

Ask HN: Where should someone buy a SSL certificate? - mihok

There always seems to be talk about some SSL cert service (VeriSign) that has been hacked or gone under. I'm trying to buy my first SSL certificate and there are so many options out there that it's hard to know which one, what are the risks? Is any certificate authority okay? Will self-signed certs be good enough?

Clearly the issue is the man-in-the-middle attack, which I have a high level understanding of, and makes every CA susceptible to the same attack if they are compromised... but are there good CAs that people have had experience with? Is it less safe to get a wildcard cert than individual certs for each domain?

Thanks HN
======
sillysaurus3
If you're worried about certain governments MITMing you, the answer is that
it's hopeless to rely on SSL to provide protection.

I don't know a good recommendation. I just wanted to clarify that SSL provides
no protection in that particular case.

~~~
mihok
Makes sense. Does that in turn mean that SSL is really a 'hopeless' cause and
that using self-signed just for the image of 'https' showing in the location
bar on a browser is enough? Seems like a pointless exercise to me knowing that
someone somewhere (government or not) could still access it.

~~~
sillysaurus3
Just to clarify, I think using some reliable and trustworthy SSL cert vendor
is the way to go. It just won't protect you from the aforementioned parties.
Nothing will at this point.

SSL protects you and your users from many other attack vectors, and is
important. It wasn't my intention to argue against SSL, just to point out the
truth of our modern day situation.

------
jipy9
I used a StartSSL class 1 certificate for my app (unherd.co). It's free and valid
for one year. Here is a good guide that might be of help -
[https://konklone.com/post/switch-to-https-now-for-free?hn](https://konklone.com/post/switch-to-https-now-for-free?hn)

~~~
akg_67
I also used StartSSL class 1 for my site (peercube.com) and will highly
recommend the help link you provided for getting and installing the
certificate.

------
fsk
My domain registrar (namecheap) offers SSL certificates cheap.

All you need is for your domain to show up with the little special icon in the
browser when you use https. Other than that, it doesn't matter. Get the
cheapest one that browsers recognize.

~~~
Patrick_Devine
I just bought a Comodo PositiveSSL Wildcard cert from them last week. It was a
little confusing, but they were quite responsive when I pointed out some bugs
in the registration service. I would definitely recommend them.

------
clinton_sf
StartCom/StartSSL thwarted a recent hack attack, according to:
[http://www.informationweek.com/attacks/how-startcom-foiled-c...](http://www.informationweek.com/attacks/how-startcom-foiled-comodohacker-4-lessons/d/d-id/1100043)

Their due diligence on verifying who is requesting the cert probably helped;
but I've seen some people complain that it's not a quick/easy process:
[http://danconnor.com/post/50f65364a0fd5fd1f7000001/avoid_sta...](http://danconnor.com/post/50f65364a0fd5fd1f7000001/avoid_startcom_startssl_like_the_plague_)

------
ch215
You get a standard SSL certificate free for a year with domain names at
Gandi.net. I think I'm also right in saying transfers are included. Can't
really vouch for their security but from what I have read the company's "no
bullshit" approach is right up my alley. The riseup.net collective recommend
them too.

~~~
euantorano
+1 on Gandi.net from me too. Got several domains/SSL certs from them. The base
(free) SSL certificate is pretty basic, but they also offer higher levels of
security at a cost.

------
ancarda
>Will self signed certs be good enough?

For public consumption, no. For anything internal, yes.

