

Ask HN: Are there *any* unbiased SSL review sites? - ccleve

I need to buy a wildcard SSL certificate. I took a look at some of the rating sites like sslreview.com, sslshopper.com, bestsslcertificate.com, all of which appear to be owned by an SSL issuer -- in other words, totally biased and filled with fake reviews. What's a developer to do?
======
jp
Here you go.

<http://www.structure.no/site/ssl-primer>

------
nickf
What exactly are you looking for in the review? (I'd note that sslshopper.com
isn't owned by any CA as far as I'm aware - though it probably has fake
reviews.)

Certs are really broken down into 3 validation 'standards' and 3 'types' of
certificate. Some types aren't available in certain validation standards.

Most certificates are technically and functionally identical. The exception
being the EV certificates which activate the 'green bar' UI in most modern
browsers.

EV - Extended Validation
Those you'll pay more for and wait longer to get -
and in some cases (dependent on your status as a corporation) you may not be
able to get one at all. They are more expensive, but many CAs and resellers
have offers on making them more cost-effective. Available as single-domain or
multi-domain only. 1-2 year duration.

OV - Organisation or 'business' Validation
Full business information is
checked and confirmed, usually a telephone call is required from the CA to
you. Those business details are signed into the certificate - though the
browsers don't really display them in any meaningful sense like EV. Available
as single, wildcard and multi-domain.

DV - Domain Validation
Issued solely on the basis of you 'proving' you control
a domain. The method for doing this is usually an email to an administrative
contact or WHOIS contact at your domain. A few CAs offer some other mechanisms
using DNS or HTTP. Nothing identifying you beyond your domain name appears in
the certificate - but from a user point of view they won't really see the
difference. Available as single, wildcard and multi-domain.

Firstly decide if the green EV chrome is important to you or not. If not, then
either of the other two validation levels will work fine. It's really then
deciding which type you need.

Single domain - covers a single FQDN, sometimes including the 'www' if you
request it for 'domain.com', which is useful.

Wildcard - covers all subdomains of a domain, like *.domain.com. Useful if you
plan on deploying over many subdomains.

UCC/Multi-domain - covers multiple separate FQDNs, from different
TLDs/ccTLDs. Used often with Exchange, or if you have several ccTLDs on the
same site, like domain.com, domain.net, domain.co.uk

Finally, the CA choice. Honestly, there's not a lot of difference. When the
cert is correctly installed, you won't have issues in most major browsers and
mobiles with any of them. You can pay for the brand (Symantec) and you can pay
for extra 'frills' (warranty, logos). That's your call.

Go for any one of the major CAs (Symantec, Comodo, GoDaddy if you can stomach
them, Entrust) and you'll not have an issue. You might want to check what
their policy is on re-issues if you move hosts or tend to lose all your
configurations often! Resellers for those may offer better pricing. There are
a number of 'SSL aggregators' who offer products from all CAs together. Check
any offers they have. If you really don't want to pay, try StartCom. Eddy runs
a great company, and aside from some potential issues you might see with older
platforms or older mobile devices, you can't go wrong for free!

* Disclaimer - I work for a major CA, but I've tried not to push them. Email on profile if you've further questions.
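
The three certificate types described in the comment above, as an added example that is not part of the thread: a sketch of RFC 6125-style name matching that reports which hostnames each type leaves uncovered. It goes slightly beyond the comment by showing that a wildcard entry stands for exactly one label, so it covers neither the bare domain nor deeper subdomains. The SAN lists, hostnames and function names are constructed for illustration, and the public-suffix checks browsers apply to wildcards are not modelled.

```python
def _labels(name):
    # DNS names compare case-insensitively; drop a trailing root dot.
    return name.rstrip(".").lower().split(".")


def san_matches(pattern, host):
    """True if one SAN dNSName entry covers host (RFC 6125-style matching)."""
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # The wildcard stands for exactly one leftmost label and must leave
        # at least two fixed labels, so "*.com" never matches anything here.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def uncovered(sans, hosts):
    """Hosts a certificate with these SAN entries would NOT be valid for."""
    return [h for h in hosts if not any(san_matches(s, h) for s in sans)]


# Constructed SAN lists, one per certificate type from the comment.
SINGLE = ["domain.com", "www.domain.com"]   # single domain plus 'www'
WILDCARD = ["*.domain.com"]                 # wildcard entry only
MULTI = ["domain.com", "domain.net", "domain.co.uk"]  # UCC/multi-domain

# Constructed list of names a deployment might need to serve.
NEEDED = ["domain.com", "www.domain.com", "api.domain.com",
          "a.b.domain.com", "domain.net"]

if __name__ == "__main__":
    for label, sans in (("single", SINGLE), ("wildcard", WILDCARD),
                        ("multi", MULTI)):
        print(f"{label:8} leaves uncovered: {uncovered(sans, NEEDED)}")
```

Running the same check against the SAN list of a certificate you are about to order shows the gaps before you pay; many CAs add the bare domain as a second SAN on wildcard orders, which closes the first gap shown for `WILDCARD`.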

