If you just want to secure a login page for your own personal use, get a free cert from StartSSL.
If you need to give access to the page to more people, it's best to get a cheap cert from Comodo, etc. because they're compatible with more mobile devices. Don't spend more than $15.
If you intend on selling something from the site, I'd recommend getting some form of company validation on top of the standard domain validation which is performed when buying cheaper certs. GeoTrust, Comodo, Globalsign, etc. can help. It should cost less than $100.
The best certs to get to re-assure your customers are the EV ones. No need to go full Verisign and waste ton of money on them, you can get them cheap-ish from Globalsign, Comodo and Geotrust resellers.
If you're getting a cert generated by an established certificate authority, it doesn't really matter who you buy it from. Aim for the best price for the level of support that you want to get.
Free SSL cert accepted by all modern browsers https://www.startssl.com/?app=1
They are owned and operated by http://www.startcom.org/
FWIW, I use free certs from startssl.com myself.
If you really want to avoid the "cartel", use cacert.org or a self-signed cert.
IMHO an extremely overrated (and overpriced) feature, which imposes no extra security whatsoever.
You are pointing to a study that was published in 2006. This means the actual data is at least 7 years old.
Can you find a more current example?
These are users who also keep their browser sessions going forever and therefore session cookies never expire - thereby making what was supposed to make something more secure, exactly the opposite.
Will a free StartSSL certificate trigger an 'untrusted source' warning from the browser?
Also, will a free certificate be adequate for encrypting authentication data in a web API?
Also, please check the definition of 'disingenuous', it's massively overused on Hacker News (often in a completely incorrect context).
I don't know what your beef is with 'disingenuous,' but that's exactly what I meant.
You can't work around that with chaining, it can only be disabled from client code, or by having the CA issue a cert that doesn't include an OCSP address (doubt any do this now, given the number of legit certs issued to attackers in the past 2 years).
> We recommend DigiCert — their certificates have very wide acceptance (for example, Facebook uses a DigiCert certificate). Other options include NameCheap and GoDaddy. They have slightly lower acceptance but their basic certificates cost $10 to $20.
I paid for one of their certificates (through a re-seller) but they refused to issue it on the grounds that they could not verify my phone number. It was true that it was not in the directories they referred to, but they did not make that clear before selling the certificate.
I would have made a chargeback, but was paranoid about them informing other CAs of the fact - it would be a disaster if I was never able to get another SSL certificate.
The downside seems that the organization/country/city fields must be the same, but that doesn't show unless you use EV. The upside is no painful IP acquisition, CSR and renewal process.
If there is more than one site hosted on a single IP, the client sends a request for the SSL certificate. In the "old" way, the client didn't say to which domain it wants to connect (it only told that after the SSL connection was established), so the server didn't know which certificate to send.
The problem has been solved with SNI, but it isn't universally supported (yet), though we are close (namely IE on XP). With SNI the client basically tells the server which domain it wants to open a secure connection to, so the server can serve the correct certificate.
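The SNI mechanism described above, as an added example that is not part of this thread: a small parser that pulls the host_name out of a TLS ClientHello's server_name extension (the thing a server, or a passive monitor, reads to pick the right certificate), run against a constructed sample record. The hostname and the extra renegotiation_info extension in the builder are assumed sample values, not data from the thread.

```python
import struct

SNI_EXT_TYPE = 0x0000           # server_name extension (RFC 6066)
HANDSHAKE, CLIENT_HELLO = 0x16, 0x01


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello's server_name extension,
    or None if the record is not a ClientHello, is truncated, or has no SNI."""
    try:
        if len(record) < 5 or record[0] != HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:                # truncated handshake body
            return None
        pos = 2 + 32                          # skip client_version and random
        pos += 1 + body[pos]                  # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]                  # compression_methods
        if pos + 2 > len(body):               # pre-extension ClientHello
            return None
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:             # walk the extension list
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            if etype == SNI_EXT_TYPE and len(data) >= 5 and data[2] == 0:
                name_len = struct.unpack("!H", data[3:5])[0]   # name_type 0 = host_name
                return data[5:5 + name_len].decode("ascii", "replace")
            pos += 4 + elen
        return None
    except (IndexError, struct.error):        # malformed lengths
        return None


def build_client_hello(hostname=None) -> bytes:
    """Constructed sample ClientHello (TLS 1.2 framing, one cipher suite)."""
    exts = struct.pack("!HH", 0xFF01, 1) + b"\x00"   # renegotiation_info, placed before SNI
    if hostname is not None:
        name = hostname.encode("ascii")
        sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
        exts += struct.pack("!HH", SNI_EXT_TYPE, len(sni)) + sni
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"      # version, random, empty session_id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"       # one suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(hs)) + hs
```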
More information: http://www.verisign.com/ssl/ssl-information-center/extended-...
In general, no one should ever do business with Verisign, due to their practice of domain slamming, their Site Finder misfeature, and other shady practices.
"VeriSign was sued in 2002 for their actions in sending ambiguous emails informing people, often incorrectly, that their domain was about to expire and inviting them to click on a link to renew it. Renewing the domain resulted in the registration company being transferred to VeriSign from the previous registrar."
(I don't know the difference between standard SSL certificates and EV ones)
When you care about your cert (validated, EV, etc): DigiCert.
When you don't care that much: RapidSSL from Namecheap.
Why? What's wrong with it?
Do you really think users pause to check what type of SSL certificate the site has? ... And what CA had signed that certificate? They don't -- even when they access their bank.