Ask HN: Which SSL Cert to Buy?
29 points by dpapathanasiou on May 4, 2010
For past projects, I've always used GeoTrust, because of their combination of price and browser acceptance.

Today I noticed that GoDaddy, Entrust.net, and instantssl are all cheaper.

Does anyone have any experience with those three?

I.e., is there any reason I shouldn't just use a $30 per year SSL cert from GoDaddy?

A lot of this is merely price discrimination. Some people won't find out about cheaper certificates and will pay lots more money for something from GeoTrust. GeoTrust actually owns RapidSSL (http://www.rapidssl.com/ssl-certificate-about/index.htm). NameCheap is reselling those RapidSSL branded certificates for less than RapidSSL.com is selling them. RapidSSL.com is, in turn, selling certificates for less than GeoTrust. And they're all signed by the Equifax root certificate!

Single root certificates are a better option, and the RapidSSL certificate that NameCheap is selling for $10 is single root and is run by and signed by the same people as GeoTrust. Do go with a single root, as it makes life easier.

"GeoTrust actually owns RapidSSL (http://www.rapidssl.com/ssl-certificate-about/index.htm). NameCheap is reselling those RapidSSL branded certificates for less than RapidSSL.com is selling them. RapidSSL.com is, in turn, selling certificates for less than GeoTrust. And they're all signed by the Equifax root certificate!"

Crazy! I'm glad I asked here first.

Namecheap offers free PositiveSSL certificates, as well as a free whois masking option. You must register or transfer a domain there to get it, but it's not tied to the domain you buy, so you could buy a new domain and use the free cert on an older one.

Don't use whois masking services; they effectively give a third party ownership of the domain in question and most certainly violate the ICANN rules about truthful and accurate registration information.

I've used whois protection services for years (and for thousands of domains), there's never been a problem for me.

When the whois protection service is provided by the registrar you used to register the domain, how is that third party ownership? They already have a lot of control over the domain.

I don't know about ICANN rules on the matter; however, I think they would have pressured registrars to stop offering such services if that were the case.

If you have further information/links on the subject, please elaborate.


TL;DR: you can do it, but understand the risks you are taking. The whois record is the authoritative record of domain ownership; if your name (or company name) isn't on it, then if there is a dispute, you lose.

That post uses Domains by Proxy as an example, which is an awful service. Towards the end of the article, Dynadot explains the whois protection service THEY offer themselves. That's what Namecheap (and other registrars) does and it's what I've always used.

I can tell you for a fact that I receive a lot less email spam at the email address I use for whois, because Namecheap changes the address (which forwards to mine) listed every other day. Also I don't get any snail mail junk, although this was never a big issue.

I usually buy the RapidSSL cert from NameCheap, $10.95/y or less for longer periods. It's single root (unchained) and signed by a very well supported CA cert. The only downside is no subjAltName (which lets you do both www.foo.com and foo.com).

All you really need to know is what the root CA is, because some certs (even expensive ones like Thawte's EV) are signed by newer CAs that aren't present in older browsers, mobile devices, etc. Also extra "features" like > 1024 bit keys often cost more.

Thanks, I'd never heard of NameCheap before.

I see that they resell GeoTrust at $47/year (which is a nice discount from the $250/year I'd been expecting to pay), but what's the difference between that and their own $9/year certs?

Basically brandname, which logo you get to put on your site.

No experience, but there was a recent Ask HN about the same. This response says something about GoDaddy's certificates vs more expensive ones: http://news.ycombinator.com/item?id=1308619

Not sure if that helps you any.

Thanks for the link; I did a search before posting, and the only other thread I found was more than 400 days old.

I don't understand the chaining issue described, but I can research that a bit more.

It makes sense there's some sort of catch with GoDaddy, since their certs are orders of magnitude cheaper than the others (everyone else is $150+ per year).

I think the chaining issue is just that it takes more work for you to set up. But maybe someone who knows what they're talking about can give you more info.

> is there any reason I shouldn't just use a $30 per year SSL cert from GoDaddy?

GoDaddy uses an intermediate certificate which means you need to install, not just your cert, but also all of the certs back to the root. It's a minor annoyance, except for the fact that they don't tell you about it until after you buy the cert.

It depends on what you want to do with it. For a basic cert for a web site GoDaddy is fine, but remember to generate a CSR with a key of at least 2048 bits (http://help.godaddy.com/article/5619) and not the older default of 1024, since some newer mobile devices will not like that. If you want it to work on ALL mobile devices you may have issues with GoDaddy anyway. Something about the chain of trust - it's been a while.

I would recommend you do your homework by checking out GeoTrust (here is a kb article from them http://bit.ly/9HMsqp) - If you are unsure, call them. If anyone has worked with ActiveSync and mobile devices perhaps you can remind me of some of the other issues.

Yes, you shouldn't pay $30 per year for an SSL cert from GoDaddy, because you can get it for $12.99 if you just search on Google for GoDaddy SSL.


If you're looking for cheap, why not go for http://www.startssl.com/ ? It's completely free and works on all recent browsers, and most older ones too.

I agree on using startssl, and especially because of their ethos of how they charge: you only pay for the verification process, and after that, SSLs are free because they're automatic.

Also, startssl's founder is the best ambassador - send a help request, and he'll answer in no time.

It depends a lot on what kind of site you are trying to secure, but a cheap certificate works in many cases. Browser acceptance really isn't an issue with major providers. I would just be sure to check out some reviews for the provider that you want to go with: http://www.sslshopper.com/certificate-authority-reviews.html

I use http://www.rapidsslonline.com/rapidssl-certificates.php (~$15/year) and haven't had any problems.

https://www.servertastic.com/rapidssl/ looks similar.

We use http://www.digicert.com/ since we need a SAN (SubjAltName). SAN lets you do *.domain.com and domain.com

Weird surprise, Android does NOT support SAN. DigiCert gave us a root cert for free with our wildcard.
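Three things in this thread are easier to see than to describe: the intermediate-certificate ("chain") gotcha from the GoDaddy comments, the advice to generate the CSR with a 2048-bit key, and what a SAN that covers both the bare domain and www does for hostname checks. The script below is an added example, not code from the thread or from any of the CAs named in it. It builds a throwaway root -> intermediate -> leaf hierarchy with the openssl command-line tool (assumed to be OpenSSL 1.1.1 or later, with mktemp available); the names "Demo Root CA", "Demo Intermediate CA" and example.test are constructed for the demo and have no relation to any real CA or domain.

```shell
#!/bin/sh
# Added example (not from the thread): a throwaway CA hierarchy built with the
# openssl CLI to demonstrate (1) why a leaf signed by an intermediate fails to
# verify unless the server also sends the intermediate, (2) a 2048-bit key/CSR
# and how to confirm the size in the issued cert, and (3) a subjectAltName that
# covers both example.test and www.example.test. All names are constructed.

DEMO_DIR=${DEMO_DIR:-$(mktemp -d)}   # assumption: mktemp -d is available

# Write an extension file and sign a CSR with the given CA cert/key.
issue_cert() {
    # $1 csr  $2 out  $3 ca cert  $4 ca key  $5 serial  $6 extension text
    printf '%s\n' "$6" > "$DEMO_DIR/ext.cnf"
    openssl x509 -req -in "$1" -CA "$3" -CAkey "$4" -set_serial "$5" \
        -days 30 -extfile "$DEMO_DIR/ext.cnf" -out "$2" >/dev/null 2>&1
}

build_demo_chain() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    D=$DEMO_DIR

    # Root CA: 2048-bit key, self-signed, explicitly marked CA:TRUE.
    openssl genrsa -out "$D/root.key" 2048 >/dev/null 2>&1
    openssl req -new -key "$D/root.key" -subj "/CN=Demo Root CA" -out "$D/root.csr" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$D/root.cnf"
    openssl x509 -req -in "$D/root.csr" -signkey "$D/root.key" -days 30 \
        -extfile "$D/root.cnf" -out "$D/root.crt" >/dev/null 2>&1

    # Intermediate CA: signed by the root; pathlen:0 means it may only sign leaves.
    openssl genrsa -out "$D/inter.key" 2048 >/dev/null 2>&1
    openssl req -new -key "$D/inter.key" -subj "/CN=Demo Intermediate CA" -out "$D/inter.csr" >/dev/null 2>&1
    issue_cert "$D/inter.csr" "$D/inter.crt" "$D/root.crt" "$D/root.key" 1000 \
        'basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign'

    # Leaf (server) cert: this is the CSR you would hand to a CA. 2048-bit key,
    # and a SAN listing both the bare domain and the www host.
    openssl genrsa -out "$D/leaf.key" 2048 >/dev/null 2>&1
    openssl req -new -key "$D/leaf.key" -subj "/CN=example.test" -out "$D/leaf.csr" >/dev/null 2>&1
    issue_cert "$D/leaf.csr" "$D/leaf.crt" "$D/inter.crt" "$D/inter.key" 2000 \
        'basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:example.test,DNS:www.example.test'

    # What a correctly configured server sends: its own cert, then the intermediate.
    cat "$D/leaf.crt" "$D/inter.crt" > "$D/chain.pem"
}

# A client that trusts only the root and receives only the leaf: this is what
# happens when the intermediate was never installed. Exits non-zero.
verify_leaf_without_chain() {
    openssl verify -CAfile "$DEMO_DIR/root.crt" "$DEMO_DIR/leaf.crt" >/dev/null 2>&1
}

# Same client, but the intermediate arrives alongside the leaf (as an
# untrusted extra, exactly as in a TLS handshake). Exits zero.
verify_leaf_with_chain() {
    openssl verify -CAfile "$DEMO_DIR/root.crt" -untrusted "$DEMO_DIR/chain.pem" \
        "$DEMO_DIR/leaf.crt" >/dev/null 2>&1
}

# Full chain verification plus a hostname check against the SAN. $1 = hostname.
leaf_matches_hostname() {
    openssl verify -CAfile "$DEMO_DIR/root.crt" -untrusted "$DEMO_DIR/chain.pem" \
        -verify_hostname "$1" "$DEMO_DIR/leaf.crt" >/dev/null 2>&1
}

# Key size as recorded in the issued certificate (prints e.g. 2048).
leaf_key_bits() {
    openssl x509 -in "$DEMO_DIR/leaf.crt" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p'
}

# The SAN line of the issued certificate.
leaf_san() {
    openssl x509 -in "$DEMO_DIR/leaf.crt" -noout -text \
        | sed -n '/Subject Alternative Name/{n;s/^[[:space:]]*//;p;}'
}

# Stand-alone run: build the hierarchy and report each check.
build_demo_chain && {
    verify_leaf_without_chain && echo "leaf alone: OK (unexpected)" \
        || echo "leaf alone: FAILS - client cannot reach the root (missing intermediate)"
    verify_leaf_with_chain && echo "leaf + intermediate: OK"
    echo "key size in cert: $(leaf_key_bits) bits"
    echo "SAN: $(leaf_san)"
    leaf_matches_hostname www.example.test && echo "hostname www.example.test: OK"
    leaf_matches_hostname mail.example.test || echo "hostname mail.example.test: rejected (not in SAN)"
}
```

Point a real server at the equivalent of chain.pem (leaf first, intermediate second) rather than at the leaf alone; the first verify call is the failure a visitor would see otherwise, even though nothing is wrong with the certificate itself.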

I use Comodo to buy a domain-specific cert for $30 and a wildcard for $300. But that may be due to my company being a reseller of Comodo certs.

Yes, normally they are three times more expensive.