Cheap SSL Certificates for Small Websites?

zaqattack911 asks: "In the workplace today it is becoming more and more common for everyday applications to be accessible over the web. Just about all the booking and tracking systems at my job are handled via web-apps these days. Along with this trend, is the increased need for secure transactions over the web. Just about all of the apps on my webserver are going to be SSL only. Some of them are for internal use only, some for the outside internet to use. Is there a cheap alternative to getting your certificates signed? Self signing my certificates works of course, but just about all browsers make a big fuss about it. Verisign asks for about 400$ initially, and 300$ to renew a certificate every year. This seems like a scam to me, and I'd love to know if anyone knows of alternatives out there? Is there a way to get around the certificate signing business? I looked at a company called RSA Security which allows a company to 'self sign' and use their accepted signature. The website doesn't mention the price, and I'm sure it's not very affordable. What else is there?"

although this sounds like an advertisment...

[r00tarded (553054)]

a bunch of excellent geeks I know use entrust [entrust.com].

DirectNIC.com does SSL certs for $99/yr

[by Anonymous Coward]

Title says it all

Re:although this sounds like an advertisment...

[dildatron (611498)]

I just checked them out. Decent prices. Their prices are here [entrust.com] for those who are interested.

Re:although this sounds like an advertisment...

[quacking duck (607555)]

I used to work there, and there's a fairly good reason international prices are much higher.

Entrust is a company headquartered in the US but with the bulk of the workforce in the US. When applying for an SSL certificate, there's a very stringent set of rules set out by both US and Canadian governments that they have to follow in order to verify that the person requesting the certificate in fact represents the organization he/she claims to, and that the request for a certificate was authorized.

Verification requires three independent contacts within the requesting organization. These can be managers, sysadmins, billing, etc. All three need to be contacted.

Calling these contacts up can get expensive when you handle a lot of international orders. International information like addresses can also be difficult to verify halfway around the world, too, adding more costs. This is partly why Canadian prices scale up with the US exchange rate, but international ones are so much higher.

The OTHER reason it's a bit higher is that Entrust doesn't WANT to have to handle international verifications, preferring to pass that on to their affiliates located around the world. This way, customers place the order through the affiliated site (at a price that's supposed to be a fair bit lower than the international pricing Entrust itself offers), the affiliate handles the verification themselves. Since affiliates are located in the same geographic area as their customers, they're better qualified to judge whether the info is correct or not. Once the affiliate has verified the information Entrust issues the certificate.

So if you're not based in the US or Canada, check the list of affiliates [entrust.com] to see if there's an affiliate in your country that offers lower "international" pricing. Don't mean to sound like a sales agent, but that's why affiliates are there.

Thawte

[JM (18663)]

They charge $199 for certificate, and have a pretty good service. I've been using them for years.

Re:Thawte

[the eric conspiracy (20178)]

Thawte IS Verisign - bought out a couple of years ago.

Re:Thawte

[Software (179033)]

I agree that Thawte is as good as Verisign. But they are a subsidiary of Verisign [thawte.com], so that's not too much of a surprise. They seem to operate pretty independently.

What is surprising is that their prices are cheaper than the parent company's. I like their SPKI program [thawte.com], which allows you to get 5 certificates for $500.

Re:Thawte

[letxa2000 (215841)]

No kidding. I was expecting no paperwork to be necessary on renewal. In my dreams. They asked for an entirely different sent of annoying paperwork when I tried to renew, and had raised the price by about $40.

That pissed me off and got me shopping. Within 3 days I had my certs issued by InstantSSL. $49/year, no fuss.

Might want to check.......

[tiwason (187819)]

The stories /. has already had on the topic....

Why Are SSL Certificates So Expensive? by Cliff with 192 comments on Sunday March 18, @04:48PM
http://ask.slashdot.org/article.pl?sid=0 1/03/18/18 55230&mode=thread&tid=93

Are FreeSSL Certs Worthwhile? by Cliff with 8 comments on Friday September 07, @11:50AM
http://ask.slashdot.org/article.pl?sid=0 1/09/06/04 51218&mode=thread&tid=148

Poor Cliff

[uberdave (526529)]

Why Are SSL Certificates So Expensive? by Cliff with 192 comments on Sunday March 18, @04:48PM http://ask.slashdot.org/article.pl?sid=01/03/18/18 55230&mode=thread&tid=93

Are FreeSSL Certs Worthwhile? by Cliff with 8 comments on Friday September 07, @11:50AM http://ask.slashdot.org/article.pl?sid=01/09/06/04 51218&mode=thread&tid=148

Poor Cliff. Perhaps he will get an answer this time around.

