

Ask HN: Is StartSSL worth the $0 price tag? - nZac

I am trying to secure a low traffic site but need a certificate. Is StartSSL a good option or should I spend money on another service?

I am helping a non-profit that has a very low budget and I want to be helpful without causing long-term ramifications (of which I am currently ignorant). Thanks for any help, this stuff is confusing and I am new to it!
======
lsc
I have a related, and broader question. Is there any difference, practically
speaking, between one CA and another, besides browser compatibility? Assuming
that it's accepted by browsers, is there any reason to go with a more
expensive provider that does a stronger verification of you rather than a
cheaper provider that just sends a confirm to an email in your domain whois?

------
dm2
No, they're not a company that I personally would suggest.

I highly recommend Comodo bought from NameCheap:
[https://www.namecheap.com/security/ssl-certificates/comodo.a...](https://www.namecheap.com/security/ssl-certificates/comodo.aspx)

Another heartbleed type incident could happen in the near future (lots of eyes
on that codebase now) and their strict policy will leave you choosing between
coughing up $35 per certificate or leaving your site vulnerable.

There has even been a large amount of discussion regarding removing them from
the trusted list of certificate authorities because most of their users can't
afford to revoke certificates and have no choice but to leave their sites
vulnerable.

~~~
logn
I also like Comodo+NameCheap. I once tried to buy Comodo elsewhere and the
cert activation process was much less friendly (they didn't recognize my
authorized whois email of record). Another nice perk I just realized,
NameCheap gives you the whole term of the cert from the time you activate the
cert, not from the time you purchase (maybe that's common though).

That said, I think the bad press StartSSL is getting is mostly undeserved. You
can either choose a free cert with the outside chance you'll want to pay to
revoke it, or just automatically pay up front every term. Probabilistically,
they still have the cheapest option. And are site admins who can't/won't pay
$35 really that likely to have a very secure server anyhow? That means they
would have never bought SSL anyhow without StartSSL.

------
samhamilton
We used them to secure internal only apps we ran, to stop staff getting used
to ignoring the warning pages if the certs are self-signed. Yeah, ok, the signup
process is a pain but we had an amazing system admin who knew their stuff so
got up and running in no time.

------
TheLoneWolfling
Whatever happened with "StartSSL, please revoke me"?

~~~
dm2
"Sure, pay us $35."

I believe the exact quote during the Heartbleed incident was, "Dead serious."
[https://twitter.com/startssl/status/453631038883758080](https://twitter.com/startssl/status/453631038883758080)

~~~
TheLoneWolfling
I meant the fate of the person who posted his private key trying to work
around that more-than-issue. (as, IIRC, under the terms of being in the
Mozilla repository StartSSL was obligated to revoke certificates that were
known to be compromised)

------
jburwell
I have used them in the past with no issues for personal sites. What are your
concerns? In many aspects, a cert either "works" or it doesn't (in most cases,
an SSL engine trusts the cert without warning). Generate a private key and CSR that meet
your security requirements (e.g. key length, cipher set, etc), submit it to
StartSSL, and verify the resulting cert. If it meets your specs and is trusted
by the SSL engines you use then you are good. If not, you will need to find
another CA.
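
The workflow described above (generate a key and CSR to your own spec, submit it, then verify what the CA hands back), as an added example that is not from the thread: a POSIX shell script driving openssl. Submitting to StartSSL cannot run offline, so a throwaway local CA (constructed) signs the CSR in its place; the hostname and CA name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates a key and CSR, then runs the
# checks a site admin should do on the certificate a CA returns. Submitting to a
# real CA cannot happen offline, so a throwaway local CA (constructed) stands in.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# 1. Private key and CSR meeting our own requirements: RSA 2048, SHA-256, SAN for the host.
make_key_and_csr() {                       # host keyfile csrfile
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -addext "subjectAltName=DNS:$1" -keyout "$2" -out "$3" 2>/dev/null
}

# 2. Stand-in for the CA: sign the CSR, preserving the SAN. Real issuance happens at the CA.
toy_ca_issue() {                           # host csrfile cacert cakey certfile
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Toy CA (constructed)" -keyout "$4" -out "$3" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$1" > "$WORK/san.ext"
  openssl x509 -req -in "$2" -CA "$3" -CAkey "$4" -CAcreateserial -days 1 \
    -sha256 -extfile "$WORK/san.ext" -out "$5" 2>/dev/null
}

# 3a. The cert must carry the public key of *our* private key (nobody swapped keys).
cert_matches_key() {                       # certfile keyfile
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# 3b. Key size and signature hash as actually signed: a weak key or hash would show up here.
cert_key_bits() { openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'; }
cert_sig_alg()  { openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1; }

# 3c. Chain to a trust anchor we accept *and* cover the hostname (what a browser checks).
cert_valid_for() {                         # host cafile certfile
  openssl verify -CAfile "$2" -verify_hostname "$1" "$3" >/dev/null 2>&1
}

run_checks() {                             # host
  h="$1"; k="$WORK/$h.key"; r="$WORK/$h.csr"; c="$WORK/$h.crt"
  make_key_and_csr "$h" "$k" "$r"
  toy_ca_issue "$h" "$r" "$WORK/ca.crt" "$WORK/ca.key" "$c"
  cert_matches_key "$c" "$k" && echo "public key in cert matches our private key"
  echo "key bits: $(cert_key_bits "$c")  signature: $(cert_sig_alg "$c")"
  cert_valid_for "$h" "$WORK/ca.crt" "$c" && echo "chains to CA and covers $h"
}

[ "$#" -eq 0 ] || run_checks "$1"
```

Run it as `sh check_cert.sh www.example.org`; against a real CA, replace `toy_ca_issue` with the CA's portal and point `cert_valid_for` at the CA bundle your clients actually trust.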

~~~
nZac
My concern revolves around credibility. They took a beating after Heartbleed
regarding the cost of revocation for certificates/credentials affected. While
that is mostly a business decision on their end, it raises concerns about what
their business is about. Nothing is "free", it just might not cost currency.
"If you don't pay for the service, you are the service."

Since I don't have experience with them I am looking for some level of
assurance that they are a legitimate service. In my opinion it is difficult to
gain that assurance just from their website.

~~~
ansid
I have paid wildcard certs with them. Their site is weirdly designed and heavy
on the self-service, but I have no complaints about them. I have revoked certs
with them and everything has been reasonable.

That said, why does it matter if they're "credible"? Their certs are accepted
by pretty much every browser, OS and library, and they have a long track
record as a CA.

Regardless, as a business I have had business dealings with, let me assure you
they are a "legitimate service".

~~~
tarminian
I currently use them and have no issues. I'm a validated customer and they
take even the personal validations very seriously. They even check based on
domain names: if you have "financial" in your domain name, be prepared to be
questioned on why you are getting a free SSL certificate.

