
Ask HN: What's the best company to buy an SSL certificate from? - petecooper
I am embarking on an upcoming Magento e-commerce project, target demographic is security-aware business customers. The extended validation (green bar) SSL is -- in my view -- required for the website.

There was an Ask HN thread [1] from nearly three years ago that asked the same question, and a variety of answers were provided. On the one hand, there's the "don't spend more than x" on a certificate, and there's the flip side of "get a green bar, it's worth it".

The specifics:

- site is running atop Magento 1.9 on LAMP, payments processed offsite by Braintree (i.e., no credit card details stored on the website)
- initially 1x IP address, hosted from a UK data centre
- static components may be served from a non-www subdomain (i.e., static.example.com) in future, which may be the same or different IP address

My questions:

1. Who's worth shortlisting in 2014?
2. If you consider yourself a security-aware shopper, would you be dissuaded from purchasing from a site with standard (`non-green`, if you will) SSL?

Thank you in advance.

[1] https://news.ycombinator.com/item?id=3556796
======
powertower
The problem with EV (green bar) certs is the browser usually ends up checking
the certificate status via CRL or OCSP (URI is specified in the cert), which
can add an additional 0.5 to 10+ seconds before the page is displayed. More so
when the CA servers are down or the connection times out.

So if you do go for an EV cert, go for the one that has the best listed uptime
on its CRL or OCSP servers.

Having said that, I would never spend more than $10 on a cert, and just use
the most standard/common "bundled" CA cert. No one will ever know. It will
have faster page loads. And those fake stories that EV certs increase
conversions are exactly that, fake and misleading. No one with real world
experience has ever claimed to see a positive difference with EV certs.

The only problem with cheaper certs is you have to bundle the intermediary CA
certs...

[http://www.devside.net/wamp-server/installing-comodo-positivessl-certificate-bundled-with-root-and-intermediate-ca-certificates-on-apache](http://www.devside.net/wamp-server/installing-comodo-positivessl-certificate-bundled-with-root-and-intermediate-ca-certificates-on-apache)

~~~
pbreit
Such bad advice given the inquiry. Obviously a lot of OP's customers are going
to want the "best" certs (whatever that means). Or they're going to want
"their name in green".

It's important to answer in the context of the question.

~~~
powertower
"So if you do go for an EV cert, _go for the one that has the best listed
uptime on its CRL or OCSP servers._"

[http://uptime.netcraft.com/perf/reports/performance/OCSP](http://uptime.netcraft.com/perf/reports/performance/OCSP)

How is the above bad advice, and not answering the context of the question?
What other possible qualification is there for "best" EV certs? They are all
"green bar". There is little else to them except price differences.

His customers are going to want a responsive page load time, none of them are
going to pull the certificate to make sure he went with a DigiCert EV instead
of a GeoTrust EV.

~~~
pbreit
I was responding mainly to: "I would never spend more than $10 on a cert" and
"No one will ever know" and "can add an additional .5 to 10+ seconds" and "Ev
stories are fake" and "no one with real world experience has ever had positive
experience".

Having worked with thousands of businesses in ecommerce I can guarantee you that
a large percentage will want their name to appear "like PayPal and Citibank".

------
kfreds
Pick one that can deliver the full certificate chain without using SHA-1.

The faster the web moves away from SHA-1 the better, and rewarding companies
that are already abstaining from SHA-1 contributes to our collective security,
in the case of HTTPS.

You should also do it for purely selfish reasons. Chrome is sunsetting SHA-1
for use in certificate signatures, and Chrome will eventually show SHA-1
certificates as insecure. See the link below.

[http://googleonlinesecurity.blogspot.se/2014/09/gradually-sunsetting-sha-1.html](http://googleonlinesecurity.blogspot.se/2014/09/gradually-sunsetting-sha-1.html)
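As an added example (not code from this thread or from any poster), here is a small Python script that checks the two properties raised in this post and in powertower's post above: that the bundle a server sends actually includes the intermediate certificate(s) rather than just the leaf, and that no certificate in that chain carries a SHA-1 signature. It uses only the standard library and walks just enough of the DER structure to reach the `signatureAlgorithm` OID. The OID-to-name table holds real, well-known OIDs; the sample bundles are constructed skeletons with the outer shape of a certificate, not real certificates, and every function name is mine.

```python
import base64
import re

# Real signature-algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758).
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
WEAK_ALGS = {"sha1WithRSAEncryption", "ecdsa-with-SHA1"}
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos).
    Single-byte tags only, which is all the outer layers of X.509 use."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode the content bytes of a DER OBJECT IDENTIFIER to dotted form."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der_cert):
    """Name (or dotted OID) of the algorithm the issuer used to sign this cert.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    signatureAlgorithm ::= SEQUENCE { algorithm OID, parameters OPTIONAL }"""
    tag, body, _ = read_tlv(der_cert, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(body, 0)           # skip tbsCertificate
    tag, alg_id, _ = read_tlv(body, pos)    # signatureAlgorithm
    tag2, oid_raw, _ = read_tlv(alg_id, 0)
    if tag != 0x30 or tag2 != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    oid = decode_oid(oid_raw)
    return SIG_ALG_NAMES.get(oid, oid)


def audit_chain(pem_bundle):
    """One record per PEM certificate, in the order the server sends them
    (leaf first, then intermediates; the root is normally not sent)."""
    results = []
    for i, b64 in enumerate(PEM_CERT_RE.findall(pem_bundle)):
        alg = signature_algorithm(base64.b64decode("".join(b64.split())))
        results.append({"index": i, "algorithm": alg, "weak": alg in WEAK_ALGS})
    return results


def chain_is_acceptable(pem_bundle):
    """True when the bundle has a leaf plus at least one intermediate (so the
    client need not fetch it) and no SHA-1 signature anywhere in the chain."""
    chain = audit_chain(pem_bundle)
    return len(chain) >= 2 and not any(c["weak"] for c in chain)


# --- constructed samples below; none of these is a real certificate ---------
def der(tag, content):
    """Minimal DER encoder (short-form lengths) for building the samples."""
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content


def fake_cert(oid_hex):
    """CONSTRUCTED skeleton with a Certificate's outer shape: placeholder
    tbsCertificate, a real AlgorithmIdentifier OID, and a dummy BIT STRING."""
    tbs = der(0x30, der(0x02, b"\x01"))
    alg = der(0x30, der(0x06, bytes.fromhex(oid_hex)) + der(0x05, b""))
    sig = der(0x03, b"\x00" + b"\xAA" * 8)
    b64 = base64.b64encode(der(0x30, tbs + alg + sig)).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64


SHA1_RSA_OID_HEX = "2a864886f70d010105"    # 1.2.840.113549.1.1.5
SHA256_RSA_OID_HEX = "2a864886f70d01010b"  # 1.2.840.113549.1.1.11
MIXED_BUNDLE = fake_cert(SHA256_RSA_OID_HEX) + fake_cert(SHA1_RSA_OID_HEX)  # SHA-1 intermediate
CLEAN_BUNDLE = fake_cert(SHA256_RSA_OID_HEX) * 2                            # leaf + intermediate
LEAF_ONLY_BUNDLE = fake_cert(SHA256_RSA_OID_HEX)                            # intermediate missing

if __name__ == "__main__":
    for name, bundle in [("mixed", MIXED_BUNDLE), ("clean", CLEAN_BUNDLE), ("leaf-only", LEAF_ONLY_BUNDLE)]:
        print(name, audit_chain(bundle), "acceptable:", chain_is_acceptable(bundle))
```

The mixed bundle is the case that bites in practice: a freshly issued SHA-256 leaf served with an older SHA-1 intermediate still gets flagged, because the browser evaluates every signature in the chain it is handed. To check a live server, feed the output of `openssl s_client -showcerts` into `audit_chain` instead of the constructed samples.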

~~~
Silhouette
_You should also do it for purely selfish reasons. Chrome is sunsetting SHA-1
for use in certificate signatures, and Chrome will eventually show SHA-1
certificates as insecure._

Referring specifically to this point, and not to your wider point about moving
away from SHA-1, "because one browser maker said so" is rarely a good reason
to do anything.

Google has an irritating habit of deciding it knows best for the entire world,
but often it gets that call wrong and winds up degrading the experience for
people who aren't in its chosen group of blessed users. The Firefox team are
similarly arrogant at times.

However, in the real world, large organisations also use browsers to access
intranet sites, and their requirements -- particularly with regards to
security -- may be different to users surfing the public Web. Developers do
need to do things with sites that aren't fully configured yet or are in
transition from one system to another even if those things might not be a good
idea when surfing the public Web. And so on.

So, I urge you to support good practices by making solid technical arguments
for them. For example, in this case you could explain or link to information
about why the SHA-1 issue matters for those who don't know. Please don't
promote browser makers as authoritative sources of best practices instead,
because often they aren't.

~~~
IgorPartola
Correction: two browser vendors who between them have more than half of the
browser share. And the solid technical argument is that SHA-1 is no longer
considered secure.

~~~
Silhouette
They don't have a majority on any site I run, but even if they did, that
wouldn't be the point. Decisions about technical matters -- and _particularly_
about security policies -- should be made on the basis of evidence, not
appeals to authority.

For example, instead of saying "it's a good idea to do this because Google
will show scary messages", it would be more helpful to link to a site with a
test tool and explanatory information about the underlying issue, such as this
one:

[https://shaaaaaaaaaaaaa.com/](https://shaaaaaaaaaaaaa.com/)

~~~
bad_user
I find appeals to authority OK, given that if 50% of market share wouldn't be
on board, _nobody_ would consider adopting it.

~~~
Silhouette
Anyone serious about security would, and they'd be doing it _now_ , not in a
few months just because Google decided to show some different pixels on a
screen from that date.

------
michaelbuckbee
To the point of EV certs, if you haven't checked in a while the browser
vendors have _really_ started to de-emphasize non EV (standard certs).

Here's a visual comparison I put together:

[https://www.expeditedssl.com/pages/visual-security-browser-ssl-icons-and-design.html](https://www.expeditedssl.com/pages/visual-security-browser-ssl-icons-and-design.html)

How you feel about this probably centers around whether you view SSL more as a
cryptographic means of securing a connection (stopping traffic snooping) or if
you view the SSL+Browser iconography as a means of site identification
(stopping phishing attacks).

~~~
citadelgrad
Thanks for sharing this. It's really interesting to see exactly how each
browser handles both standard and EV certificates.

------
iancarroll
My startup is actually centered around this. If anyone wants to purchase a
certificate through me, I'll happily give you the lowest rates I can. ($25 EV
or $40 wildcard)

Our homepage is [https://certly.io](https://certly.io), shoot me an email at
ian@certly.io

~~~
wpietri
I am an early adopter, but the blank home page and blank blog are a little too
early for my tastes.

~~~
iancarroll
We haven't launched yet, and won't be for a while. I'll probably write a post
or two about the development soon.

~~~
wzy
Can you at least create a "Coming soon" page with a signup form?

~~~
iancarroll
Yeah, I'm redoing the homepage now but CloudFront takes a while to clear the
cache.

------
AdamGibbins
1. DigiCert. They're not the cheapest, but they really have their stuff
together. Their support is awesome (speedy, technically competent, and human).
They're also proactive about identifying issues with your certs, they handled
the heartbleed incident perfectly - reissued for free with no issues.

2. No

~~~
listic
Wow, one needs a super premium $595 "Wildcard Plus™" plan to secure an entire
domain. Is this normal or a blatant ripoff?

~~~
jacquesm
It's a rip-off but plenty of people think it is normal so I'm not sure what to
answer your question with.

I think the whole certificate business is a rip-off, the only thing that
'green bar/lock icon/whatever' says is that someone at some point in time was
able to pay some low dollar amount, but not who, what amount and if they're
trustworthy in any way.

------
madhurjain
[https://www.startssl.com](https://www.startssl.com)

2 Years wildcard for $59.90

~~~
thesimon
They charge for reissuing certs though.
[https://news.ycombinator.com/item?id=7557764](https://news.ycombinator.com/item?id=7557764)

~~~
mmastrac
That's not a good reason to skip over them. Unless you expect multiple
Heartbleed-severity bugs to be exposed in two years you are still way ahead.
Just don't lose your private key.

~~~
UnoriginalGuy
You actually only need a single one to make it cheaper to go elsewhere, they
charged $25/revocation, which brings the price up to $85 which no longer makes
them the most cost effective.

Heck for $99 you can buy a Comodo "EssentialSSL" wildcard, which grants you
unlimited re-issue (plus you don't have to deal with StartSSL's terrible UI):

[https://comodosslstore.com/essentialssl-wildcard.aspx](https://comodosslstore.com/essentialssl-wildcard.aspx)

------
mrweasel
I honestly don't think it matters much where you buy your certificates. In the
end it's the same product, plus or minus some service you may or may not care
about.

Should your certificate provider do something stupid you can switch to a new
provider in 30 minutes, assuming you don't pick EV.

The EV certificates look good, but that's about it. They do come with at least
two disadvantages:

1. If your company name is different from the domain name it's going to look
weird. We dropped having an EV because we're not interested in having the name
of our parent/holding company in the address bar.

2. If you later switch back to a regular SSL certificate it is going to look
suspicious to your regular customers.

That being said, we use Trustzone
([http://www.trustzone.com](http://www.trustzone.com)). They provide
GlobalSign SSL certificates at a reasonable price. I like that they email us,
or call if we don't react, a few months before our certificates expire. We
also have our own account manager who helps with new certificates and
renewals. It's extremely nice just be able to call someone.

------
agwa
Check out my startup, SSLMate: [https://sslmate.com](https://sslmate.com).
What sets SSLMate apart is that we're working on making SSL certificate
management extremely easy on Linux servers. You buy certs from the command
line in a single step that takes a minute or less and automates important
details like bundling the chain certificate. You can set up a cron job for
automatic renewals. Even well-run sites have been known to forget or botch
cert renewals, and we want to put an end to that by automating everything.
Many features are in the pipeline and will be announced in the coming weeks.

Regarding EV certs, they're not worth the extra money and inconvenience. They
provide no additional security, and the assurance they provide visitors is
highly questionable (e.g. see shiftpgdn's comment about how switching to a
non-EV cert resulted in absolutely no change in order metrics:
[https://news.ycombinator.com/item?id=8344666](https://news.ycombinator.com/item?id=8344666)).

~~~
iurisilvio
I didn't find pricing information about your certs. I even tried to register
to find these prices, but you asked me for my credit card. Sorry.

~~~
agwa
It's on the home page:

Standard: $15.95/year

Wildcard: $149.95/year

But thanks for the feedback; I'll make this more prominent.

------
ayrx
Just to address point 2. No. Those who say yes probably do not understand what
EV certs actually do.

You get the exact same level of security from EV and non-EV certs. The whole
"extended validation" criteria is pretty handwavy and varies from CA to CA.
Paying more for that warm, fuzzy feeling isn't worth it.

~~~
tkeith
Who are you to say that, for him, giving his customers a "warm fuzzy feeling"
isn't worth paying a few hundred dollars? It could easily increase revenue far
more than that.

------
hackuser
Don't EV certs create a net increase in security risk (if any web users
understood what they were supposed to mean)? I'm not an expert in these issues,
but I've always doubted their security value:

EV certs are supposed to communicate certainty[1] to typical web users about
identity, confidentiality, and integrity. But, if I understand correctly,
obtaining EV certs in someone else's name (or something close enough to fool
web users) is possible without great cost, and so that message of high
security is misleading. If EV certs were believed by end users, wouldn't we
merely be creating a social engineering security hole? Competent thieves also
would use EV certs and increase trust in their websites too.

Thankfully, I've never met an end user without technical knowledge who
understood what an EV cert was. I do know what they are and I don't trust them
more than regular certs (which is not much for identity, but I do as
protection against low-cost confidentiality and integrity attacks).

[1] Re: "certainty": I know EV certs are supposed to be more secure and not
perfectly secure, and that there is no perfect or 'certain' security. However,
few end users understand the latter, and of the ones that do few would take
the time to learn the degree of increased security EV provides. We shouldn't
say, 'trust the green bar' unless we expect people to do it.

~~~
iancarroll
Could you explain more about obtaining it under someone else's name? There are
many checks in place to prevent this.

~~~
hackuser
> Could you explain more about obtaining it under someone else's name? There
> are many checks in place to prevent this.

Here's what I know, which is not conclusive but possibly persuasive, and as I
say below, I've never seen someone call the checks effective: 1) In my
experience obtaining regular certs, the identity verification looked
ineffective (though I wasn't trying to fool anyone). 2) Regarding both EV and
regular certs, I've read several times about ineffectiveness of the
verification, and I've never seen someone say otherwise. 3) Finally, effective
verification is hard and manually intensive; it's hard to believe it's
economical or practical for the large volume of certs issued.

~~~
iancarroll
Organizationally validated certificates do not require a lot of paperwork or
manual validation. The effectiveness of the verification is still a topic for
discussion. However the last point is dubious at best, as CAs make >$30-40 per
certificate and validation takes max 30 minutes spread out over a day or two
(typically).

I will say there are very few maliciously issued EV certificates.

~~~
hackuser
Thanks for responding. I get the sense that you have some expertise in this
field? As I said above, I don't, so if you do please forgive any ignorance on
my part:

> CAs make >$30-40 per certificate and validation takes max 30 minutes spread
> out over a day or two (typically).

$30-40 isn't much, and 30 minutes doesn't seem nearly sufficient to reliably
verify someone's identity.

> I will say there are very few maliciously issued EV certificates.

How do we know? And is there a lower fraud rate for EV certs than for standard
certs? (Probably there is little fraud in any set of business transactions --
otherwise nobody would participate -- but I don't think that's what you mean.)

~~~
iancarroll
Sorry for the late reply:

> 30 minutes doesn't seem nearly sufficient to reliably verify someone's
> identity.

It's actually not that long of a process once you read over the CPS's of a few
CAs and the EV baseline.

> How do we know?

Ah, the golden question! Hopefully CT (certificate transparency) will sort
this out within the next 3 years. My statement _is_ an assumption but any high
level fraud (e.g. Google/MSFT) is caught immediately (chrome pinning/reporting
and internal CA logs, if you're not DigiNotar). I don't know about small
companies though.

I don't think there's ever been a maliciously issued EV cert _in the context
of_ the ComodoHacker and other very public hacks. They typically have tighter
internal controls, that I know (e.g. RAs have very limited EV issuance power)
but I have no numbers. :(

You should note that EV implies DV validation, so, to maliciously issue a
certificate without hacking, an attacker would probably settle for a DV cert.

------
IgorPartola
startssl.com gives out free certs to individuals. This is great for personal
projects, blogs, etc. Otherwise I use Namecheap and their $9 certs. I have not
found a great wildcard cert provider yet (why all certs are not wildcard by
default is beyond me).

------
cheald
1. I use Namecheap, generally their resold Comodo offerings. No complaints.

2. No. An EV cert is nice little warm fuzzies, but the absence of it doesn't
really tell me anything useful that would dissuade me from making a purchase.

------
junto
And cue the SSL resellers and affiliates!

3. 2. 1. Go!

------
corford
Hard to beat [http://gogetssl.com](http://gogetssl.com) price wise. I'd get a
Comodo Positive SSL Wildcard so you can use it for the main site and the
static sub-domain. That way one cheap cert covers everything and it's SHA-2.

------
thesimon
1. In terms of pricing, [https://www.gogetssl.com](https://www.gogetssl.com)
seems good. I haven't used it personally, but $27.85 for an EV in the first
year seems quite nice. Namecheap is good, too, but a bit more expensive.

2. Yes

~~~
wbond
Where do you see an option for an EV at $27.85 on that site? I'm seeing prices
that start at $110 a year for 2 years.
[https://www.gogetssl.com/extended-validation/](https://www.gogetssl.com/extended-validation/)

~~~
thesimon
[https://www.gogetssl.com/business-validation/comodo-instantssl/](https://www.gogetssl.com/business-validation/comodo-instantssl/)

------
nnrocks
I recently purchased an EV cert for one of my clients in the Netherlands from
[https://www.cheapsslshop.com](https://www.cheapsslshop.com)

They are good with price and service, you may give them a try.

------
roustem
I used [https://www.ssl2buy.com/](https://www.ssl2buy.com/) in the past few
months and it worked well.

~~~
nreece
+1 for ssl2buy. Bought a wildcard cert[1] from them for a special price.

[1] [https://www.ssl2buy.com/ssl-discount-offers](https://www.ssl2buy.com/ssl-discount-offers)

------
guyinblackshirt
I've been happy with cheapsslsecurity.com, they are resellers but they offer
_huge_ discounts compared to the actual issuers.

------
petecooper
Thank you, everyone - this thread has been enormously helpful to me. I am
grateful for your time, attention and input.

------
jacquesm
Make sure you get a SHA2 certificate as Google is deprecating the SHA1
certificates over the next months.

------
julie1
SSL certs are an untrusty ransom based on the tyranny of bad UI.

FF, Chrome and IE are totally OK with login/pass passing in clear over HTTP,
which is wrong. But when you don't have a certificate signed by one of the
root certificates in your wallet, it screams to death. (Which is totally WTF
in the hierarchy of risk.)

Your wallet contains organizations that should have been shut down according to
the rules of SSL: we normally cannot trust any authority that even once, or for
good reasons, emitted a joker certificate to make a MITM (or helped people
doing so).
[https://news.ycombinator.com/item?id=2138565](https://news.ycombinator.com/item?id=2138565)

In your web browser's default certificate list you find Microsoft. In 2007,
they put in IE for the Ben Ali government a special certificate to be able to
do a MITM on the Tunisian opponents. (Of course those using FF would see a
warning.)

MS did not emit the certificate, but for them, who can issue SSL certificates,
it's clearly not right to provide an SSL joker root certificate in its web
browser used for MITM (without your nice little icon you care about getting
red).

MS is still in my list of trustful SSL certificates. How can you trust them?
If they could betray once for a little money (Tunisia had less money as a state
than MS, Google, whatever country) they have an incentive to do it again.

Knowing MS has gone through the death penalty, other SSL issuers can now have
an incentive to do the same.

SSL central certificates are NOT to be trusted anymore. We have proof that once
a company in our "trustful" wallets betrayed without consequence. So betraying
is OK.

My recommendations:

- Ever DANE (but that is a combinat) or the new technology Google is secretly
  working on (maybe Mozilla too),
- set a cookie on the HTTP landing page ssl_cert_on=bool,
- if not present redirect to [http://www/my_cert](http://www/my_cert),
- give a link to your self-signed certificate on your domain so that your
  users add it to their wallet securely (must be a JS or a MIME extension to
  set so that IE/FF/Google open at the "add this certificate to your wallet"
  page),
- correct the world and the FF/Chrome/IE mess by providing a way for the user
  to read the mess of the X509 certificate (for which domain this cert is
  valid, the fingerprint),
- correct the world another time by explaining to your customers it is normal
  that they should not trust this special web page or this certificate, and
  give them links for them to check your allegation (knowledge and tools),
- provide another secured way to access your cert fingerprint (DNSSEC TXT
  record for instance, snail mail, flying carrier, PGP mails...),
- and make a rant on how much security UI/UX sucks and is so poorly thought
  out that it is the major security hole nowadays, and how all security gurus
  giving us advice on how to code "secure" code should be regarded as cons
  that should be imprisoned.

Then, now that you have corrected the whole "what went wrong with central
authority" mess, you can very easily make your free self-signed cert a secure
certificate and sleep on your two ears because your customers now understand
security the right way.

If you understood nothing of the text above, just buy a normal certificate to
whoever you want. You will be "safe" according to the green icon, and this is
all that matters in the real world.

------
avinassh
1. Namecheap according to me.

2. Yes.

------
cosmeen
get this
[http://puu.sh/bGSOF/3809882b0c.png](http://puu.sh/bGSOF/3809882b0c.png)

------
minhdanh72
1. cheapsslsecurity.com 2. Yes

------
logub
GeoTrust works better for us.

------
asaddhamani
1. SSLS.com is rather nice.

2. Yes.

~~~
asaddhamani
I can't edit now, but I thought by non-green, OP meant a self-signed
certificate. Didn't realize OP was referring to EV certificates. I don't have
a problem with buying from domains without EV certificates as long as the
certificate is valid.

------
tosh
DigiCert

------
middleclick
No love for Gandi?

~~~
lobster_johnson
Gandi looks good, especially if one already uses them for DNS. We intend to
start using them for SSL.

~~~
ngrilly
Same here. Gandi is an interesting solution.

~~~
lobster_johnson
Curious: What do you mean by interesting?

