Ask HN: What SSL Cert Provider Do You Use?
55 points by strooltz on Nov 19, 2010 | 33 comments
Being that SSL has been getting a fair amount of attention lately due to the Instagram debacle (http://techcrunch.com/2010/11/18/yet-another-hot-startup-leaves-a-gaping-security-hole-in-its-iphone-app/) and Firesheep exploit (http://techcrunch.com/2010/10/24/firesheep-in-wolves-clothing-app-lets-you-hack-into-twitter-facebook-accounts-easily/) I thought it might be interesting to spawn a discussion on SSL providers out there.

I typically use GeoTrust quick SSL for most E-Commerce applications but I was wondering what were some of the pluses and minuses (cost, support, time to deployment, etc) users in the community had experienced.

I use and like StartSSL for class one validation, which is free, though the class one certs are only for single hosts. (Don't forget to load the intermediate certificate in the web server config, or Firefox will act like there's no root cert loaded.)

Class two validation, supporting wildcard certs, is available, but requires high-resolution documentation of personal identity, resubmitted annually and kept on file outside my legal jurisdiction (Startcom is based in Israel), until seven years after the certificate's eventual expiration or revocation, which rounds up to forever.

I admire Start's model of charging only for actions that require human intervention, like identity validation, but I can't bring myself to have faith that their current trustworthiness precludes being acquired or compromised in the distant future. It's aggravating that organizational validation (for wildcard or EV certs) is layered on top of individual validation, meaning that an individual's ID always has to be on file.

I use the StartSSL Wildcard/Class2 certificate and I'm quite happy with it. The validation process is really quick and easy: you send them a scan of your ID/passport or similar and some grumpy guy from Israel calls you and asks for your name and birthdate. I'm not that worried about a scan of my ID card getting lost, you have to provide that all the time.

And $50/2yr for wildcards from StartSSL is nothing to sneeze at! Very nice recommendation, will definitely be checking them out.

If you are concerned for speed, you want to go with one of the "big boys" to get a cert that is closer to the root the browser trusts. The more intermediate certificates you have to supply, the more the client has to download to complete the handshake, and you should strive to keep it under 4k to avoid overflowing the initial TCP window (which would then require another round-trip).

No need to go with the big boys, just go with the unchained boys. RapidSSL / GeoTrust offer unchained certs that are teeny (< 2K) compared to GoDaddy (4K+, 2 chain certs) and others.

GoDaddy makes SSL certs really easy if you have the domain registered with them too. Hot tip: type "ssl cert" into google and click on their ad instead of going straight to their site - $12 vs $49. If you have your domain name, it's basically as easy as upload your CSR text, download your cert. Could be done in about 5 mins.

Of course, that raises a question I have...what's the difference, if any, between their cheap SSL certs and their $99 "premium" ones?

I believe the "premium" ones are extended validation (EV) certificates. These give the green bar on newer browsers.

The $12 ones just validate domain ownership and not organization identity. I believe they also ignore the Organization and Organizational unit fields in your CSR and replace it with the common name in the certificate they issue.

In order of preference:

1) GeoTrust
2) Comodo
3) Thawte

Although many cert providers tout wide browser acceptance, you may find discrepancies in production. Be careful. GeoTrust has excellent customer service, decently priced certs, and an automated/expedited process. No affiliation.

NameCheap gives out free "Comodo PositiveSSL" certificates when you register a domain, so that's what I'm using.

From a conversion rate standpoint not much seems to beat Verisign - although GoDaddy SSL seems to be making gains.

Also see "Proper placement of "trust logos" can make a huge difference in conversion rate." :

I use GoDaddy mainly because of cost. Never really had a problem with them.

I stopped using GoDaddy when Bob Parsons started opining in public about national politics. I'd rather pay an extra couple bucks a year than support that nut. Though where certs are concerned, StartSSL also has the benefit of being cheaper.

The only thing I've seen that didn't trust their cert was an old SonyEricsson phone. Might be worth watching if you do retro-mobile.