Certificate Services on Windows 2000

[by Anonymous Coward]

You can use it to create certs, and you can even add your organization to the browsers trusted organizations so the users don't get an error message.

QuickSSL

[by Anonymous Coward]

Rackshack.net [rackshack.net] has a link to a $49 QuickSSL certificate [rackshack.net]. I haven't used them, but it sounds like a good deal.

Is it any good if most browsers reject it?

[HotNeedleOfInquiry (598897)]

I couldn't find rackshack listed in any of the "approved" signing sources for mozzila or netscape.

No Real Options, Sorry

[sabat (23293)]

There aren't really many options, because the browser has to recognize the signer, and the major browsers only recognize Verisign (and Thawte, which is also Verisign).

RSA is the company that started Verisign, so you can guarantee they'll not be of help.

If this is a situation with a limited client base, like a company, you can self-sign and send everyone your CA certificate and have them all import it into their browsers (all browsers support this, I believe). But what a pain.

I wish the news was better, but you're right -- it's a scam. The problem isn't technical; it's political.

Re:No Real Options, Sorry

[1984 (56406)]

This is somewhat misleading. I bought a cert for a smal personal Web server from Comodo [comodogroup.com], since it was cheap (about $60). It works fine with (i.e. is trusted by) all 4.7x Netscape and above, all IE 5 and above.

The only point of buying one, after all, being that visitors aren't subjected to confusing warnings about certificates.

Besides that one certificate I haven't dealt with Comodo so won't recommend at random -- but they supplied the certificate quickly, cheaply enough, and it works.

Re:No Real Options, Sorry

[lylonius (20917)]

Actually, you are mistaken.

Today's browsers (even the first SSL enabled browser, Netscape 2.0) recognized _dozens_ of certificate authorities. Besides Verisign and Thawte, there are RSA, Entrust, and others.

You are also mistaken that RSA started Verisign; RSA Security was the company that licensed the RSA public-key algorithm. They actually compete directly with Verisign as a CA.

To see for yourself:
(Netscape|Mozilla): Edit->Preferences->Privacy->Certificates
IE: Tools->Options->Content->Certificates

Re:No Real Options, Sorry

[God! Awful (181117)]

You are also mistaken that RSA started Verisign; RSA Security was the company that licensed the RSA public-key algorithm. They actually compete directly with Verisign as a CA.

Check your facts before you post. RSA was in fact spun out of Verisign [businessweek.com]. Just because they compete now doesn't mean that they weren't ever affiliated.

-a

Re:No Real Options, Sorry

[Kragg (300602)]

Fool. that very article says that VeriSign was spun out of RSA.

Re:No Real Options, Sorry

[stefanlasiewski (63134)]

Verisign bought Thawte about 2 years ago.

As I understand it, Thawte mostly deals with customers outside of the US (which has been their domain for years). Verisign mostly deals with customers inside the US and Canada.

I they they are mostly two distinct entities, with 2 different sets of managers (A few managers probably work both sides of the fence). The profits from both entities drop in the same bucket.

Thawte's support used to be much, much better then Verisign's support. Let's hope they spread the Thawte philosophy among the Verisignites...

It is a scam

[dnoyeb (547705)]

I say the same thing about signing my Java applets. Sun only puts Verisign or Thawte root certificates. So if you want to avoid your customers seeing some redicuouls

"Jesus!! this software is unsigned!!!"

message, then you gotta buy the certz. I am self signing right now. I would love if OSDN could have their own root certificate and let us public folks buy from them. Any malicious signers will be found out quickly so whats the big deal???

I think this signing thing is DRM in action. Nobody is realizing it yet.

Re:It is a scam

[ADRA (37398)]

"I think this signing thing is DRM in action. Nobody is realizing it yet."

I think everyone is realizing it, but doing nothing about it. It is one of those sticky technologies that can be used for good and evil. There is and always will be good uses for this technology like the way it is being used today, but on the other hand, forcing certificates on those that just want secure internet connections seems rather arguable to me, but since it is in spec there isn't much for us to do until I take a flame thrower to all the anal-monopolistic companies.

