

Why isn't there an easy-to-issue Free SSL CA? - willtheperson

Where is the SSL Certification Authority that is issuing SSL certificates that are trusted by all browsers without a yearly fee?

It's bad enough that startups differentiate pricing tiers with SSL; why do we make it so user-unfriendly to secure their visit?
======
bigiain
<http://www.startssl.com/>

They've been doing it for years. So long as you get the intermediate CA cert
installed on the server, their free certs seem to work fine in as near as
practical "all browsers".

~~~
prashantmukesh
Do you have personal experience in using StartSSL? What are the limitations
with its free version? Looking to use an SSL certificate on my website to use
it within a Facebook app.

~~~
bigiain
No real limitations at all. They're genuine SSL/TLS certs; the "trick" is that
they're only validated by checking you can receive mail at an email address at
the domain in question, so while the encryption "works", you don't get much
assurance of "authentication" from them. If I can somehow read mail sent to a
prashantmukesh.com email address, I'll be able to convince StartSSL to issue
me an SSL cert for it... This is mostly why this isn't such a good idea... It
also doesn't really matter, from the point of view of apps requiring an https
connection - even apps/APIs smart enough to check certs and their issuing
authorities aren't going to know the difference between an SSL cert that
required a Dun & Bradstreet check to acquire and one that only needed access
to a webmaster@example.com email account.

~~~
willtheperson
But that's my point really. Why does the site's owner need to be verified at
all?

I believe we should have an SSL cert that only enforces the encryption but
makes no claims about the server's owner or that any transaction is guaranteed
up to a specific dollar amount.

I know you can self-sign, but when the browser shows the user the site is
self-signed, they get nervous. Conversely, I could get a minimal-identification
SSL cert from GoDaddy that doesn't alert the user, but I have to pay at least
$15 for that right.

My main issue or question is why SSL is paired with COMPANY/PERSON
identification. Why do I rely on the CA to verify a company is real? Why
aren't there two elements: one is encryption, one is identification. Encryption
is free to implement with no warnings in the browser. ID can cost money to pay
for the verification process.

Thoughts?

~~~
Piskvorrr
"Hello, I'm the target server; definitely not a MITM attacker, no way, not at
all." Without identification, this is as good as sending the data in plaintext
- for all you know, you may be communicating with a hostile proxy.

~~~
willtheperson
Ahh, good point. I wasn't clear.

By not requiring ID, I meant company name, state, city, etc.

I'm realizing that what I'm wanting is to split the SSL cert into two aspects.
One provides security and endpoint verification. The other verifies the actual
person/company and potentially insures that any losses will be covered. It
seems like this is pretty much the idea of an EV cert (more verbose entity
ownership), but that costs a ton.

I don't know about you, but I don't use the SSL cert to verify the legitimacy
of a company. I do ensure it's there when sending sensitive information
though.

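The point Piskvorrr raises above, that encryption without endpoint verification is no better than plaintext against a hostile proxy, shown in code. This is an added example and is not part of the thread or any StartSSL/GoDaddy material: a toy finite-field Diffie-Hellman exchange run twice. In the first run nothing vouches for the server's key, and an attacker in the middle ends up sharing a key with each side. In the second run the server holds a long-term key whose fingerprint the client already trusts (the role a CA signature on a certificate plays in TLS), proves possession of it, and the attacker is rejected. The party names, the "server finished" confirmation message, and pinning a fingerprint instead of checking a CA signature are this example's own simplifications; only the Python standard library is used.

```python
"""Unauthenticated vs. authenticated key exchange (added example, not from the thread)."""
import hashlib
import hmac
import secrets

# 1024-bit MODP group 2 from RFC 2409. Big enough to show the protocol logic;
# in practice use RFC 3526 group 14 or larger, or X25519.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF",
    16,
)
G = 2
NBYTES = (P.bit_length() + 7) // 8


def keypair():
    """Fresh DH private exponent in [2, P-2] and its public value g^x mod P."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def kdf(*shared):
    """Derive a 32-byte session key from one or more DH shared secrets."""
    h = hashlib.sha256()
    for s in shared:
        h.update(s.to_bytes(NBYTES, "big"))
    return h.digest()


def fingerprint(pub):
    """SHA-256 of a public value; stands in for 'the CA vouched for this key'."""
    return hashlib.sha256(pub.to_bytes(NBYTES, "big")).hexdigest()


def unauthenticated_exchange():
    """Plain DH with Mallory relaying. Returns (alice, bob, mallory<->alice, mallory<->bob) keys."""
    a, A = keypair()  # Alice's ephemeral key
    b, B = keypair()  # Bob's ephemeral key
    m, M = keypair()  # Mallory's key, presented to both sides
    # Mallory replaces each side's public value with her own; nobody can tell.
    alice_key = kdf(pow(M, a, P))
    bob_key = kdf(pow(M, b, P))
    mallory_with_alice = kdf(pow(A, m, P))
    mallory_with_bob = kdf(pow(B, m, P))
    return alice_key, bob_key, mallory_with_alice, mallory_with_bob


class Server:
    """Server with a long-term static DH key; its public half plays the 'certificate'."""

    def __init__(self):
        self.s, self.S = keypair()
        self.last_key = None

    def respond(self, A):
        """Answer a client's ephemeral A with (B, S, confirmation tag over the derived key)."""
        b, B = keypair()
        self.last_key = kdf(pow(A, b, P), pow(A, self.s, P))
        tag = hmac.new(self.last_key, b"server finished", hashlib.sha256).digest()
        return B, self.S, tag


def client_handshake(pinned_fp, server, mallory=None):
    """Return the session key if the server proves its identity, else None.

    pinned_fp: fingerprint of the genuine server's static key, learned out of band.
    mallory:   optional hypothetical tampering function applied to the server's reply.
    """
    a, A = keypair()
    B, S, tag = server.respond(A)
    if mallory is not None:
        B, S, tag = mallory(A, B, S, tag)
    if fingerprint(S) != pinned_fp:
        return None  # the presented "certificate" is not the server we meant to reach
    key = kdf(pow(B, a, P), pow(S, a, P))
    expected = hmac.new(key, b"server finished", hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # whoever sent B cannot compute A^s: does not hold the private half of S
    return key


def mitm_swap_ephemeral(A, B, S, tag):
    """Mallory forwards the real certificate S but injects her own ephemeral key."""
    _, M = keypair()
    return M, S, tag  # she cannot recompute the tag without s, so she forwards the old one


def mitm_swap_certificate(A, B, S, tag):
    """Mallory presents her own static key as the certificate and answers consistently."""
    return Server().respond(A)


if __name__ == "__main__":
    ak, bk, mak, mbk = unauthenticated_exchange()
    print("unauthenticated: Alice and Bob share a key?", ak == bk)
    print("unauthenticated: Mallory shares Alice's key?", ak == mak, "Bob's?", bk == mbk)
    srv = Server()
    fp = fingerprint(srv.S)
    print("authenticated, honest server accepted?", client_handshake(fp, srv) is not None)
    print("authenticated, swapped ephemeral accepted?", client_handshake(fp, srv, mitm_swap_ephemeral) is not None)
    print("authenticated, swapped certificate accepted?", client_handshake(fp, srv, mitm_swap_certificate) is not None)
```

The first run is the "encryption only" certificate willtheperson describes: both sides get a perfectly good encrypted channel, each to Mallory. In the second run the attacker has two choices and both fail: keep the genuine certificate and she cannot produce a valid confirmation tag, or substitute her own and the fingerprint check (the CA's job in real TLS) rejects it. The validation a CA performs decides how strong that fingerprint-equivalent binding is, which is why the thread's domain-validation versus organisation-validation question matters even for a site that only wants "encryption".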
------
Piskvorrr
TANSTAAFL; moreover, Crypto Is Hard.

It follows that you can get _at best_ two out of these three: Free, Secure,
Easy.

------
ig1
How would you verify identity in a free but reliable manner?

