You can get SSL certificates for free for one domain, and they work with all browsers (except Opera, IIRC). Also, you can use Perspectives for Firefox, which I think is much better than the current system.

Off topic, but re: Perspectives. It allows your browser to compare notes with other nodes on the Internet ('network notaries') to ensure that everyone is seeing the same cert for a given website.

Looks like a great idea, but how do they prevent the man-in-the-middle from impersonating a network notary?

Notaries sign their responses, if I remember correctly.

Perspectives doesn't work in the latest version of Firefox. Its home page says a new version is coming, though:


I've had a bit of a look on Google, but I'm not 100% sure which provider you mean? Where can you get free SSL certificates that don't upset browsers?

Ah, I can't remember the name now... RapidSSL? That's probably it. Check historio.us, the SSL cert there is a free one (which is, sadly, why subdomains don't validate).

EDIT: I searched and it's actually http://cert.startcom.org/.

AFAIK this is common to all certs (free or otherwise). You need a separate one for each subdomain (including www).

No, there are also wildcard certificates that match all subdomains, but are rather more expensive.

Wildcard certificates are available for USD $49.90 from StartSSL (http://www.startssl.com/?app=40), which is rather more expensive than free, but shouldn’t be a hardship.

The only downside to wildcard certs through StartSSL is that getting one requires high-resolution proof of personal identity, to be kept on file outside local jurisdiction (the company's based in Israel) until the cert's final renewal or revocation, plus seven years.

I admire their model of only charging for operations which require human intervention, like identity validation, but handing over that degree of documentation for that amount of time requires a lot of trust, not just of the company as it currently exists, but as it will exist in the far future.

If there was a way to validate organizations which wasn't layered on top of an earlier validation of an individual, or if their decentralized web-of-trust was usable for class 2/wildcard certs, I'd be a big fan.

As it is, there's no reason not to use Start for class 1, single-domain certs, for which the validation is automated and reasonable.

Wildcard certs don't match the underlying domain, though. See, for example, dropbox.com instead of www.dropbox.com; they've got a wildcard cert and it's not valid for dropbox.com.
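The matching rule described in the comment above (a wildcard covers exactly one label in front of the domain, not the bare domain), as an added example that is not part of the original thread. It is a simplified sketch of RFC 6125-style name matching; the function names and the `example.com` name lists are constructed for illustration.

```python
# Added example: simplified RFC 6125-style hostname matching.
# The name lists below are constructed, not taken from any real certificate.

def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate name (possibly a wildcard) covers hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard stands for exactly one label, so label counts must be equal.
    # This is why "*.example.com" does not cover the bare "example.com".
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Only the whole leftmost label may be a wildcard, and at least two
        # fixed labels must follow it, so "*.com" never matches anything.
        if len(p_labels) < 3 or "*" in "".join(p_labels[1:]):
            return False
        return bool(h_labels[0]) and p_labels[1:] == h_labels[1:]
    if "*" in pattern:
        return False  # partial wildcards such as "w*.example.com" are rejected
    return p_labels == h_labels


def cert_covers(san_names, hostname: str) -> bool:
    """Return True if any name listed in the certificate covers hostname."""
    return any(name_matches(name, hostname) for name in san_names)


# Constructed name lists: a wildcard-only cert, and one that also lists the apex.
WILDCARD_ONLY = ["*.example.com"]
WILDCARD_PLUS_APEX = ["*.example.com", "example.com"]

if __name__ == "__main__":
    for host in ("www.example.com", "example.com", "a.b.example.com"):
        print(host, cert_covers(WILDCARD_ONLY, host),
              cert_covers(WILDCARD_PLUS_APEX, host))
```

A certificate meant to serve both the bare domain and its subdomains has to list both names, as `WILDCARD_PLUS_APEX` does.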

Didn't know that, thanks.

Namecheap provides free SSL certificates for each domain you get through them.

The Monkeysphere is also a good alternative if you use Debian and GPG.


Right, and even the paid ones can be had for well under $30/yr nowadays, which is pretty trivial.

There are levels of pay for functionality, like subdomains, and being able to issue your own certificates.

For instance, from Verisign: a 1 year Microsoft code signing certificate starts at $499 [1]. A top-of-the-line (from their main pages) web certificate for a single server for one year: $1499 [2].

[1]: https://securitycenter.verisign.com/celp/enroll/selectOption...

[2]: https://ssl-certificate-center.verisign.com/process/retail/p...

edit: it would figure the links don't work. Just go to www.verisign.com and those are a couple clicks from the front page.