Just to clearify the DRM == cert part, I think the nature of DRM forces anyone who implements that security mechanism to use certs.

The real problem when internet connected devices become more pleantiful, and central authorities like Microsoft and Verisign start signing everything under the sun. Running a program on Windows 2004:

#bash
- Error 31337 -
Problem: This program has not been signed by an
application trusted provider.

Solution: Bend over and take it like the
mule that you are
-

#Format C:

- Error 31337 -
Problem: This program has not been signed by an
application trusted provider.

Solution: You can never escape us! MWAHAHAHAHA!
-

DRM -- You nailed it

[serutan (259622)]

Yes, and this is just a preview of the next economic layer that is going to be laid on top of the Internet with the arrival of Palladium. What do you suppose you will have to do to get your content enabled so everybody's PC will be allowed to open it? It's not just a scam, it's maybe the ultimate scam. Inflict the publishing industry's business model on the Internet by taking control of all the hardware connected to it.

These bastards are pure evil.

Cheapass trusted SSL certs

[pablos (122458)]

You can purchase a ridiculously cheap ($50) 128bit SSL cert, trusted by browsers from http://www.geotrust.com

All you need a valid credit card to get a
cert. The CA key is loaded in almost all of the browsers, the notable exception being Opera.

They do send a 'auth check' by emailing the domain admin contact you can select.

The entire ordering process (including filling out forms) takes less than about 5 or ten minutes.

This should SCARE you if you're relying on the security provided by Veri$ign and the root that ship with browsers. - pablos.

Re:Cheapass trusted SSL certs

[letxa2000 (215841)]

Most (normal) people don't even know that businesses with secure pages have supposedly been "verified." Thus it really doesn't matter who you purchase the certificate from as long as it doesn't pop-up a browser warning. No-one is going to do business with a site they don't trust. It's not like you go to a site, and say, "Wow, these guys look real shady. But heck, they have a Verisign cert, ok, no problem." That doesn't happen.

Building trust is an issue between the website and their potential customer. If the customer trusts the site, they're going to buy regardless of who signed the cert. If they don't trust the site, they're not going to buy regardless of who signed the cert.

Verisign and Thawte are, for obvious reasons, trying to promote the idea that their certificates cost more because users somehow trust their verification process more. That is BS. No-one cares because each individual person decides whether or not to trust the website in question.

In reality, all people want out of SSL is encryption. The decision to trust the business in question is always going to be the customer's and that decision will not be influenced by who signed the cert.

Free root cert project

[kylegordon (159137)]

You may find what you're after over at http://www.cacert.com [cacert.com] The creator of this website believes that trusting someone should be free, and is doing his best to make this happen.

Re:Free root cert project

[V. Mole (9567)]

Nice idea. Unfortunately, the MD5 fingerprint on the root certificate doesn't match what the webpage claims it should be. This leads to doubts...

I suspect what happened is that they issued a new certificate on September 15th, and forgot to update the webpage. But that kind of sloppiness is not reassuring, and the fact that nobody has fixed it in 17 days indicates that it's probably not very widely used. (And yes, I e-mailed the webmaster about the problem.)

Easy one

[shurdeek (571257)]

There is a nice page, http://www.whichssl.com. Through the comparison tables there I found comodo's http://www.instantssl.com. I generated a demo certificate first and after I had no problems with it, I bought it. For $49 a 128 bit, not 40. Recommended.

That's interesting

[petard (117521)]

WhichSSL [whichssl.com] is nothing but an ad for Comodo:

Registrant:
Comodo Research Lab Ltd
10 Hey Street
Bradford, Yorkshire BD7 1DQ
US

Registrar: Dotster (http://www.dotster.com)
Domain Name: WHICHSSL.COM
Created on: 25-JUN-02
Expires on: 25-JUN-04
Last Updated on: 25-JUN-02

Administrative Contact:
Abdulhayoglu, Melih steve@comodo.net
Comodo Research Lab Ltd
10 Hey Street
Bradford, Yorkshire BD7 1DQ
US
+44 1274 730505
+44 1274 730909

Technical Contact:
Abdulhayoglu, Melih steve@comodo.net
Comodo Research Lab Ltd
10 Hey Street
Bradford, Yorkshire BD7 1DQ
US
+44 1274 730505
+44 1274 730909

Domain servers in listed order:
DNS01.EXODUS.NET
DNS02.EXODUS.NET
DNS03.EXODUS.NET

InstantSSL

[aldjiblah (312163)]

Just switched from Thawte (adding $100 each year for your certificate services is NOT a good way to hold on to your customers, Thawte!) to InstantSSL [instantssl.com].

