Ask HN: Which SSL Cert to Buy? - dpapathanasiou

For past projects, I've always used GeoTrust, because of their combination of price and browser acceptance.

Today I noticed that GoDaddy, Entrust.net, and instantssl are all cheaper.

Does anyone have any experience with those three?

I.e., is there any reason I shouldn't just use a $30 per year SSL cert from GoDaddy?
======
mdasen
A lot of this is merely price discrimination. Some people won't find out about
cheaper certificates and will pay lots more money for something from GeoTrust.
GeoTrust actually _owns_ RapidSSL
(<http://www.rapidssl.com/ssl-certificate-about/index.htm>). NameCheap is
reselling those RapidSSL branded certificates for less than RapidSSL.com is
selling them. RapidSSL.com is, in turn, selling certificates for less than
GeoTrust. And they're all signed by the Equifax root certificate!

Single root certificates are a better option and the RapidSSL certificate that
NameCheap is selling for $10 is single root and run and signed by the same
people as GeoTrust. Do go with a single root as it makes life easier.

~~~
bseo
Namecheap offers free PositiveSSL certificates, as well as a free whois
masking option. You must register or transfer a domain there to get it, but
it's not tied to the domain you buy, so you could buy a new domain and use the
free cert on an older one.

~~~
olefoo
Don't use whois masking services; it effectively gives a third party ownership
of the domain in question and most certainly does violate the ICANN rules
about truthful and accurate registration information.

~~~
bseo
I've used whois protection services for years (and for thousands of domains);
there's never been a problem for me.

When the whois protection service is provided by the registrar you used to
register the domain, how is that third party ownership? They already have a
lot of control over the domain.

I don't know about ICANN rules on the matter; however, I think they would have
pressured registrars to stop offering such services, if that was the case.

If you have further information/links on the subject, please elaborate.

~~~
olefoo
<http://www.dynadot.com/resource/article/qa.html?aid=0>

TL;DR: you can do it, but understand the risks you are taking. The whois
record is the authoritative record of domain ownership; if your name (or
company name) isn't on it, then if there is a dispute, you lose.

~~~
bseo
That post uses Domains by Proxy as an example, which is an awful service.
Towards the end of the article, Dynadot explains the whois protection service
THEY offer themselves. That's what Namecheap (and other registrars) does and
it's what I've always used.

I can tell you for a fact that I receive a lot less email spam at the email
address I use for whois, because Namecheap changes the address (which forwards
to mine) listed every other day. Also I don't get any snail mail junk,
although this was never a big issue.

------
arete
I usually buy the RapidSSL cert from NameCheap, $10.95/y or less for longer
periods. It's single root (unchained) and signed by a very well supported CA
cert. The only downside is no subjAltName (which lets you do both www.foo.com
and foo.com).

All you really need to know is what the root CA is, because some certs (even
expensive ones like Thawte's EV) are signed by newer CAs that aren't present
in older browsers, mobile devices, etc. Also extra "features" like > 1024 bit
keys often cost more.

~~~
dpapathanasiou
Thanks, I'd never heard of NameCheap before.

I see that they resell GeoTrust at $47/year (which is a nice discount from the
$250/year I'd been expecting to pay), but what's the difference between that
and their own $9/year certs?

~~~
simonk
Basically the brand name: which logo you get to put on your site.

------
what
No experience, but there was a recent Ask HN about the same. This response
says something about GoDaddy's certificates vs more expensive ones:
<http://news.ycombinator.com/item?id=1308619>

Not sure if that helps you any.

~~~
dpapathanasiou
Thanks for the link; I did a search before posting, and the only other thread
I found was more than 400+ days old.

I don't understand the chaining issue described, but I can research that a bit
more.

It makes sense there's some sort of catch with GoDaddy, since their certs are
orders of magnitude cheaper than the others (everyone else is $150+ per year).

~~~
what
I think the chaining issue is just that it takes more work for you to set up.
But maybe someone who knows what they're talking about can give you more info.

------
olefoo
> is there any reason I shouldn't just use a $30 per year SSL cert from
> GoDaddy?

GoDaddy uses an intermediate certificate which means you need to install, not
just your cert, but also all of the certs back to the root. It's a minor
annoyance, except for the fact that they don't tell you about it until after
you buy the cert.
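
The intermediate problem described here, demonstrated with the openssl CLI as an added example (not code from the thread): it builds a throwaway root, intermediate and 2048-bit leaf certificate with a SAN, then verifies the leaf with and without the intermediate, which is exactly the difference between a server that installs the full chain and one that installs only its own cert. All names and files are made up for the demo; it assumes a POSIX shell and openssl 1.1.1 or later.

```bash
# Added example, not from the thread: build a throwaway root -> intermediate -> leaf
# chain with openssl and show why a server that omits the intermediate fails to
# validate. All names (Demo Root CA, www.example.test) are made up for the demo.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# 1. Self-signed root CA. This stands in for the CA root shipped in browsers.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
  -subj "/CN=Demo Root CA" -keyout root.key -out root.pem 2>/dev/null

# 2. Intermediate CA, signed by the root, marked CA:true so it may issue certs.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
  -keyout inter.key -out inter.csr 2>/dev/null
printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -sha256 -extfile inter.ext -out inter.pem 2>/dev/null

# 3. Server CSR with a 2048-bit key, then a leaf certificate signed by the
#    intermediate, with a SAN covering both the www and the bare hostname.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
printf 'basicConstraints=CA:false\nsubjectAltName=DNS:www.example.test,DNS:example.test\n' > leaf.ext
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 30 -sha256 -extfile leaf.ext -out leaf.pem 2>/dev/null

# verify_leaf EXTRA: validate leaf.pem against the trusted root, treating EXTRA
# (if given) as the untrusted certs a server would send alongside its own.
# Exit status 0 means a client that trusts only the root accepts the chain.
verify_leaf() {
  if [ -n "$1" ]; then
    openssl verify -CAfile root.pem -untrusted "$1" leaf.pem >/dev/null 2>&1
  else
    openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1
  fi
}

if verify_leaf ""; then
  echo "unexpected: leaf verified without the intermediate"
else
  echo "leaf alone: FAILS (client cannot link it to the root it trusts)"
fi
if verify_leaf inter.pem; then
  echo "leaf + intermediate: OK (this is the chain the server must install)"
fi
```

Pointing the same `openssl verify -untrusted` check at the chain file you are about to deploy is a quick way to catch a missing intermediate before a browser does.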

------
andymoe
It depends on what you want to do with it. For a basic cert for a web site
GoDaddy is fine, but remember to generate a CSR of at least 2048 bits
(<http://help.godaddy.com/article/5619>) and not the older default of 1024,
since some newer mobile devices will not like that. If you want it to work on
ALL mobile devices you may have issues with GoDaddy anyway. Something about
the chain of trust - it's been a while.

I would recommend you do your homework by checking out GeoTrust (here is a kb
article from them <http://bit.ly/9HMsqp>) - If you are unsure, call them. If
anyone has worked with ActiveSync and mobile devices perhaps you can remind me
of some of the other issues.

------
melvinram
Yes, you shouldn't pay $30 per year for an SSL cert from GoDaddy because you
can get it for $12.99 if you just search on Google for GoDaddy SSL:

<http://www.google.com/search?q=godaddy+ssl>

------
anto1ne
If you're looking for cheap, why not go for <http://www.startssl.com/>? It's
completely free and works on all recent browsers, and most older ones too.

~~~
soyelmango
I agree on using startssl, and especially because of their ethos of how they
charge: you only pay for the verification process, and after that, SSLs are
free because they're automatic.

Also, startssl's founder is the best ambassador - send a help request, and
he'll answer in no time.

------
robertss
It depends a lot on what kind of site you are trying to secure, but a cheap
certificate works in many cases. Browser acceptance really isn't an issue with
major providers. I would just be sure to check out some reviews for the
provider that you want to go with:
<http://www.sslshopper.com/certificate-authority-reviews.html>

------
drmeers
I use <http://www.rapidsslonline.com/rapidssl-certificates.php> (~$15/year)
and haven't had any problems.

<https://www.servertastic.com/rapidssl/> look similar.

------
aschobel
We use <http://www.digicert.com/> since we need a SAN (SubjAltName). SAN lets
you do *.domain.com and domain.com.

Weird surprise, Android does NOT support SAN. DigiCert gave us a root cert for
free with our wildcard.

------
dedalus
I use Comodo to buy a domain specific cert for $30 and a wildcard for $300. But
that may be due to my company being a reseller of Comodo certs.

~~~
wowik
Yes, normally they are three times more expensive.