Why do we have to have ssl cert providers? I understand when you're doing ecommerce, it makes sense. But for a website that is just trying to do SSL to get past firesheep, or simply because they are transmitting sensitive information, doesn't it make sense to allow them to just encrypt their traffic?

To answer the actual question, we use GoDaddy.

> Why do we have to have ssl cert providers?

Because the web has a broken security model.

By default, the only way that a web browser can know that the site gave it the right cert (as opposed to someone intercepting the connection with their own cert), is if it's signed by one of a couple hundred "trusted" providers who are supposed to be careful to not give certs to the wrong people.

Something like [Perspectives](http://www.cs.cmu.edu/~perspectives/) should be much more secure and can be more decentralized, but unfortunately isn't included with any default browser installs. It can't provide the same link to a meatspace identity, but you very rarely care about that (basically just for ecommerce) and it could be used in conjunction with a CA-based system for that anyway.

The certificates are unverified by a trusted certificate authority, so anyone can perform a man-in-the-middle attack by providing a different certificate to clients, allowing the bad guy to decrypt the information.

(edit: clarified wording)

It wouldn't be like that if you're using a self-signed cert.

I use GeoCerts

I've bought and installed about a dozen different certificates from them, even some of the high-ticket ones that need a background check during the application stage.

Interface is good, price is right. No complaints.

We use digicert and have been super happy with them.

Also using digicert. We're a nonprofit and they cut us a nice deal on a wildcard cert.

Non profit here as well and we get great rates from Digicert.

StartSSL (http://www.startssl.com/) is super rad. Basic certs are free; wildcards are only $50; their validation isn't a joke; and they are a trusted CA on Firefox, Safari, and IE.

Check your hosting company, they may have a deal to resell certificates and may provide installation for you. I got a certificate significantly cheaper than listed on the GeoTrust site.

I use servertastic https://www.servertastic.com/ssl-certificates/ usually with the RapidSSL one: https://www.servertastic.com/order/rapidssl/ Servertastic resells from a large number of SSL providers. Avoid GoDaddy to avoid the cert chaining headache.

I've used RapidSSL for domains I registered through Namecheap, since they offer them for around $10, and had good experiences thus far.

Same here. A step up from GoDaddy as there's no cert chaining. It's surprising how much cheaper it is through NameCheap than directly from RapidSSL ($10 vs $79).

Most of the certificates I use are self-signed. For the others, I get them through Gandi (a 1-year certificate is included with each domain registration) and my webhost, SoftLayer (they resell RapidSSL certificates for $20 a year).

Myself. I run my own CA for internal use and sign all my own certs, and occasionally those for customers. This works only because I generally control all the devices that the certs will be used on - I wouldn't use this on public facing sites.

Wildcard certs are expensive last I checked, but simply too useful to ignore.

Verisign. They are probably the most expensive CA available, but they are absolutely worth it if you ever intend to provide secure user sessions to the proverbial Aunt Millie.

Their identification verification process is fully automated now (phone + web), so most certificates are issued within a few hours of CSR submission.

How does Aunt Millie distinguish Verisign certs from those of any competitor with good browser support? Are we just covering the case that she might be using Netscape 3, or is there another angle I'm not seeing?

It has nothing to do with browser support, although that has been an issue in the past. It has everything to do with Aunt Millie "feeling secure" when she sees the Verisign Secure Seal more so than, say, the GoDaddy Badge.

It's all about the conversion rate, basically.

Can you back your assertion up with some evidence?

"Seals" used to be quite popular some years ago (e.g. TrustE seal and the BBB Seal), but they seem to get less press these days, so I wonder how important they are for conversions.

Has Aunt Millie really heard of Verisign? May actually have heard of GoDaddy though due to the advertising.

Not linkable evidence, no, although Verisign has their own collection of user stories claiming huge conversion increases in their marketing literature.

We have done A/B testing on Verisign seals vs no seals vs generic "Secure Site" seals we created. There is a statistically significant increase in conversions with the Verisign seal vs the other two options.