At $49 a piece for standard certificates they're the cheapest my company could find when we went looking last month. So far I have no problems recommending them.

Everything you need to be a certifying authority

[Chuck Chunder (21021)]

comes with openssl [openssl.org]. It even has a nice perl script to make it easy.
What Verisign and co have that you don't is their root certificates installed with the browsers by default. For internal use you should have no problem using your own certificates. For external use, where an existing business relationship exists (ie you aren't selling to the public, but to people who can trust your cert because they know who you are) it should take little more than a quick explanation.

It's not as much of a scam as you think.

[antis0c (133550)]

Sure we all hate VeriSign for all kinds of reasons.

However when you get an SSL Certificate from VeriSign and some of the other Cert signers out there, you are getting two things.

The most commonly understood thing you are getting is the encryption thats automatically accepted by just about any modern browser. However, the reason it's automatically accepted is because VeriSign is suppose to verify the identity of the business. This is why they require a Duns and Bradstreet # (It's a business credit identifier). This way you know when you're going to https://secure.yourdomain.com to enter your credit card information, that you are indeed still on yourdomain.com and that your information is encrypted, and verified to be sent to the company you intend to send it to.

So if all you are concerned about is encryption, just generate your own. It will however throw a warning in just about any browser that the identity of the site can't be verified. Other than that, cost of this service isn't going to drop very dramatically without losing its verification services.

I understand though, that browser warning annoys me too.

Re:It's not as much of a scam as you think.

[g4dget (579145)]

However, the reason it's automatically accepted is because VeriSign is suppose to verify the identity of the business. This is why they require a Duns and Bradstreet # (It's a business credit identifier). [...] Other than that, cost of this service isn't going to drop very dramatically without losing its verification services.

That would be a fine argument if they actually do any significant verification. My impression is that they don't.

I think it's foolish to rely on VeriSign or anybody else to guarantee that the company on the other end is who they claim they are. And you don't need that anyway--you don't get that protection for mail order either, and, besides, lots of people can get your credit card number without all the hassle of setting up a web site.

What matters ultimately is the money trail: not VeriSign, but MasterCard, needs to know where your money went and get it back for you. That's their responsibility as credit card companies.

Re:It's not as much of a scam as you think.

[antis0c (133550)]

I agree. Thats why I said "VeriSign is suppose to" and not "VeriSign does". Obviously they don't, remember the whole fiasco with them giving out a cert to someone posing as Microsoft? I'm just saying, thats the idea. I don't agree with it. :)

RSA Who?

[Blrfl (46596)]

Never heard of 'em. Must be some fly-by-night operation. :-)

Create own CA, don't just self-sign

[coyote-san (38515)]

You're going at the problem wrong. Don't worry about getting your clients to accept a self-signed cert, worry about getting them to add your own root certificate to those they trust.

This is actually straightforward - you point them to a URL that returns the root cert, with MIME type application/x-x509-ca-cert, and tell them to accept it for all uses when the broswer pops up a dialog box.

You should then use this root cert to sign your web server certs (and certs for mail servers, databases, whatever). All should be trusted immediately, assuming you have your other ducks in a row. (E.g., you need to have your web server cert's common name resolve to the IP address of the web server.)

It's a bit more work to maintain a mini-CA than to just use self-signed certs, but overall the benefits outweigh the hassles. Many of us are working on JSP tools to operate mid-range CAs, but I don't know how far most are. (The problem is Microsoft's eternally changing standards on how clients generate the cert request on their side - I can handle Netscape/Mozilla with ease, but it seems like every version of MSIE is just slightly different.)

this is a bad idea, security-wise

[Trepidity (597)]

I would be very hesitant to add you, someone I do not know or have a particular reason to trust, as a CA. I wouldn't mind accepting your self-signed certificate to do an SSL transaction with your site, but adding you as a CA is a much bigger security risk. If I do that, you can then sign certificates for any site, including sensitive sites like my bank's. Then you, as a potentially malicious CA, can trick me into accepting false certificates identifying my bank's site.

