Choosing an SSL CA?

zentigger asks: "I am looking at renewing some SSL certificates and checking out the various vendors. I seems that just about every major CA has some reason for not using them. Verisign is just evil, Thawte is owned by Verisign, Geocerts has a bad habit of spamming, and Godaddy uses a stupid chained cert that doesn't work for some appliances we have (and they won't let me check out using Firefox). I realize that I could just use a self-signed certificate, but we have too many stupid users that get all confused and whiny when something pops up and asks them unexpected questions. So I put it to you, Slashdot: what CAs do you recommend and why?"

Re:No Answer

[Zeinfeld]

It has been a while since I've seen a post unanswered for so long

That is probably because it wasn't really a question, more sort of a flame against the idea of Certificate Authorities with some unoriginal gratuitous insults thrown in.

Without knowing what he wants to do with the certificate it is impossible to answer the question. If he just wants to connect up to his POP3 server via SSL then self signed is fine. If on the other hand he is setting up the online banking service for a money center bank he

The cheapest one

[ericspinder]

The cheapest one. In the past I used GeoTrust, but I did see that my favorite registar registerfly [registerfly.com] has a 'special' for $16 ('real price' $25). Which is good for 99% of the browsers, and a 'Single root trusted SSL certificate' (I suspect that it is the GeoTrust/Equifax cert in a 'plain wrapper').

For god's sake, don't buy Veri-slime's 'Global Certificate' which was built to allow for a crippled 'international version browser', an idea which was abandoned 6 years ago. A quick check of their site leads me to suspect that they changed the name to 'Financial SSL Certificates for OFX'. I Think that that verisign product represents the last 'one percent', however I doubt if anyone should trust an SSL conntection to those long outdated browsers.

Re:The cheapest one

[narzy]

I'm personally a fan of NameCheap [namecheap.com], they use geotrust, my suggestion is to go with geotrust, I haven't had any problems with them but I do register the cert with a custom e-mail address like ssl@companyname.com that way if it is a spam target it's isolated.

GeoTrust is now Verisign

[dereference]

my suggestion is to go with geotrust

Unfortunately just last month Verisign announced its intentions to purchase GeoTrust. It might suck for any GeoTrust resellers, as Verisign was never very supportive of their resellers.

Here's the press release [verisign.com].

Re:GeoTrust is now Verisign

[C_Kode]

F. Someone cry foul, monopoly, or something. Stop the chaos. I've been using GeoTrust since about 2001ish because of how much I hate Vericrap. This will mean Verisign will own all the major CAs right? (the ones supported by 99% of browsers?) When I started with GeoTrust they weren't quite their yet but were gaining fast. Over the last few years they have been great!

RegisterFly works fine

[Anonymous Coward]

I've used them too.

The register-fly website is an example of how not to dimension your server farm for a beautiful PHP driven app. That aside, their Cert. "just works" and whoever's auth. server it actually points to is pleasantly fast.

A recent article suggested similar:

[Anonymous Coward]

For those who missed it, this /. article about a similar topic [slashdot.org].

I think the most interesting post that time was that the US military and Microsoft [slashdot.org] both use self-signed ones -- which makes a pretty strong case that (if you're a B2B company) your company should sign it and your customers should add your company to the trusted authorities. If your're a B2C one, choose the cheapest one that FireFox and IE trust by default.

Small B2B probably shouldn't self-sign.

[Kadin2048]

I'm not sure that I agree with this:

which makes a pretty strong case that (if you're a B2B company) your company should sign it and your customers should add your company to the trusted authorities

If you're a B2B company and have good recognition, like the U.S. Government/military and Microsoft both do, then by all means sign your own certificate. But if you don't have any name recognition, as Joe's Pretty Good Office Supplies might not, then you might still need to get a certificate signed by someone who d

Re:A recent article suggested similar:

[duffbeer703]

I strongly disagree. The military & Microsoft have very stringent security policies surrounding the storage of their private keys. They don't maintain their keys internally to save money -- they do so for higher levels of security.

Keeping your private key on a co-located server or on a CD in your CEO's liquor cabinet opens you to a world of potential hurt.

