
$50 comodo wildcard SSLs (while they last) - aioprisan
http://www.namecheap.com/promos/2012/black-friday-cyber-monday-deals.aspx
======
UnoriginalGuy
Does anyone else feel like SSL certificates are a giant scam?

Companies like Microsoft are king-makers so they essentially get to pick and
choose who gets to be a "trusted" certificate authority, and therefore we wind
up with a competition-less market.

Many of these companies claim this excess cost (over the technical costs which
are low) are the result of having to verify people are who they say they are.
But in my experience, from buying certificates, certificate authorities never
do this (or at least don't manually do it). In fact Amazon did far more
verification when I signed up to AWS than any certificate authority ever
has...

They also charge more for different kinds of certificates (e.g. like this
"sale") even if their costs are identical. This is just a nonsense way to up-
sell a product that already has a markup likely in the thousands of
percentage.

Honestly any SSL certificate which costs more than $5~10 is a rip-off.

~~~
ck2
We need to replace certs with DANE

DANE is basically SSL authentication via the cert in DNS

Get rid of third parties.

<https://datatracker.ietf.org/wg/dane/charter/>

Problem is it needs DNSSEC, but we are going to need that sooner or later
anyway.
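What "the cert in DNS" amounts to in practice, as an added example that is not part of the comment above: checking a presented certificate against a TLSA record (RFC 6698). The certificate is a constructed DER skeleton with placeholder fields, and `der`, `read_tlv`, `extract_spki`, `tlsa_matches`, `make_cert` and `tlsa_for` are names chosen for this sketch.

```python
import hashlib

def der(tag: int, body: bytes) -> bytes:
    """Encode a short (<128 byte) DER element; builds the sample only."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:  # long form: low 7 bits give the number of length bytes
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def extract_spki(cert: bytes) -> bytes:
    """Return the SubjectPublicKeyInfo element of an X.509 certificate."""
    _, pos, _ = read_tlv(cert, 0)        # outer Certificate SEQUENCE
    _, pos, end = read_tlv(cert, pos)    # tbsCertificate SEQUENCE
    fields = []
    while pos < end:
        tag, _, nxt = read_tlv(cert, pos)
        if tag != 0xA0:                  # skip the optional [0] version
            fields.append(cert[pos:nxt])
        pos = nxt
    return fields[5]  # serial, sigAlg, issuer, validity, subject, SPKI

def tlsa_matches(record: str, cert: bytes) -> bool:
    """record is TLSA presentation form: usage selector matching-type hex."""
    _usage, selector, mtype, data = record.split()  # usage 3 = DANE-EE, no CA
    selected = cert if selector == "0" else extract_spki(cert)
    if mtype != "0":  # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
        selected = hashlib.new({"1": "sha256", "2": "sha512"}[mtype], selected).digest()
    return selected.hex() == data.lower()

def make_cert(key: bytes) -> bytes:
    """Constructed sample: a DER skeleton with placeholder contents, not a real cert."""
    spki = der(0x30, der(0x30, b"") + der(0x03, b"\x00" + key))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + der(0x30, b"") * 4 + spki)
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00sig"))

def tlsa_for(cert: bytes) -> str:  # the "3 1 1" record a zone owner would publish
    return "3 1 1 " + hashlib.sha256(extract_spki(cert)).hexdigest()
```

A "3 1 1" record pins the key rather than the whole certificate, so it keeps matching when the certificate is reissued with the same key pair.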

~~~
drostie
In the meantime, for SSL on team projects which are not yet released-to-the-
public, there is a web-of-trust certificate issuer called CAcert.org which can
be installed on relevant machines and used. At one point they were trying to
pass an audit and get into Firefox, so perhaps someday they can become a
default for web browsers. If they cannot, then perhaps a sufficiently
motivated group could set up a similar authority.

Ideally, the flow would be much simpler than even CACert has made it; you ask
for a certificate for drostie.org, the CA does a WHOIS for the administrative
contact for that domain; the CA sends an email to that domain name containing
a link to confirm the request; if you visit the link then you can upload a
public key and perhaps even generate a private key (via client-side
javascript, of course -- you don't want to send such things to the server).

I don't know whether you could make it pass a security audit and get into
major browsers -- but I like the idea that this could be much more user-
friendly than it is.

------
jacquesm
Before you jump at this, research the reputation of your SSL certificate
provider.

<https://www.google.com/search?q=comodo+reputation>

$50 is a pretty good price, the nearest competitor is charging about double
that. Still, if you are going for a wildcard SSL certificate (and you already
need one even if you just want to respond to www.example.com and example.com
using https) then likely the $50 is a rounding error on your annual expenses.
It's good to be frugal, and if you feel that comodo is good enough for you
then this is as cheap as it gets.

~~~
mjpa
You don't need a wildcard for domain.com + www.domain.com. I've got several
cheap (~$7) certificates that have both listed

~~~
StavrosK
The StartSSL free ones do this too, I have them on all my domains.
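Why a two-name certificate is enough for example.com plus www.example.com, as an added example that is not part of any comment in this thread: a wildcard stands for exactly one left-most label, so `*.example.com` does not cover the bare domain. The function names and SAN lists are constructed for illustration, and the two-label suffix rule is an assumption of this sketch.

```python
def name_matches(pattern: str, host: str) -> bool:
    """Match one certificate dNSName against a hostname, RFC 6125 style."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False                      # "*" never spans several labels
    if p[0] == "*":
        # Assumption of this sketch: require two labels after the wildcard,
        # so "*.com" is rejected (browsers apply stricter suffix rules).
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h                         # "*" elsewhere is treated literally

def uncovered(san_names, hosts):
    """Return the hosts that no name in the certificate matches."""
    return [h for h in hosts if not any(name_matches(n, h) for n in san_names)]

# Constructed inputs: the SAN lists of two hypothetical certificates.
HOSTS = ["example.com", "www.example.com", "api.example.com", "a.b.example.com"]
WILDCARD_ONLY = ["*.example.com"]
TWO_NAMES = ["example.com", "www.example.com"]

if __name__ == "__main__":
    for label, san in (("wildcard", WILDCARD_ONLY), ("two-name", TWO_NAMES)):
        print(label, "does not cover:", uncovered(san, HOSTS))
```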

------
vampirechicken
In the olden days (circa 1995) there were precious few Cert providers
(Verisign, Thawte, and few others) and they vetted you, because SSL certs are
about trust, not about encryption. As a result, Certs were bloody expensive.

In order to get the cert for dsac.dla.mil (the computer shop inside the US
Defense Logistics Agency) we provided reference to the act of Congress
establishing the DLA, and then the command chain that proved that my boss had
the rights/responsibility for the SSL cert for the domain.

The process could take weeks, but in the end you could trust that the server
on the other end was who they claimed to be.

Fast forward to the internet boom, and everybody needed a cert, and there
folks realized that generating certs was physically easy, and could be
lucrative, so they started selling cheaper and cheaper certs. But you can't
vet an organization for 29.95, so that aspect of SSL Certs was conveniently
forgotten as the masses rushed onto the web.

Everybody thinks SSL Certs are about the encryption. We know that the Cert
only establishes the identity of the other party. The encryption is performed
using a key which is shared after the cert is used to establish trust.

So now, people are starting to realize that cheap certs don't provide trust,
and we're seeing $1500 vetted certs again, and browsers that change colors to
signify trust levels.

However, to make this personal, I have a Comodo cert that I got for free with
domain registration at namecheap, and a bunch of browsers don't want to trust
it.

So I'm stuck between not having revenues to buy a super-cert, and having
people refuse to use my app because their browser is saying my app's cert
isn't trustworthy, and they aren't technical enough to override the warning.

So will these $50 wildcard certs fare any better?

~~~
nickf
_...and a bunch of browsers don't want to trust it._ This shouldn't be the
case. My email is on my profile if you want to email me any details you can -
I'll get this solved!

~~~
vampirechicken
Thanks to nickf I learned that I'd omitted certs in the chain when I did the
installation. All is well now. Thanks nickf!

------
ck2
What about StartSSL at $60 for two years for wildcard and multiple domains?

<https://www.startssl.com/?app=40>

      Multiple Domains (UCC)
      Wild Card Capability

Supported by all modern browsers.

~~~
techsupporter
It would be nice if they had any sort of flexibility in their identity
validation. Not all of us keep identification cards with addresses on them[0]
or a telephone number billed in a traditional manner[1].

0 - United States Passport Card, for instance.

1 - VoIP.

~~~
mguillemot
If they cannot reach you by phone, they can send you a snail mail with some
code printed on it that you have to enter into their admin interface.
Admittedly they should tell you about that before you try to register (I
discovered it after I already paid, but it just took a few days and all-in-one
it wasn't too bad).

------
mattvot
All sold out now.

So frustrating to get to the end of your order to get the message that the
coupon has expired.

~~~
aioprisan
they run every 3 hours

------
aioprisan
just got an essential SSL for $49.99 for a year, limit 10 per customer, half
price. Also you can get an EV cert for $50-60.

~~~
aioprisan
that is, a wildcard SSL

------
dutchbrit
Andddddd it's gone..

