If you just want to secure a login page for your own personal use, get a free cert from StartSSL.
If you need to give access to the page to more people, it's best to get a cheap cert from Comodo, etc. because they're compatible with more mobile devices. Don't spend more than $15.
If you intend on selling something from the site, I'd recommend getting some form of company validation on top of the standard domain validation which is performed when buying cheaper certs. GeoTrust, Comodo, Globalsign, etc. can help. It should cost less than $100.
The best certs to get to re-assure your customers are the EV ones. No need to go full Verisign and waste a ton of money on them, you can get them cheap-ish from Globalsign, Comodo and Geotrust resellers.
If you're getting a cert generated by an established certificate authority, it doesn't really matter who you buy it from. Aim for the best price for the level of support that you want to get.
StartSSL.com offers free yearly simple SSL certificates, and are supported by all major browsers. If you want higher-grade, you'll have to pay.
They're very open about wanting to provide free simple certificates for everyone.
What's the difference between a simple certificate and something higher-grade? What does the simple certificate lack that a higher grade certificate provides?
Exactly! In fact, the change to green, out of the ordinary lack of it, might make them think something is WRONG, not better.
These are users who also keep their browser sessions going forever and therefore session cookies never expire - thereby making what was supposed to make something more secure, exactly the opposite.
The free one also won't work with wildcard certs, and will only accept one hostname in the subjectAltName field. My domain is "grepular.com", the certificate needs to contain "secure.grepular.com" for historical reasons. This means, when I use startssl, I can't include "www.grepular.com" in the cert. Unless I pay for a cert.
StartSSL is completely fine for those goals. Pretty much the only effect of an EV certificate is the green bar. (Which is easily worth $150/yr if you're doing millions in e-commerce, of course!)
jorangreef said "RE StartSSL..." then pointed to an article about the problems of SSL w.r.t. mobile apps. Since this is in reply to a very positive post about StartSSL, the obvious inference is that his linked article provides some evidence on why one wouldn't want to use StartSSL. But that's pure FUD because the only mention of StartSSL in the whole article is that they close their connections so two more TCP connections are required to authenticate the cert... but anyone worth their salt would be bundling in the CA cert anyway, obviating the need for those connections.
I don't know what your beef is with 'disingenuous,' but that's exactly what I meant.
OCSP isn't an optional step involved only if you don't present your CA's intermediary certificate, it's in addition to it. The whole point of it is "I have this guy with these legit looking credentials you issued, do you still stand by them?".
You can't work around that with chaining, it can only be disabled from client code, or by having the CA issue a cert that doesn't include an OCSP address (doubt any do this now, given the number of legit certs issued to attackers in the past 2 years).
Some of those numbers don't look correct at all. For example I can't find any host name that takes longer than ~500ms to do DNS resolution over 3G. (That's almost worst case scenario, where everything except the TLD is uncached.)
> We recommend DigiCert — their certificates have very wide acceptance (for example, Facebook uses a DigiCert certificate). Other options include NameCheap and GoDaddy. They have slightly lower acceptance but their basic certificates cost $10 to $20.
FB's been switching over to VeriSign -- at least, in my neck of the woods. I pay attention to certs, so I noticed this and took some time to somewhat reassure myself that no MITM was going on. (If I'm wrong, someone please tell me!)
I paid for one of their certificates (through a re-seller) but they refused to issue it on the grounds that they could not verify my phone number. It was true that it was not in the directories they referred to, but they did not make that clear before selling the certificate.
I would have made a chargeback, but was paranoid about them informing other CAs of the fact - it would be a disaster if I was never able to get another SSL certificate.
Side question: what's the best company for SSL certificates where you're hosting multiple distinct domains for various clients on the same server? I've read about SAN certs, but I haven't found any documentation ...
DigiCert claims that you can add/remove alternative names on already purchased certificates right from their account (you don't even need to include them in the CSR just the primary), but I haven't tried it personally. I wonder about what authentication you, as owner of www.foo.com, have to undergo to add e.g. myapp.client.com to the alternate name.
The downside seems that the organization/country/city fields must be the same, but that doesn't show unless you use EV. The upside is no painful IP acquisition, CSR and renewal process.
As far as I know the only thing that works reliably is to get multiple IPs and multiple (wildcard) SSL certificates. You can try to save a little money by getting startssl certificates (free) or by using SSL host headers (multiple SSL on one IP address), but it doesn't work on all browsers so you end up wasting time explaining to your customers why they get an error when they access their site.
If there is more than one site hosted on a single IP, the client sends a request for the SSL certificate. In the "old" way, the client didn't say to which domain it wants to connect (it only told that after the SSL connection was established), so the server didn't know which certificate to send.
The problem has been solved with SNI, but it isn't universally supported (yet), though we are close (namely IE on XP). With SNI the client basically sends the server to which domain it wants to open a secure connection, so the server can serve the correct certificate.
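The SNI mechanism described in the comment above, as an added example that is not part of the original thread: the standard library's TLS engine is used to emit a real ClientHello (with and without a hostname), a small parser walks the record to find the server_name extension, and a dispatcher picks a certificate file for that name. The hostnames and certificate file names in the mapping are constructed for illustration; the server itself is not implemented, only the part that "knows which certificate to send".

```python
import ssl
import struct

# Constructed mapping for the example: which cert file a server would load
# for each virtual host sharing one IP address. File names are hypothetical.
CERT_FOR_HOST = {
    "www.grepular.com": "grepular.pem",
    "myapp.client.com": "client.pem",
}


def build_client_hello(server_hostname=None):
    """Produce the bytes a real TLS client sends first (the ClientHello).

    With a hostname, OpenSSL adds the server_name (SNI) extension.
    With None, no SNI is sent: this is the "old way" where the server
    cannot learn the requested domain before choosing a certificate.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if server_hostname is None:
        ctx.check_hostname = False          # otherwise wrap_bio demands a hostname
        ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello has been written, client now waits for server
    return outgoing.read()


def extract_sni(client_hello):
    """Parse a TLS record holding a ClientHello; return the SNI host or None."""
    if len(client_hello) < 5 or client_hello[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", client_hello[3:5])[0]
    body = client_hello[5:5 + rec_len]
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]

    pos = 2 + 32                                     # client_version + random
    sid_len = hello[pos]
    pos += 1 + sid_len                               # session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2 + cs_len                                # cipher_suites
    cm_len = hello[pos]
    pos += 1 + cm_len                                # compression_methods
    if pos + 2 > len(hello):
        return None                                  # no extensions at all
    ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        data = hello[pos:pos + ext_size]
        pos += ext_size
        if ext_type == 0:                            # server_name extension
            list_len = struct.unpack("!H", data[:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                name = data[q + 3:q + 3 + name_len]
                if name_type == 0:                   # host_name
                    return name.decode("ascii")
                q += 3 + name_len
    return None


def pick_certificate(client_hello, default="default.pem"):
    """What an SNI-aware server does before replying: choose the cert by name.

    A client that sent no SNI gets the default certificate, which is exactly
    the mismatch error users of old browsers (e.g. IE on XP) run into.
    """
    host = extract_sni(client_hello)
    if host is None:
        return default
    return CERT_FOR_HOST.get(host, default)


if __name__ == "__main__":
    print(extract_sni(build_client_hello("www.grepular.com")))   # www.grepular.com
    print(extract_sni(build_client_hello(None)))                 # None
    print(pick_certificate(build_client_hello("myapp.client.com")))  # client.pem
```

The parser deliberately stops at the first host_name entry; the extension allows a list, but TLS clients send exactly one, and a server that keys its certificate lookup on anything beyond that first name is relying on behaviour no client exhibits.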
They say you also get a free 1-year certificate with domain name renewals, implying that if you renew your domains for 1 year you can get a perpetual stream of free certs.
Slightly off topic, but how are people using SSL with App Engine? Last time I checked they didn't support SSL on your own domain. I'm not sure if this is similar for e.g. Heroku. I presume most non-trivial apps would have some kind of secure login.
Well how can you trust a company you have never dealt with before? It used to be that SSL certificates were a mark of insurance, proof that they had thought about securing your data in transmission, and proof that someone had validated the company as being real (like an auditor should). Nowadays points 1 and 3 are no longer true.
We've used Comodo certs for our projects, given out for free by our provider SSD Nodes (http://www.webhostingtalk.com/showthread.php?t=1122631). I think the certs by themselves are $9-10/year if you decided to get them on your own.
I get ours through our registrar (who also does our sideproject hosting), DreamHost. They have $15/year certificates (via Comodo), and you automatically get both the root and the www. subdomain of the certificate, included in the price.
What's your goal? There are all types of certificates, some cheap and some expensive. If you're aiming for cheap, companies like Namecheap and GoDaddy sell them for peanuts but they're "cheap" certificates, not with bells and whistles.
All EV certificates provide that feature, not just the ones sold by Verisign. Are you a paid shill of Verisign?
In general, no one should ever do business with Verisign, due to their practice of domain slamming, their Site Finder misfeature, and other shady practices.
"VeriSign was sued in 2002 for their actions in sending ambiguous emails informing people, often incorrectly, that their domain was about to expire and inviting them to click on a link to renew it. Renewing the domain resulted in the registration company being transferred to VeriSign from the previous registrar."
Ok, I didn't know that. What I should investigate is whether the same people that authorized those shady tactics are still in charge there (or whether that culture persists).
Mostly, they are the same. There are some "addons" that are possible with SSL certificates. For example wildcard certificates which are valid on all subdomains, included support, encryption strength, browser support and others.
I use http://exoware.net/ They're a small company, but they care and they do a good job so we get along just fine. SSL starts at £15 a year and goes up. £70 per year for a wildcard.
You might care about your cert. However, your users do not care at all. Most users (not most HN readers!) have no idea what the difference between certificates is.
Do you really think users pause to check what type of SSL certificate the site has? .. And what CA had signed that certificate? They don't -- even when they access their bank.