

Why we don't sell domain validated SSL certificates - nailer
https://certsimple.com/blog/domain-validated-ssl

======
rocky1138
We'd all rather have EV. That's not the question. The problem is price. SSL
certificates are simply too expensive. Reduce the price and you will see an
increase in adoption.

~~~
creshal
Yep. Shit, if we were a customer of certsimple, we wouldn't have SSL _at all_
for 99% of our sites because we couldn't afford it.

~~~
rocky1138
I don't want to focus on and skewer certsimple; they're just one provider out
of (likely) hundreds. I've never seen a cheap EV certificate from any of them.

~~~
BillinghamJ
StartSSL's EV certs are pretty darn reasonable.

~~~
creshal
OTOH, their support is pretty much shit.

Still waiting for a cert request they flagged "for check within 2-3 hours" two
weeks ago…

------
shiftpgdn
This is pretty silly. Customers don't care or know what EV SSLs are and the
level of functional security is no different.

We didn't renew our EV SSL and went to a domain validated SSL. Our number of
daily orders actually went up (this is probably just company growth.)

~~~
ceejayoz
Hell, even Amazon.com and Google.com can't be bothered to go EV.

~~~
UnoriginalGuy
Google I'll grant, but Amazon's site is actually insecure: not only do they
lack EV, they lack even "basic" SSL/HTTPS across the board. They deliver
cookies via HTTP (without even flagging them HttpOnly), and an attacker can
intercept/modify the HTTP page in order to redirect a user who hits the
"login" button to a server controlled by the attacker (essentially turning the
real Amazon.com page into a giant phishing attack on an insecure network).

Amazon should be ashamed of themselves in 2015. No assets, let alone their home
page, should be non-HTTPS.
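An added example (not code from the thread or from any site it names) that audits Set-Cookie headers for the two weaknesses the comment above describes: cookies delivered over plain HTTP, and cookies missing the Secure and HttpOnly attributes. The response and cookie values are constructed for the demo.

```python
"""Audit Set-Cookie headers for cookies delivered over plain HTTP and for
cookies lacking the Secure / HttpOnly attributes (RFC 6265 attribute names are
case-insensitive). Added example; the sample response below is constructed."""

# Constructed sample: a plain-HTTP response that sets two cookies.
SAMPLE_SCHEME = "http"
SAMPLE_SET_COOKIE = [
    "session-id=abc123; Path=/; Domain=.shop.example",        # constructed
    "csrf=tok456; Path=/; Secure; HttpOnly; SameSite=Lax",    # constructed
]


def parse_set_cookie(header_value: str):
    """Split one Set-Cookie value into (name, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to an empty string."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_cookies(scheme: str, set_cookie_headers):
    """Return {cookie_name: set_of_issue_codes} for one response.

    plain-http  : the response travelled unencrypted, so the cookie value was
                  visible to, and forgeable by, anyone on the network path
    no-secure   : the browser will keep sending this cookie over HTTP later
    no-httponly : page scripts can read the cookie via document.cookie"""
    report = {}
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        issues = set()
        if scheme.lower() != "https":
            issues.add("plain-http")
        if "secure" not in attrs:
            issues.add("no-secure")
        if "httponly" not in attrs:
            issues.add("no-httponly")
        report[name] = issues
    return report


if __name__ == "__main__":
    for cookie, issues in audit_cookies(SAMPLE_SCHEME, SAMPLE_SET_COOKIE).items():
        print(cookie, sorted(issues) or ["ok"])
```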

------
bbrazil
> DV SSL also allows someone to register '*.othercompany.com' wildcard and
> then create 'yourbank.com.othercompany.com' and have this domain name
> display a green lock in older browsers.

Wildcard certs only work one level down; when I looked into this, Firefox was
the last browser to remove support for doing multiple levels.

~~~
colinbartlett
So they could just register *.com.othercompany.com.

~~~
ceejayoz
I'd say the EV provider should reject such a wildcard.

CertSimple argues ([https://certsimple.com/blog/wildcard-ev-certificate](https://certsimple.com/blog/wildcard-ev-certificate))
the EV restriction on wildcards is to prevent google.com.fraud.ru from getting
an EV certificate. The single-level wildcard restriction already prevents that.

~~~
nailer
EV requirements reject all wildcards: the EV applicant must specifically list
all domain names.

Re: your edit: as the other poster notes, the DV cert would have to be for
'*.com.fraud.ph'. That's entirely possible though.
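The single-label wildcard rule that bbrazil, colinbartlett and nailer are discussing, as an added example (not code from the thread or from any CA): `*` must be the whole left-most label and matches exactly one DNS label, as in RFC 6125 section 6.4.3, so `*.othercompany.com` does not cover `yourbank.com.othercompany.com` while `*.com.othercompany.com` does. The hostnames are the thread's own illustrative names.

```python
"""Single-label wildcard matching as browsers apply it to certificate names.
Added example; it implements the RFC 6125 section 6.4.3 rules, not any
particular browser's code."""


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """True if the certificate name `pattern` covers `hostname`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" in hostname:                 # a presented hostname is never a pattern
        return False
    if "*" not in pattern:              # plain name: exact match only
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    # '*' must be the entire first label ('w*.example.com' is refused)
    # and must be the only wildcard in the name.
    if plabels[0] != "*" or any("*" in label for label in plabels[1:]):
        return False
    # Refuse wildcards directly under a top-level label, e.g. '*.com'.
    if len(plabels) < 3:
        return False
    # The wildcard stands for exactly one label: never zero, never several.
    if len(hlabels) != len(plabels):
        return False
    return plabels[1:] == hlabels[1:]


def covering_names(cert_names, hostname):
    """Subset of a certificate's subjectAltName entries that cover `hostname`."""
    return [name for name in cert_names if wildcard_matches(name, hostname)]


if __name__ == "__main__":
    for pat in ("*.othercompany.com", "*.com.othercompany.com"):
        print(pat, "->", wildcard_matches(pat, "yourbank.com.othercompany.com"))
```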

------
carl_
letsencrypt.org will demolish the DV market and there's already minimal profit
without extreme volumes, so let's be honest about this.

> Our CA, DigiCert, does the final checks before issuing your certificate, so
> you should speak to them directly.

What exactly are you offering here other than reselling DigiCert?

~~~
nailer
> What exactly are you offering here other than reselling DigiCert?

1. We check your company registration, status, and DNS/whois and CSR while
you apply - and before you pay.

2. Better CSR creation. There is no software to install, and no command line
Q and A or clicking. You just paste a command onto your server, in either bash
or PowerShell, then paste back the results.

3. We're massively faster than standard CAs. CertSimple deliver EV
certificates in an average of 5 hours. The standard time for an EV cert is
7-10 days.

And a bunch more. See
[https://certsimple.com/about](https://certsimple.com/about)

~~~
carl_
Thanks for the response, so really you're just improving a job that the CA
should and could do better.

In your position I would fear that my business/model/product could be easily
replaced by any other partner/reseller of a CA, or the CA themselves. Unless
your intention is to build volume then either be acquired by a CA or become a
CA yourself under somebody else's root?

~~~
mikemaccana
(replying from old openid account due to rate limit)

No probs: I understand the cynicism. The SSL industry is dominated by sales
and marketing giants that market snake oil like SGC and seal in search; I
wouldn't trust any of them either.

There's not a lot of people who get UX and get crypto: I've got my name in
RHEL and I've also built consumer facing web apps for Google and Microsoft.
That's 17 years of pretty unique experience, and we launch new features every
couple of weeks. If a CA tries to follow - and they will - bring it, we'll
smoke them.

Your final point is accurate.

~~~
carl_
Hah yeah cynical is fair.

It's easy for me to forget especially when commenting here (HN) that not
everybody knows what they are doing and I often undervalue services which
bridge a knowledge gap when I have that knowledge.

Thinking again, yes I can see the "doing one/few things very well" working
during what is going to be a major shift in the market, especially with the
intended end goal.

> I've already ordered - who can I talk to about getting my company validated?

I'd propose the answer to that FAQ needs some sort of improvement, to appear
less standoffish.

~~~
nailer
Thanks for the tip. The FAQ entry certainly wasn't meant to be standoffish,
but I've edited it - what do you think?

------
teddyh
The _real_ reason you won't sell domain validated X.509 certificates is that
the Let's Encrypt project¹ will give them away for free (by automatic means)
come November, which will wipe out the market for them.

This is just the "sour grapes" rationalization from CertSimple.

¹ [https://www.letsencrypt.org/](https://www.letsencrypt.org/)

~~~
mikemaccana
(replying from old openid account due to rate limit)

Let's Encrypt want to do EV too - they've also asked CertSimple for help
previously to do it. It's significantly more work than automating DV again
(which has already been done), and CertSimple are far ahead of the entire SSL
industry when it comes to speedy EV validation.

Encrypting something with a public key, without knowing who that public key
belongs to, largely defeats the purpose of encryption.

------
red_admiral
The text ends "Launching a web app? Get a high-assurance SSL certificate and
still launch on time."

The moment you're deploying an _app_, you've already solved the hard problem
that certificates are meant to help with. Just activate certificate pinning
and you get a lot more security to boot.

CAs "help" in the case where you're navigating to a site via a URL bar and you
have no other stored information to help identify them. An app is stored on
your device already, and doesn't have a URL bar so you don't need to care
about the colour of the lock icon.

Of course, in a world of apps and certificate pinning, the business model for
CAs looks even more questionable than on the web. In theory, your bank's site
should show a green lock and if you click on a phishing link, you get a nasty
red one. In practice, you'll see red on your bank's page every now and then
when they forget to renew their certificate and, to quote security researcher
Peter Gutmann: "The only place you're guaranteed never to see a certificate
error is on a phishing site. They don't use SSL at all, and people still visit
them."

~~~
detaro
_web app_, not _app_. Which commonly refers to web pages (accessed in the
browser) that are an application, not an app that runs directly on the device.
For native apps, certificate pinning is the right thing to do.

------
StavrosK
Given how often people check the company name in the address bar, and how
easily you could found a company in some other country that uses a pretty
similar name, I'm very doubtful that EV certificates are worth their price
tag.

~~~
creshal
The _only_ advantage I see for EV certificates is mandatory OCSP. But there's
no technical reason why we cannot just have that for all certificates (now
that OCSP stapling is widespread and OCSP no longer generates an unreasonable
load for certifiers).

------
wouterinho
For those wondering what EV stands for:
[https://en.wikipedia.org/wiki/Extended_Validation_Certificate](https://en.wikipedia.org/wiki/Extended_Validation_Certificate)

------
GrinningFool
> Your passport, for example, doesn't prove that you're a nice person.
> Communicating this to end users is a challenge: even network engineers
> have been confused by this.

This just seems like a straw man argument. I can't say that I've encountered
either a network engineer or even an end user (s/EV/green icon) who thinks
that an EV says anything about the quality of the company they're working
with. End users accept that it means 'more secure'. Network engineers of
average ability or above do, in fact, know better.

~~~
mikemaccana
(replying from old openid account due to rate limit)

There's a specific person that's well known on HN that mentioned a pirate site
had an EV cert at Edge conf, implying they shouldn't have been able to get
one. They have a registered business, and a real address in London, and the EV
cert simply assures that identity.

Most people in network ops have very little idea of EV, so I don't think naming
individuals is productive.

See 'Do DV or EV SSL certificates mean this is a good company?' at
[https://certsimple.com/blog/are-ev-ssl-certificates-worth-it](https://certsimple.com/blog/are-ev-ssl-certificates-worth-it)

------
colinbartlett
Like many others here, I am not persuaded by these arguments.

An even better reason for CertSimple to not support DV certs is that it is
simply impossible to compete on price with the big guys. And it will be even
more difficult once Let's Encrypt launches.

------
tallanvor
Come on, how many non-IT people can anyone think of who cares if there's green
in the address bar? AT MOST they check for the padlock. The companies who get
an EV certificate are doing it to check off a box, not because their customers
have demanded it.

It's wishful thinking on the certificate providers to hope for people to want
SSL certificates to actually prove identity.

------
nailer
Author here. This should hopefully be pretty self explanatory. If you're
interested in how Edge shows DV certificates, see
[https://certsimple.com/images/blog/edge-vs-ie-ev-vs-dv-ssl.png](https://certsimple.com/images/blog/edge-vs-ie-ev-vs-dv-ssl.png)

~~~
ajonit
Is there any entity which is working towards bringing down the cost of EV
SSLs? They seem to be ridiculously priced as of now.

~~~
creshal
Yep. Most smaller businesses struggle to justify the costs of _regular_
certificates (because let's be honest, the certification is BS – certificate
theft is a bigger threat than fraudulent registration), gods forbid a
_wildcard_ cert. EV are not even an option.

And if you want SSL for your private website, tough luck.

