
How Symantec upsells Internet Explorer 5 SSL support in 2015 - nailer
https://certsimple.com/blog/sgc-ssl-certificates
======
richardwhiuk
Worth noting that CertSimple is a competitor of Symantec, and can't offer SGC
certificates, so they are basically whinging that their competitor is
marketing their certificates on a feature people don't need.

That's basically par for the course when selling to businesses, especially
where non-technical people are in a position of deciding whether to buy, and
which vendor to choose from.

It'd also be nice if HackerNews wasn't quite so populated with thinly veiled
ads for companies disguised as blog posts.

~~~
nailer
We sell SSL certificates and we're quite proud of it.

> can't offer SGC certificates

We could sell SGC products today if we wanted to - we have the API keys, a
partner account with another certificate provider (not Digicert), and a node
module written for the relevant REST API. We don't want to.

> are basically whinging that their competitor is marketing their certificates
> on a feature people don't need.

Marketing certificates on a feature people don't need - and making it seem as
if they need it - is wrong.

> That's basically par for the course when selling to businesses, especially
> where non-technical people are in a position of deciding whether to buy, and
> which vendor to choose from.

Being common does not make it right.

If you think it does: what's the name of your startup? Your bio is empty, and
I think most of HN would be interested in knowing the name of a business that
thinks this is OK.

Furthermore it's not 'par for the course': many other CAs don't sell IE5
support as hard as Symantec does. Here's DigiCert writing against SGC (we use
DigiCert as our CA)
[https://www.digicert.com/sgc-ssl-certificates.htm](https://www.digicert.com/sgc-ssl-certificates.htm),
here's their competitor GoDaddy writing against SGC:
[http://agrihortico.com/freedownloads/SGC.pdf](http://agrihortico.com/freedownloads/SGC.pdf)

~~~
dogecoinbase
_what's the name of your startup? Your bio is empty, and I think most of HN
would be interested in knowing the name of a business that thinks this is OK._

Ugh, seriously? I was vaguely fine with the blog post before (though it is a
bit advertisement-y for HN in context), but this is reprehensible (at least in
the context of judging companies by the stances their employees take...).

~~~
javert
It's also reprehensible to say that it's OK for companies to cheat their
customers. I don't think the CertSimple guy was _actually_ trying to boycott
that guy's company, he was trying to make a point.

~~~
lanaius
I read it as a mixed call to boycott (and shaming) together with an appeal to
CertSimple's expertise; "I don't see you actually having any startups, and
thus your opinion is meaningless. If you do have a startup you certainly are a
bad startup."

~~~
nailer
It's a simple statement that companies shouldn't cheat their customers, nor
should we support companies (including HN startups) that think it is OK to
cheat their customers.

------
JoblessWonder
I think this is less malicious and more lazy... Isn't this just a super-
outdated marketing webpage for a certain global market that was never taken
down or redirected to the updated version?

I'm able to load the site, but when I click on _any_ of the menu options I'm
given a redesigned site with an updated version of the SSL options. [1] I
thought it might be a regional thing since this was in Asia-Pacific so I
switched the "aa" to "uk" and that tab doesn't even exist anymore. [2]

Although I was only able to get to a few pages before my browser session was
blacklisted as well. Sigh. Pretty annoying. [3] Luckily it is cookie based and
not IP based. (I don't think it needs to be said but I have no relation to
Symantec or Certsimple.)

[1] [http://www.symantec.com/en/aa/ssl-certificates/?inid=aa_ghp_cont1_vrsnsslcerts](http://www.symantec.com/en/aa/ssl-certificates/?inid=aa_ghp_cont1_vrsnsslcerts)

[2] [http://www.symantec.com/en/uk/page.jsp?id=how-ssl-works&tabID=3#](http://www.symantec.com/en/uk/page.jsp?id=how-ssl-works&tabID=3#)

[3] I'm now greeted with: Access Denied You don't have permission to access
"[http://www.symantec.com/](http://www.symantec.com/)" on this server.

~~~
nailer
Yeah it's weird: some locales for 'Introduction to SSL' have the old copy,
some have a newer version with SGC removed.

(edit: removed ref to Secure Site Pro page - as yuhong points out below, it
looks like the Pro product has been redefined to be non-SGC now)

~~~
yuhong
But notice there is no mention of SGC anymore, and instead they mention ECDSA
now. And you can only actually get SGC by getting a SHA1 certificate.

------
coldcode
VeriSign, GeoTrust, Thawte and RapidSSL are all Symantec? What a racket.
Clever work, Certsimple.

~~~
nailer
Yes: [http://www.netcraft.com/wp-content/uploads/2010/05/certauth_all4.png](http://www.netcraft.com/wp-content/uploads/2010/05/certauth_all4.png)

And thanks!

------
mey
For those doing their own research. This is some data I pulled together last
year.

[https://docs.google.com/spreadsheets/d/1jzZqGzvtHe4egYNnp1L4...](https://docs.google.com/spreadsheets/d/1jzZqGzvtHe4egYNnp1L4-df_avGjEqMZiv0FWFP4d4E/edit?usp=sharing)

~~~
nailer
Nice! The main point of CertSimple is 80 second EV application process
(including generating the CSR) and EV issuance in an average of five hours -
this could be a worthwhile addition to the 'Notes' column.

------
nailer
Author here.

Aside from the 'Introduction to SSL' page mentioned in the article, there are
a few other places where Symantec mentions SGC/IE5 support, including
[http://www.symantec.com/ssl-certificates/](http://www.symantec.com/ssl-certificates/)
- the 1st and 3rd products include SGC/IE5 support and are
more expensive than the equivalent (non 'Pro') products without SGC/IE5
support.

Hopefully this results in Symantec (and the resellers who use their marketing
materials) making it clear that SGC technology only applies to very old
browsers, rather than Symantec sending a nastygram to my office.

~~~
yuhong
They at least have finally begun to switch to marketing ECDSA certificates as
the main difference now, especially as SHA1 certs become obsolete. Last time
I checked Symantec's site I actually had to specifically look for SGC to find
this stuff now.

~~~
vtlynch
You are right Yuhong. Symantec's "Pro" products used to advertise SGC, now
they are using ECDSA instead.

------
yuhong
Thawte have at least begun hiding the SGC option. Also note that Netscape
Step-Up (not to be confused with MS SGC) depends on insecure renegotiation,
which is disabled in many servers now (I have a few pcaps I did with Netscape
4 showing this, and I really should factor the 512-bit RSA keys in some of
them at some point). Another trivia is when VeriSign began selling EV certs in
2007 they only sold it with SGC, even though it was becoming obsolete even
back then.

------
merb
SSL will never be good. Encryption which only a few can afford is mostly not
good. Also most SSL providers have their seat in the USA, which also means that we
NEVER knew if the encryption could be decrypted. Encryption which will be held
by any "bigger" company will also have this flaw, even from Germany or any
other European company (any company in any country will have that flaw). The
only encryption that would work would be self-made encryption, which is
barely supported by browsers.
[http://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities#Applications](http://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities#Applications)

~~~
fmela
Regarding your first point, the people at
[https://letsencrypt.org/](https://letsencrypt.org/) are working to address
that.

~~~
Grue3
letsencrypt.org seems to be the new GNU Hurd or Duke Nukem Forever.