Thus if you don't want to use a certificate signed by the major CAs, then please just self-sign. I have no problem accepting self-signed certificates, but adding random sites you don't know as CAs is a huge security risk that no one should do (so it'd be nice if you didn't require people to do it in order to visit your site).

Re:Create own CA, don't just self-sign

[paco verde (561678)]

The parent post is exactly how we do it in our organization (a non-profit with not a lot of money for certs, but lots of things we want to run over SSL). Once someone trusts your root cert you're good to go.

I mostly figured out how to set it up from the Apache mod-ssl module FAQ at http://www.modssl.org/docs/2.8/ssl_faq.html#ToC29 [modssl.org]. BTW, mod-ssl comes with a nice little signing script that is quite handy.

Once I got the hang of it with Apache sites I used the technique in the FAQ almost verbatim to produce certs for our IMAP and SMTP servers.

You might also check out http://www.openca.org/. I'm not using it, but if I was starting over I would be looking into it.

Just exploit the IE SSL bug

[giminy (94188)]

Have your company buy a key, then create signed keys for your domain private domain with it as the issuing key. Nobody will know, as most people still use IE, and it still has that fun bug.

Google is your friend.

[Eric Seppanen (79060)]

CA links [pki-page.org]
CA links [netscape.com]

If your the IT Department

[mystik (38627)]

... and can manage an installation of certificates on all clients, you can create your own certificate authority all by your self.

Here are some *SIMPLE* instructions for building a self-signed CA cert, and then signing SSL certs for servers. Any real implentation should probably be assessed for security (like ca-generation on an isolated machine, etc ...)

• openssl req -newkey rsa:2048 -keyout ca.key -out ca.req - Answer all questions it asks
• openssl x509 -signkey ca.key -req -out ca.crt -in ca.req -days 1200 - Self- signs the CA certificate
• openssl x509 -signkey ca.key -trustout -req -out ca-trust.crt -in ca.req -days 12000 - produces a "Trusted certificate"
• use the first step to generate any other certificate requests. Some servers like IIS & Domino have their own request-generation tool.
• openssl x509 -CA ca-trust.crt -CAkey ca.key -req -days 360 -in certificate-request.req -out cert.crt -CAserial ca.srl [-CAcreateserial] - to sign requests. The first time, you'll have to use CAcreateserial

That's pretty much it. mix into your IT operations as nessecary

Certs prevent Man-in-the-middle attacks

[adamy (78406)]

Certs prove you are who you say you are, not that you are a reputable company. Otherwise, someone can spoof your IP address and or domain name, collect your clients secure information, and the whole process is encrypted using the attackers keys, not yours.

It is a boot strap problem. Since your clients connect to your over the web, there is no way to prove that you are really you. Instead, you say, my CA (e.g. Verisign) says I am me, and hand them something they can use to verify that info. The browser checks the cert that your site offers, and using the Verisign public key, can ensure that you are actully signed by verisign. The fact that Verisign's public key was shipped with the browser means that the trust chain goes like this:

Install disk (or Download from Mozilla site)->Verisign->You

You can become your own CA, but that borken link is still there.

Another option is to use something like PGP or hand delivered Certs, which would work for an internal website or a limited audience.

Adam

Government and more flexible signed assertions

[Fastolfe (1470)]

This is the situation where we need the government to step in. We're all getting driver's licenses from the government, passports, etc., and these are really the only real-world pieces of identification people accept. What we need is for the government to step in and issue digital ID's, to individuals and corporations. These ID's would tie us to whatever electronic identifiers are appropriate (domain names and/or e-mail addresses), and appropriate delegation would be permitted from there.

We just need the a trusted authority (for certain definitions of 'trusted' and for the definition of 'authority' that is ubiquitously recognized instead of decided by the highest bidders in the browser wars) to make digital assertions.

You'd start with certifying identities: my state might sign a certificate certifying my name, maybe driver's license number, perhaps address and even a photograph. I should now be able to sign e-mails with this now independently of my e-mail address. The resulting signed message could carry whatever signed assertions I wanted to put on it. (Probably my name and maybe my photograph.) I can't forge these, because these components are signed by the state in connection with my identity. A posting to a self-help group might just assert my identity in the form of a photograph and an unsigned nickname.

