Ask HN: What's the best company to buy SSL certificates from? - cioc
======
ofutur
Get the best SSL cert for the job...

If you just want to secure a login page for your own personal use, get a free
cert from StartSSL.

If you need to give access to the page to more people, it's best to get a
cheap cert from Comodo, etc. because they're compatible with more mobile
devices. Don't spend more than $15.

If you intend on selling something from the site, I'd recommend getting some
form of company validation on top of the standard domain validation which is
performed when buying cheaper certs. GeoTrust, Comodo, Globalsign, etc. can
help. It should cost less than $100.

The best certs to get to reassure your customers are the EV ones. No need to
go full Verisign and waste a ton of money on them, you can get them cheap-ish
from Globalsign, Comodo and Geotrust resellers.

If you're getting a cert generated by an established certificate authority, it
doesn't really matter who you buy it from. Aim for the best price for the
level of support that you want to get.

------
ck2
Don't feed the SSL cartel

Free SSL cert accepted by all modern browsers
<https://www.startssl.com/?app=1>

They are owned and operated by <http://www.startcom.org/>

~~~
mike-cardwell
startssl.com is part of the cartel you don't want to feed... Yes, they offer
free certificates, but only in order to market their paid certificates.

FWIW, I use free certs from startssl.com myself.

If you _really_ want to avoid the "cartel", use cacert.org or a self-signed
cert.

~~~
saiko-chriskun
I will use cacert as soon as they're part of the standard cert group on all
the major browsers :P

------
jvdh
StartSSL.com offers free yearly simple SSL certificates, and are supported by
all major browsers. If you want higher-grade, you'll have to pay. They're very
open about wanting to provide free simple certificates for everyone.

~~~
jorangreef
Re: StartSSL see [http://www.belshe.com/2012/02/04/rethinking-ssl-for-
mobile-a...](http://www.belshe.com/2012/02/04/rethinking-ssl-for-mobile-apps)

~~~
maaku
That's disingenuous. You should be bundling your CA cert with your cert
anyway, which would avoid that problem.

~~~
forgotusername
Neither the linked article nor any of the parent comments talk about
certificate chaining, which seems to be what you're referring to.

Also, please check the definition of 'disingenuous', it's massively overused
on Hacker News (often in a completely incorrect context).

~~~
maaku
jorangreef said "RE StartSSL..." then pointed to an article about the problems
of SSL w.r.t mobile apps. Since this is in reply to a very positive post about
StartSSL, the obvious inference is that his linked article provides some
evidence on why one wouldn't want to use StartSSL. But that's pure FUD because
the _only_ mention of StartSSL in the whole article is that they close their
connections so two more TCP connections are required to authenticate the
cert... but anyone worth their salt would be bundling in the CA cert anyway,
obviating the need for those connections.

I don't know what your beef is with 'disingenuous,' but that's exactly what I
meant.

~~~
forgotusername
OCSP isn't an optional step involved only if you don't present your CA's
intermediary certificate, it's in addition to it. The whole point of it is "I
have this guy with these legit looking credentials you issued, do you still
stand by them?".

You can't work around that with chaining, it can only be disabled from client
code, or by having the CA issue a cert that doesn't include an OCSP address
(doubt any do this now, given the number of legit certs issued to attackers in
the past 2 years).
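
The two points above, maaku's (bundle the intermediate with your server cert so
the client can build the chain without fetching anything) and forgotusername's
(the OCSP responder is named inside the leaf certificate, so revocation checking
is an extra round trip whether or not you bundle), as an added example that is
not code from anyone in this thread. It builds a throwaway root, intermediate and
leaf with openssl; the CA names, the hostname www.example.test and the OCSP URL
are made up for the demonstration.

```sh
#!/bin/sh
# Added example (not from the thread): build a root -> intermediate -> leaf
# chain, show that verification fails when only the leaf is presented and
# succeeds when the intermediate is bundled, and read the OCSP responder URL
# out of the leaf. All names, the hostname and the OCSP URL are hypothetical.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extensions for the two CA certificates (root and intermediate).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
# Extensions for the leaf: hostname SAN plus an AIA entry naming an OCSP
# responder, which is what a public CA puts into the certificates it sells.
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\nauthorityInfoAccess=OCSP;URI:http://ocsp.example.test/\n' > "$WORK/leaf.ext"

gen_csr() {  # $1 = base name, $2 = subject CN; writes $1.key and $1.csr
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

gen_csr root "Example Root CA"
gen_csr int  "Example Intermediate CA"
gen_csr leaf "www.example.test"

# Root: self-signed. Intermediate: signed by root. Leaf: signed by intermediate.
openssl x509 -req -days 30 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
  -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
openssl x509 -req -days 30 -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -set_serial 1 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
openssl x509 -req -days 30 -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
  -set_serial 2 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

# The client trusts only the root. "leaf-only" models a server that sends just
# its own certificate; "bundled" models one whose chain file also carries the
# intermediate (openssl's -untrusted is the equivalent of "sent by the peer").
# The exit status is the verdict.
chain_verifies() {
  if [ "$1" = bundled ]; then
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$WORK/leaf.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
  fi
}

# The OCSP responder is named inside the leaf certificate itself. Bundling the
# intermediate neither adds nor removes it, so a client that checks revocation
# still has to make that extra connection.
ocsp_url() {
  openssl x509 -in "$WORK/leaf.pem" -noout -ocsp_uri
}

if chain_verifies leaf-only; then echo "leaf only: verified"; else echo "leaf only: chain incomplete"; fi
if chain_verifies bundled;   then echo "with intermediate: verified"; else echo "with intermediate: failed"; fi
echo "OCSP responder in leaf: $(ocsp_url)"
```

The leaf-only check fails with "unable to get local issuer certificate", which is
exactly the error a browser hits when a server forgets to ship its intermediate;
the bundled check passes. The last line prints the responder URL from the
certificate, which is there regardless of what the server bundles.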

------
8ig8
FWIW, Stripe recommends DigiCert: <https://stripe.com/help/ssl>

> _We recommend DigiCert — their certificates have very wide acceptance (for
> example, Facebook uses a DigiCert certificate). Other options include
> NameCheap and GoDaddy. They have slightly lower acceptance but their basic
> certificates cost $10 to $20._

~~~
pasbesoin
FB's been switching over to VeriSign -- at least, in my neck of the woods. I
pay attention to certs, so I noticed this and took some time to somewhat
reassure myself that no MITM was going on. (If I'm wrong, someone please tell
me!)

------
finnw
I cannot recommend Comodo.

I paid for one of their certificates (through a re-seller) but they refused to
issue it on the grounds that they could not verify my phone number. It was
true that it was not in the directories they referred to, but they did not
make that clear before selling the certificate.

I would have made a chargeback, but was paranoid about them informing other
CAs of the fact - it would be a disaster if I was never able to get another
SSL certificate.

------
conanite
Side question: what's the best company for SSL certificates where you're
hosting multiple distinct domains for various clients on the same server? I've
read about SAN certs, but I haven't found any documentation ...

~~~
jd
As far as I know the only thing that works reliably is to get multiple IPs and
multiple (wildcard) SSL certificates. You can try to save a little money by
getting startssl certificates (free) or by using SSL host headers (multiple
SSL on one IP address), but it doesn't work on all browsers so you end up
wasting time explaining to your customers why they get an error when they
access their site.

~~~
rickard
What is "SSL host headers"? Is it wildcard certs, as Microsoft describes them on
[http://www.microsoft.com/technet/prodtechnol/WindowsServer20...](http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/596b9108-b1a7-494d-885d-f8941b07554c.mspx?mfr=true)?

~~~
zumda
I think he meant "Server Name Indication"
<https://en.wikipedia.org/wiki/Server_Name_Indication>

If there is more than one site hosted on a single IP, the client sends a
request for the SSL certificate. In the "old" way, the client didn't say to
which domain it wants to connect (it only told that after the SSL connection
was established), so the server didn't know which certificate to send.

The problem has been solved with SNI, but it isn't universally supported
(yet), though we are close (namely IE on XP). With SNI the client basically
tells the server to which domain it wants to open a secure connection, so the
server can serve the correct certificate.
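
The behaviour described above, as an added example that is not code from anyone
in this thread: two certificates behind one IP and one port, with openssl's
s_server choosing the second one only when the ClientHello's SNI extension
names it. The hostnames a.example.test and b.example.test and the port are made
up; the -noservername client option needs OpenSSL 1.1.1 or later.

```sh
#!/bin/sh
# Added example (not from the thread): serve two certificates from a single
# IP:port and let the client's SNI name decide which one is sent. Hostnames
# and the port number are hypothetical.
set -eu
WORK=$(mktemp -d)
PORT=44330

# One self-signed certificate per virtual host.
for host in a.example.test b.example.test; do
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$host" \
    -keyout "$WORK/$host.key" -out "$WORK/$host.pem" 2>/dev/null
done

# Default certificate is a.example.test; the b.example.test certificate is
# served only when the SNI name matches (-servername / -cert2 / -key2).
openssl s_server -accept "$PORT" -www \
  -cert "$WORK/a.example.test.pem" -key "$WORK/a.example.test.key" \
  -servername b.example.test \
  -cert2 "$WORK/b.example.test.pem" -key2 "$WORK/b.example.test.key" >/dev/null 2>&1 &
SERVER_PID=$!
trap 'kill "$SERVER_PID" 2>/dev/null || true; rm -rf "$WORK"' EXIT
sleep 1

# Connect with $1 in the SNI extension and print the CN of the certificate the
# server chose. The name travels in the ClientHello, before any certificate is
# sent, which is what lets the server pick the right one.
served_cn() {
  openssl s_client -connect "127.0.0.1:$PORT" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject | sed 's/.*CN *= *//'
}

# The pre-SNI case: no name in the ClientHello, so the server can only answer
# with its default certificate, whichever site the client actually wanted.
served_cn_no_sni() {
  openssl s_client -connect "127.0.0.1:$PORT" -noservername </dev/null 2>/dev/null \
    | openssl x509 -noout -subject | sed 's/.*CN *= *//'
}

CN_DEFAULT=$(served_cn_no_sni)
CN_FOR_B=$(served_cn b.example.test)
echo "no SNI -> $CN_DEFAULT"
echo "SNI b.example.test -> $CN_FOR_B"
```

A client that sends no SNI gets a.example.test whatever it wanted, which is the
"wrong certificate" error the earlier posts describe; one that names
b.example.test gets the matching certificate, and a name the server has no
dedicated certificate for falls back to the default.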

------
ibejoeb
Also, you might be interested in the trust relationships between the major
CAs.

\- <https://www.eff.org/files/colour_map_of_CAs.pdf>

\- <https://www.eff.org/files/DefconSSLiverse.pdf>

------
charliesome
I like Gandi. You get a free SSL certificate for a year with your domain, and
it's $12 a year after that.

~~~
agwa
They say you also get a free 1-year certificate with domain name renewals,
implying that if you renew your domains for 1 year you can get a perpetual
stream of free certs.

------
hencq
Slightly off topic, but how are people using SSL with App Engine? Last time I
checked they didn't support SSL on your own domain. I'm not sure if this is
similar for e.g. Heroku. I presume most non-trivial apps would have some kind
of secure login.

~~~
18pfsmt
Looks like it went into testing last October [1], otherwise people have been
using their appspot subdomains.

[1][http://googleappengine.blogspot.com/2011/10/app-engine-
ssl-f...](http://googleappengine.blogspot.com/2011/10/app-engine-ssl-for-
custom-domains-in.html)

------
leftnode
I get mine through DNSimple. I'm sure they're a reseller for another company,
but $20 a year for a single domain SSL and $100 a year for wildcard.

~~~
dangrossman
That's expensive. The same GeoTrust RapidSSL certificate is $9.95/year through
Namecheap, for example.

------
crististm
I can imagine the SSL cert sellers laughing at those buying them. How it is
that money can BUY TRUST is beyond my comprehension.

~~~
nodata
Well how can you trust a company you have never dealt with before? It used to
be that SSL certificates were a mark of insurance, proof that they had thought
about securing your data in transmission, and proof that someone had validated
the company as being real (like an auditor should). Nowadays points 1 and 3
are no longer true.

------
XERQ
We've used Comodo certs for our projects, given out for free by our provider
SSD Nodes (<http://www.webhostingtalk.com/showthread.php?t=1122631>). I think
the certs by themselves are $9-10/year if you decide to get them on your own.

------
georgelawrence
A little off topic, but I'm thinking of using CloudFlare's "Easiest SSL
Ever"... Is anyone here using it?

[http://blog.cloudflare.com/easiest-ssl-ever-now-included-
aut...](http://blog.cloudflare.com/easiest-ssl-ever-now-included-
automatically-w)

~~~
traxtech
Not yet, but that's my plan :) I'll set up CloudFlare soon, for the "go live"
of my new startup this month.

------
charliepark
I get ours through our registrar (who also does our sideproject hosting),
DreamHost. They have $15/year certificates (via Comodo), and you automatically
get both the root and the www. subdomain of the certificate, included in the
price.

------
citricsquid
What's your goal? There are all types of certificates, some cheap and some
expensive. If you're aiming for cheap, companies like Namecheap and GoDaddy
sell them for peanuts but they're "cheap" certificates, not with bells and
whistles.

~~~
Mavyrk
Is there a chance you could elaborate on this some? What would some example
"bells and whistles" be with regards to SSL certs?

~~~
XERQ
Verisign EV certs get the green text along with the name of the company in the
browser (ex: <https://paypal.com>)

More information: [http://www.verisign.com/ssl/ssl-information-
center/extended-...](http://www.verisign.com/ssl/ssl-information-
center/extended-validation-ssl-certificates/index.html)

~~~
gnu8
All EV certificates provide that feature, not just the ones sold by Verisign.
Are you a paid shill of Verisign?

In general, no one should ever do business with Verisign, due to their
practice of domain slamming, their Site Finder misfeature, and other shady
practices.

~~~
GFischer
Do they still do that? Thanks for pointing that out though, I found this:

[http://www.theregister.co.uk/2002/05/14/verisign_hit_with_sl...](http://www.theregister.co.uk/2002/05/14/verisign_hit_with_slamming_lawsuit/)

through Wikipedia:

<http://en.wikipedia.org/wiki/Domain_name_scams#cite_note-6>

"VeriSign was sued in 2002 for their actions in sending ambiguous emails
informing people, often incorrectly, that their domain was about to expire and
inviting them to click on a link to renew it. Renewing the domain resulted in
the registration company being transferred to VeriSign from the previous
registrar."

~~~
smountcastle
Verisign cannot do that anymore since they no longer operate a registrar
(Network Solutions was spun-off/sold-off).

~~~
GFischer
Ok, I didn't know that. What I should investigate is whether the same people
that authorized those shady tactics are still in charge there (or whether that
culture persists).

------
shocks
I use <http://exoware.net/>. They're a small company, but they care and they do
a good job so we get along just fine. SSL starts at £15 a year and goes up.
£70 per year for a wildcard.

------
plaes
I use cacert.org (free) on my private stuff. Unfortunately they are not
included with Mozilla, so leaning towards startssl.com for my public project.

------
ibejoeb
I like <https://www.alphassl.com/>. It's one hop down the chain from the
Global Sign root.

------
josephb
NameCheap has been great for me, for SSL certificates and domains.

------
blakdawg
startssl.com is free.

------
getsat
Digicert is ballin'. Using them on a few sites.

------
oblasco
Comodo with PositiveSSL is a bargain for $9 USD

------
foobarbazetc
Ignore anyone in this thread telling you to use StartSSL.

When you care about your cert (validated, EV, etc): DigiCert. When you don't
care that much: RapidSSL from Namecheap.

The end.

~~~
RyanMcGreal
> Ignore anyone in this thread telling you to use StartSSL.

Why? What's wrong with it?

------
dshep
I had a good experience with StartCom.

------
tyrelb
name.com

------
qedeshbala
I would definitely advise startssl.com to you, they offer free SSL
certificates.

