you can generate new class 2 certificates for any number of domains/subdomains over the course of a year (the certificates themselves actually last two years).  This should be enough to have browsers display your site as trusted when accessed through https and eliminate any extra steps they would otherwise have to take.  If you want, you can pay an additional $50 on top of the personal verification process to verify your business, which let's people know that they are dealing with the business associated with your website, rather than just a known person.  Again, certificates last two years, and you can generate as many different domain and subdomain (and wildcard) certificates as you want for a one year period, before you have to renew your verifications.  Again, it is the ability to generate many different certificates for different domains that makes StartSSL stand out apart from the crowd, and what makes it so useful for small companies.

StartSSL also offers (class 3?) extended validation certificates which cost $200 and require serious verification steps; the benefit is a green status bar in the user's browser windows -- something that giant companies like amazon.com might care about but small companies needn't worry about.  At DonationCoder.com we went with a $50 personal verification and $50 business verification and the process was painless.

A word on Eddy Nigg and the service at StartSSL

Generating and installing certificates can be a bit tricky.  But they are nothing compared to Code Signing.  StartSSL also lets you generate code signing certificates and I went through the process a couple of times while trying to learn how to do it.  At one point I (thought) I needed to revoke a certificate I had generated (unfortunately StartSSL only allows you to have one code signing certificate at a time, and I hope they change this).  There is a fee to revoke a certificate and I figured we were getting such a great deal that I just clicked to pay it and have the certificate revoked.  Imagine my surprise when I got a personal email from Eddy offering to help me figure out what was wrong.  Eventually he revoked the certificate without a charge(!) and continued to help me figure out my problem, which I was able to do and managed to get code signing to work (code signing is a matter for a separate post and is a complicated and questionable thing -- but it's great that you can do it with StartSSL).

Now I don't think one can expect this kind of personal service all the time from a small SSL certificate provider, I certainly didn't.  Maybe some of the companies selling certificates for $400 do have serious help desks for this kind of thing, I don't know, but I wouldn't be terribly surprised.  If you have that kind of money to throw around maybe you can find out.  But I was very impressed with how hands on and helpful Eddy was.  StartCom also has a pretty active forum where you can get help from other users (and you'll find Eddy on there as well!), which is a big help when you run into trouble..


Summary

There is a near-criminal racket going on in the world of SSL Certificate Providers; most providers charge outrageous rates for inflexible certificates that force you to keep buying additional certificates for each domain you own.

Within this vast wasteland of greed, StartSSL stands out as a beacon of hope for small developers and website owners.  Bravo!  :up:


More Info

For information about SSL Certificate providers see:


* StartSSL Homepage
* Earlier DonationCoder.com forum thread on SSL Certificate Providers
* Nice Wikipedia chart comparing provider costs/features
* SSLShopper Certificiate Provider Wizard (and reviews, including of startssl)

NOTE: I have no relation to StartSSL; I am just a satisfied customer.

f0dder:
But web browsers (firefox, internet explorer, chrome, opera, safari, etc.) have decided to combine this idea of verifying the identity of the company running a website with the mechanism for establishing a secure connection protocol from your browser to the website (https).  Secure connections can be very important in preventing neighbors and snoops from discovering your login passwords, etc. as you browse the web.-mouser (December 19, 2010, 02:20 PM)
--- End quote ---
Hm, "web browsers have decided"? SSL, which offers both confidentiality and authenticity, was in place - web browsers simply chose to use the standard rather than inventing some new and fancy scheme.

I agree that SSL certificates is a b*tch, though, and that the CAs are a rotten charge-trough-the-nose mafia - it's a disgusting business. I'm surprised that (if?) startSSL is part of the OS/browser pre-accepted authorities, since their services sound almost too good to be true.

As for the warnings browsers do on self-signed certificates, well, I'm afraid that they do have to be somewhat severe. Outside of special services, or corporate intrawebs (where you can usually manage rolling out custom corporate CA certs to the invididual machines anyway), self-signed certs would usually be a sign of something bad going on. Regular users can't be expected to understand WHAT this is all about, and even less to verify certificate fingerprints, so not complaining loudly about self-signed certs == free lunch for man-in-middle attacksers.

The real problem is how expensive certificates are, and how you're charged for them (paying extra for "real verification" and "stronger encryption", not to mention the horrible domain fees; all the CAs I've been looking at previously easily classify as con-men), not to mention that security isn't all that hot anyway (good old social engineering skills against the CAs). But the mechanism itself isn't to blame, and I honestly can't think of a decent security infrastructure that doesn't depend on CAs.

mouser:
As for the warnings browsers do on self-signed certificates, well, I'm afraid that they do have to be somewhat severe
--- End quote ---

I don't really agree with you, though i see the point you are making.

But I see this as in the same vein as the false positive virus warnings that antivirus programs sometimes give -- if they don't understand it then they just scare the user, and the one who loses is the small developer who can't afford to grease the wheels to get their programs (or websites) certified as trusted.  I guess my complaint is not the warnings in isolation, it's the combination of the severe scary warnings combined with how expensive it has been to get flexible proper certificates.

I suppose for website certificates, now that there is a way to get free and cheap proper ssl certificates, it's not such a big deal and I shouldn't blame the browsers too much.  But I just think the warnings that browsers put up are far too misleadingly severe.  There are lots of ways that a website can be infected and made to do bad things, and the LEAST likely of those is to have a man in the middle attack that forges an ssl certificate.  Unless you are controlling inter-ballistic missles over the web, i just think ssl certificate forgeries are the least of your realistic concerns, and the browser warnings should reflect that.

HOWEVER, as i said before, given that it's now possible to generate verified certificates for free/cheaply, i guess the solution is just to use these instead of self-signed ones.

Gothi[c]:
I'm surprised that (if?) startSSL is part of the OS/browser pre-accepted authorities, since their services sound almost too good to be true.

--- End quote ---

They work just fine in newer browsers.
IE6 might still complain about it for example.
Works great here in FF3

mouser:
Here's a thread on the StartSSL forum about programs and services that trust StartSSL certificates:
https://forum.startcom.org/viewtopic.php?f=15&t=1802

Navigation

[0] Message Index

[#] Next page