Taking this a step further, I should be able to use this ID to sign other things, even web sites. This will require changes to the way users perceive an "authenticated" web site. If I go to a bank at www.example.com today, they have a certificate that basically states "www.example.com is Example Bank, and their identity is certified". What my own signed web site might assert is "www.example.com is Joe User". User agents need to give more weight to the name here and less weight to the fact that the domain name matches what's in the certificate.

Extend this now to corporations. When a corporate charter is created, a digital ID for that corporation is created along with it and signed by the state of incorporation. That corporation can now sign assertions like "Joe User is the CEO of Example Corporation".

So now, when Joe User sends an e-mail, he can include this information:

• Joe User (signed by the state of residence)
• (Joe's picture, signed by the state)
• Job Title: CEO (signed by Example Corporation)

At this point, we really have a framework to allow the signing of most any type of assertion. If someone feels that we still need a signed DNS-based model, we'd do this within the DNS framework. I.e. registrars, when creating a domain, would also create a certificate for the domain name created and pass that on to the new owner, who can now sign for sub-domains as needed. When presented with www.sub.example.com, we have "www" signed by "sub" signed by "example" signed by one of the registrars for ".com".

Some of these concepts will require a re-thinking of the way we approach authenticated online identities. We need to stop placing so much importance on online identifiers (like domain names and e-mail addresses) and start paying attention to who is making those assertions. I can sign an assertion stating that my e-mail address is 'joe@example.com', but unless that's really my e-mail address, it's not going to do anyone a whole lot of good. If I go around forging e-mails from joe@example.com and including that signed assertion, everyone should be able to take one look at that and say, "Who the hell is this guy claiming to be joe@example.com?". Only the guy with the certificate stating the assertion that he is "joe", signed by "example", signed by a valid registrar for ".com" would be able to say that with any authority.

A lot of this can be done today with signed/encrypted XML [w3.org], provided we have a common framework to start sharing the assertions.

The certificate 'business' is a scam for 3 reasons

[Xeger (20906)]

1) Almost every known root CA targets businesses as their primary customers. The prevailing mentality seems to be that if you want to secure your HTTP server's connections to members of the general public, you must be running some sort of business. Their cost per certificate is nothing; you are paying them not for the certificate itself, but for a certification of your trustworthiness as a business.

But what if I'm offering a free service, which nonetheless requires that my users have absolute trust in their browsing security? What if I'm running a nonprofit organization? If the CAs were truly interested in security, they would offer a low-cost alternative for people who are offering free services, and perhaps a free certificate for non-profit organizations.

You may point out that I can now get a cheap certificate for $50. While this is true, the low price of certificates these days is the result of market pressure. These guys aren't lowering their prices out of the goodness of their hearts, or to help Joe Q. Webmaster who wants a secure website. They're doing it only in response to competition.

2) 'Wildcard' certificates cost an absurd amount of money, usually $500 or more.

Excuse me? The entire premise of the certification, is that Thawte (or VeriSign, or whoever) is certifying my trustworthiness as an organization. As such, it shouldn't matter whether I have one, ten or a hundred DNS names associated with my website and with my organization. By forcing you to buy separate certificates for your web server's DNS name, your mail server's DNS name, your LDAP server's DNS name and others, they are extracting even more money from your wallet. Even if all my services are hosted on the same machine, I must pay hundreds of dollars extra for the privilege of giving them separate aliases. The only other alternative is to host all of my services on one machine, under one DNS name. Thank you so much, VeriSign, for sticking your nose into my system administration.

And, finally,

3) VeriSign, the biggest fish in the pond, has demonstrated on more than one occasion that it is in fact not trustworthy.

Remember the incident involving a falsely-issued code signing certificate for Microsoft? That's right! This supposed paragon of trustworthiness gave some unknown cracker free reign to masquerade as the largest software company in the world. If they're that damned vulnerable to simple social engineering...then why did I pay them $200 or more, again? What exactly were they certifying?

From the start, the entire digital certificate business has been about politics and moneymaking, nothing more. It's a pity that we're forced to live with it.

Where is the opensource SSL community?

[Sarin (112173)]

I wouldn't pay more than $25 for a ssl certificate this a year, which is a reasonoble price, but still too much! Perhaps I'd even make use of a recent bu in ie.

What is the meaning of this ssl certificate?

