

Ask HN: What SSL Cert Provider Do You Use? - strooltz

Being that SSL has been getting a fair amount of attention lately due to the Instagram debacle (http://techcrunch.com/2010/11/18/yet-another-hot-startup-leaves-a-gaping-security-hole-in-its-iphone-app/) and the Firesheep exploit (http://techcrunch.com/2010/10/24/firesheep-in-wolves-clothing-app-lets-you-hack-into-twitter-facebook-accounts-easily/), I thought it might be interesting to spawn a discussion on the SSL providers out there.

I typically use GeoTrust QuickSSL for most e-commerce applications, but I was wondering what pluses and minuses (cost, support, time to deployment, etc.) users in the community had experienced.
======
irons
I use and like StartSSL for class one validation, which is free, though the
class one certs are only for single hosts. (Don't forget to load the
intermediate certificate in the web server config, or Firefox will act like
there's no root cert loaded.)

Class two validation, supporting wildcard certs, is available, but requires
high-resolution documentation of personal identity, resubmitted annually and
kept on file outside my legal jurisdiction (Startcom is based in Israel),
until seven years after the certificate's eventual expiration or revocation,
which rounds up to forever.

I admire Start's model of charging only for actions that require human
intervention, like identity validation, but I can't bring myself to have faith
that their current trustworthiness precludes being acquired or compromised in
the distant future. It's aggravating that organizational validation (for
wildcard or EV certs) is layered on top of individual validation, meaning that
an individual's ID always has to be on file.

~~~
pudquick
And $50/2yr for wildcards from StartSSL is nothing to sneeze at! Very nice
recommendation, will definitely be checking them out.

------
WALoeIII
If you are concerned about speed, you want to go with one of the "big boys" to
get a cert that is closer to the root the browser trusts. The more
intermediate certificates you have to supply, the more the client has to
download to complete the handshake, and you should strive to keep it under 4k
to avoid overflowing the initial TCP window (which would then require another
round-trip).

~~~
jbyers
No need to go with the big boys, just go with the unchained boys. RapidSSL /
GeoTrust offer unchained certs that are teeny (< 2K) compared to GoDaddy (4K+,
2 chain certs) and others.

------
trizk
In order of preference:

1) GeoTrust 2) Comodo 3) Thawte

Although many cert providers tout wide browser acceptance, you may find
discrepancies in production. Be careful. GeoTrust has excellent customer
service, decently priced certs, and an automated/expedited process. No
affiliation.

------
bluedevil2k
GoDaddy makes SSL certs really easy if you have the domain registered with
them too. Hot tip: type "ssl cert" into Google and click on their ad instead
of going straight to their site - $12 vs $49. If you have your domain name,
it's basically as easy as upload your CSR text, download your cert. Could be
done in about 5 mins.

Of course, that raises a question I have... what's the difference, if any,
between their cheap SSL certs and their $99 "premium" ones?

~~~
guac
I believe the "premium" ones are extended validation (EV) certificates. These
give the green bar on newer browsers.

The $12 ones just validate domain ownership and not organization identity. I
believe they also ignore the Organization and Organizational unit fields in
your CSR and replace it with the common name in the certificate they issue.

------
chaosmachine
NameCheap gives out free "Comodo PositiveSSL" certificates when you register a
domain, so that's what I'm using.

------
callmeed
I use GoDaddy mainly because of cost. Never really had a problem with them.

~~~
irons
I stopped using GoDaddy when Bob Parsons started opining in public about
national politics. I'd rather pay an extra couple bucks a year than support
that nut. Though where certs are concerned, StartSSL also has the benefit of
being cheaper.

------
bunchesofdonald
Why do we have to have ssl cert providers? I understand when you're doing
ecommerce, it makes sense. But for a website that is just trying to do SSL to
get past firesheep, or simply because they are transmitting sensitive
information, doesn't it make sense to allow them to just encrypt their
traffic?

To answer the actual question, we use GoDaddy.

~~~
cmelbye
The certificates are unverified by a trusted certificate authority, so anyone
can perform a man-in-the-middle attack by providing a different certificate to
clients, allowing the bad guy to decrypt the information.

(edit: clarified wording)

~~~
Sephr
It wouldn't be like that if you're using a self-signed cert.

------
fookyong
I use GeoCerts

<https://www.geocerts.com>

I've bought and installed about a dozen different certificates from them, even
some of the high-ticket ones that need a background check during the
application stage.

Interface is good, price is right. No complaints.

------
bdwalter
We use digicert and have been super happy with them.

~~~
barake
Also using digicert. We're a nonprofit and they cut us a nice deal on a
wildcard cert.

~~~
WettowelReactor
Non profit here as well and we get great rates from Digicert.

------
paulgerhardt
StartSSL (<http://www.startssl.com/>) is super rad. Basic certs are free;
wildcards are only $50; their validation isn't a joke; and they are a trusted
CA on Firefox, Safari, and IE.

------
coryl
Check your hosting company, they may have a deal to resell certificates and
may provide installation for you. I got a certificate significantly cheaper
than listed on the GeoTrust site.

------
kitt
I use Servertastic <https://www.servertastic.com/ssl-certificates/> usually
with the RapidSSL one: <https://www.servertastic.com/order/rapidssl/>
Servertastic resells from a large number of SSL providers. Avoid GoDaddy to
avoid the cert chaining headache.

------
christefano
Most of the certificates I use are self-signed. For the others, I get them
through Gandi (a 1-year certificate is included with each domain registration)
and my webhost, SoftLayer (they resell RapidSSL certificates for $20 a year).

<http://www.gandi.net>

<http://www.softlayer.com>

------
dp7531
I've used RapidSSL for domains I registered through Namecheap, since they
offer them for around $10, and had good experiences thus far.

~~~
jonknee
Same here. A step up from GoDaddy as there's no cert chaining. It's surprising
how much cheaper it is through NameCheap than directly from RapidSSL ($10 vs
$79).

------
zdw
Myself. I run my own CA for internal use and sign all my own certs, and
occasionally those for customers. This works only because I generally control
all the devices that the certs will be used on - I wouldn't use this on public
facing sites.

Wildcard certs are expensive last I checked, but simply too useful to ignore.
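
Added example, not posted by anyone in this thread: the points argued above
can all be checked offline with a throw-away CA built from the openssl command
line: irons' warning that a missing intermediate makes the chain fail to
verify, WALoeIII's and jbyers' point that every chain cert adds bytes to the
handshake, guac's question about what subject ends up in the issued cert, the
self-signed discussion under cmelbye and Sephr, and zdw's own-CA setup that
only works where you control the clients' trust store. Every name in it
(Example Root CA, Example Intermediate CA, Example Widgets Inc,
shop.example.test) is made up, and it needs only a POSIX shell and openssl:

```shell
#!/bin/sh
# Added example, not from the thread: a throw-away two-tier CA built with the
# openssl command line (root -> intermediate -> leaf), used to check offline
# the points argued above. Every name is made up: "Example Root CA",
# "Example Intermediate CA", "Example Widgets Inc", "shop.example.test".
set -eu

WORK="$(mktemp -d)"                 # scratch directory, deleted on exit
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-contained openssl config so the run does not depend on the system
# openssl.cnf. "openssl req" insists on a distinguished_name section even
# though every subject below is passed with -subj.
cat >ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:shop.example.test
[ v3_self ]
# No keyUsage on purpose: older OpenSSL only treats a self-signed cert as
# its own trust anchor when keyUsage is absent or includes keyCertSign.
subjectAltName   = DNS:shop.example.test
EOF

# Issue root, intermediate and leaf, plus a self-signed leaf for comparison.
# 2048-bit RSA keeps key generation quick; openssl's chatter is silenced.
build_chain() {
  # Root: self-signed, the only certificate a client's trust store holds.
  openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout root.key -out root.pem -days 3650 -subj "/CN=Example Root CA" 2>/dev/null
  # Intermediate: a CSR signed by the root with CA extensions.
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout inter.key -out inter.csr -subj "/CN=Example Intermediate CA" 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1825 -extfile ca.cnf -extensions v3_ca -out inter.pem 2>/dev/null
  # Leaf: the CSR a site operator uploads, with O and OU filled in so the
  # subject the CA actually issued can be inspected afterwards.
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout leaf.key -out leaf.csr \
    -subj "/C=US/O=Example Widgets Inc/OU=Web Ops/CN=shop.example.test" 2>/dev/null
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 365 -extfile ca.cnf -extensions v3_leaf -out leaf.pem 2>/dev/null
  # Self-signed alternative to the whole chain.
  openssl req -x509 -config ca.cnf -extensions v3_self -newkey rsa:2048 -nodes \
    -keyout self.key -out self.pem -days 365 -subj "/CN=shop.example.test" 2>/dev/null
}

# A client whose trust store holds only root.pem. "with" also hands it
# inter.pem, as a correctly configured server does inside its chain;
# "without" is the server that forgot to install the intermediate.
leaf_verifies() {
  if [ "$1" = with ]; then
    openssl verify -CAfile root.pem -untrusted inter.pem leaf.pem >/dev/null 2>&1 && echo yes || echo no
  else
    openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1 && echo yes || echo no
  fi
}

# The self-signed cert checked against whatever trust store file it is given.
self_verifies() {
  openssl verify -CAfile "$1" self.pem >/dev/null 2>&1 && echo yes || echo no
}

# DER size of what the server puts in the TLS Certificate message: leaf
# alone ("unchained") versus leaf plus intermediate.
der_bytes() { openssl x509 -in "$1" -outform DER | wc -c | tr -d ' '; }
chain_bytes() {
  case "$1" in
    leaf_only) der_bytes leaf.pem ;;
    full)      echo $(( $(der_bytes leaf.pem) + $(der_bytes inter.pem) )) ;;
  esac
}

# Subject of the issued leaf in RFC 2253 form, which prints the same across
# OpenSSL versions.
leaf_subject() {
  openssl x509 -in leaf.pem -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

build_chain
echo "root only, intermediate not sent:       leaf verifies? $(leaf_verifies without)"
echo "root only, intermediate sent by server: leaf verifies? $(leaf_verifies with)"
echo "self-signed cert, client trusts root:   verifies? $(self_verifies root.pem)"
echo "self-signed cert, client pinned to it:  verifies? $(self_verifies self.pem)"
echo "DER bytes: leaf only $(chain_bytes leaf_only), leaf + intermediate $(chain_bytes full)"
echo "issued subject: $(leaf_subject)"
```

Run it with sh. The first two lines of output are the Firefox symptom irons
describes: the same leaf is rejected when the client has only the root and
accepted once the intermediate travels with it (here `-untrusted inter.pem`
stands in for the server sending it). The self-signed lines are the difference
between zdw's "I control all the devices" and a public site: that cert is
accepted only by a client whose trust store was seeded with it, which is also
why an attacker can swap in their own self-signed cert against everyone else.
The byte counts are the raw Certificate-message payload, so the second number
is what WALoeIII's 4k budget has to cover and the first is what an
"unchained" cert costs.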

------
aresant
From a conversion rate standpoint not much seems to beat verisign - although
GoDaddy SSL seems to be making gains.

Also see "Proper placement of 'trust logos' can make a huge difference in
conversion rate":

http://conversionvoodoo.com/blog/2010/07/proper-placement-of-trust-logos-can-make-a-huge-difference-in-conversion-rate/

------
haploid
Verisign. They are probably the most expensive CA available, but they are
absolutely worth it if you ever intend to provide secure user sessions to the
proverbial Aunt Millie.

Their identification verification process is fully automated now (phone +
web), so most certificates are issued within a few hours of CSR submission.

~~~
irons
How does Aunt Millie distinguish Verisign certs from those of any competitor
with good browser support? Are we just covering the case that she might be
using Netscape 3, or is there another angle I'm not seeing?

~~~
haploid
It has nothing to do with browser support, although that has been an issue in
the past. It has everything to do with Aunt Millie "feeling secure" when she
sees the Verisign Secure Seal more so than, say, the GoDaddy Badge.

It's all about the conversion rate, basically.

~~~
krf
Can you back your assertion up with some evidence?

"Seals" used to be quite popular some years ago (e.g. TrustE seal and the BBB
Seal), but they seem to get less press these days, so I wonder how important
they are for conversions.

Has Aunt Millie really heard of Verisign? She may actually have heard of
GoDaddy, though, due to the advertising.

~~~
haploid
Not linkable evidence, no, although Verisign has their own collection of user
stories claiming huge conversion increases in their marketing literature.

We have done A/B testing on Verisign seals vs no seals vs generic "Secure
Site" seals we created. There is a statistically significant increase in
conversions with the Verisign seal vs the other two options.