It's less than 1 kilobyte (remember this term from the 80's?) and it's stored on a socalled certified system so they can check if the certificate is true.

The whole secure web server could be corrupted with a dozen of exploits by missing only a couple of security patches.

I mean this whole thing does reeks of greedyness.

Shouldn't be the opensource community bring out their own SSL certificates. The opensource browsers should neglect the standard certificates, since they don't mean anything anyway.
The certificates that are accepted by opensource browsers are the ones that are certified by a nonprofit organisation, the only way to be recognised by the browser is that the database of this organisation is sure that the server is maintained well.

What are you paying for otherwise?

Be your _own_ CA. Why pay anyone?

[jdreed1024 (443938)]

from the why-can't-we-be-our-own-certificate-authority dept.

Er, um, you can. It's trivial to be a certificate authority. You simply need to read a couple of HOWTOs and understand how X.509 certificates work. At MIT for example, we are our own CA. The MIT CA signs all other certifiates, such as certificates for machines that offer secure services, or client certificates for users to authenticate themselves for confidential services. Sure, your browser will claim that it won't recognize the certificate authority. But go ahead and download the root certificate, and tell Netscape you want to accept that certificate authority to certify "Internet sites", and you're all set. You only have to do that _once_. Ever. Just make sure that all your server certificates are signed by the certificate authority.

At MIT we get around the "accepting the certificate authority" problem by re-distributing Netscape with our CA alrady in the database. If your organization isn't big enough for this, then just hand the customers printed instructions on how to do it. Tell them by doing this, you're saving them money, with less costs to pass on.

Commercial Certificate Authorities mean jack shit. All they "certify" is "Joe Schmoe paid me $400, so I will now say that he is who he claims to be." Big fscking deal. Who exactly are they to claim that, anyway? Do they have access to Joe's birth certificate? His passport? His social security record? I had to provide more documentation to get a Massachusetts Drivers License than I did to get a certificate from Verisign. Once the general public realizes this, Verisign will need to find a new source of revenue. I envision a future when certificate authorities can be obtained for a nominal processing free ($30) provided the requestor provides proof of identity (or corporate identity).

Check out www.WhichSSL.com

[Nonesuch (90847)]

Just this week I have started looking around before we purchase a certificate for a semi-private Internet server. I've found the 'WhichSSL.com' site to be very helpful, especially http://www.whichssl.com/faq/compatibility.html [whichssl.com].

Our users are easily alarmed, so we need to use a certificate from CA that is fully trusted by all of the common browsers. This pretty much limits you to Verisign/Thawte. If you expect that most users will have mostly upgraded to more modern browsers, then your available choices increase dramatically.

I am currently considering InstantSSL... so far it's taken two days, and no signed certificate, but the price (free trial, $49/year) is right.

InstantSSL.com

[fwc (168330)]

$49/Year.

Almost instant (like 10 minute) issuance.

Trusted by 99% or so of in-use browsers (IE>=5.0, Netscape>=4.x, AOL>=5, Opera>=5).

Works great. Highly recommended.

use your own CA for your backend servers

[iebgener (592564)]

You might need a certificate signed by a well known CA for your connections from the internet, but for all your backend server you can create your own CA. This will enable you to use a full strenght 1024/128 bit sll for nothing. There is a project called tinyca [sm-zone.net] which enables you to create and signed certificates with your inhouse CA. So you create a CA for your company and add the CA to all your backend server. Once this is done, any certificate signed by your CA will be valid and fully secured.

I have tested it for Apache and Weblogic and Websphere and they work very well.

GeoTrust.com rocks, and is cheap!

[CrudPuppy (33870)]

we use them for all of our commercial sites.

Re:Self-sign

[Anemophilous Coward (312040)]

There is a way to do this with ASP scripting. A good base to start with can be found at this Microsoft Knowledge base article [microsoft.com].

It is a starting point I used to make the root certificate stick. It will present the user with a large-ish alert box asking them if they want to install the certificate. It will only do this once as long as they click 'yes'. Subsequent visits to your site will be automatic from then on out.

This is course is great for internal sites, you can educate your users to click on the box the first time, then they never have to worry again. And they know it's trusted since it came from you. One small caveat, this probably only works on IIS servers and only works in IE web browsers.

- "A non-productive mind is with absolutely zero balance."
- AC