Re:A recent article suggested similar:

[theonetruekeebler]

Well, that and the fact that Microsoft usually insists on eating its own dogfood. As for the other, who's gonna stop them? Plus when you go to them and say, "Oh yeah? You and what army?" They can just say, "Nope, just us."

Re:The cheapest one

[x2A]

I've used litessl, now positivessl, who are very cheap (£10/year), and very quick to verify/install. I tried two others, rapidssl and err... someone else I forget, and had problems with both in the verify stage (eg, rapidssl: do the first step, then wait for the second step email to come through... and wait... and wait... and give up and go somewhere else. Second email comes through 2 weeks later).

Re:The cheapest one

[D'Sphitz]

i've ordered around a dozen RapidSSL certs and the entire process never takes more than 15 minutes.

cacert.org

[Procyon101]

cacert.org

They have a great concept that should be supported.

Re:cacert.org

[generationxyu]

Actually... cacert.org defeats the purpose of the CA system. It's a kind of pointless system if you ask me, but it's still defeated. If you register with cacert.org, you get a CA cert that isn't trusted by any browser -- much like a self-signed cert. If it gets registered with browsers (probably only Firefox and other open-source browsers), then spammers, phishers, and the like will just use cacert.org and get that nice padlock in the corner closed.

Re:cacert.org

[Wesley Felter]

Of course, SSL does not prevent and was never intended to prevent spamming and phishing; it foils sniffing (which generally doesn't happen anyway).

Re:cacert.org

[forsetti]

While SSL is not intended to prevent spamming, it is meant to prevent spoofing, thereby hindering phishing. SSL is more than just encryption via PKI -- given a proper trust fabric, it can provide proof of identity (via signing), thereby preventing man-in-the-middle attacks (which is the counter-attack to encryption without signing).

If you don't have a proper trust fabric (provided by a commonly trusted CA in the SSL scenario), then all of your encrypted traffic is still vulnerable to a simple MITM attack.

Re:cacert.org

[ericspinder]

then all of your encrypted traffic is still vulnerable to a simple MITM attack.

Only at the very beginning of a website request, when the SSL connection is being validated, and a MITM attack is only workable in a fully compromised network (in that case, a CC number would be 'chump change'). A more realistic exploit is a DNS exploit, where a criminal changes the IP address for well used financial site, and then uses a 'low-trust' cert authority to complete the 'spoof' of a correct SSL transaction

Re:cacert.org

[jrockway]

This post is so misguided I don't know where to start.

It is super easy to compromise a network. Try using ettercap sometime. It will ARP poison the switch, so that your switch port acts as an intermediary for all traffic on the subnet. Once you have that, you can also use ettercap to hijack SSL sessions. I've done this before, and it works great. The user gets the message saying "so and so.com sent you an invalid certificate? pretend that this is meaningless and blissfully send your SSN and passwords

Re:cacert.org

[ericspinder]

This post is so misguided I don't know where to start.

Yet, somehow you did. yeah! good for you.

It also works with SSH and pretty much anything else.

Yes, so then the internet isn't perfect. My 'key word' was REALISTIC exploit. (see next...)

I've done this before, and it works great... Super easy.

On routers and a network you don't own? Just keep talking, and the FBI might just be examining you shortly.

They click yes, the padlock closes, and you steal all their data.

...all the data they send to yo

Re:cacert.org

[Kadin2048]

Although I don't necessarily agree with the GP that CACert.org is useless or that it renders certificates meaningless, I don't think it's wise to be quite so cavalier about ARP poisoning-based MITM attacks.

It's perhaps not something that's as easily done from half a world away like current phishing schemes, but that doesn't mean that it couldn't be employed on any number of semi-public networks. I'm thinking most commercial/residential broadband systems that are shared between clients (cable modem systems).

Re:cacert.org

[FLEB]

It might not be profitable enough or feasable for the usual suspects, but imagine the usefulness of an automated MITM system set up on an open WiFi in some urban area. Combine poor SSL validation with any number of middle-access possibilities (ARP poisoning, as mentioned, WiFi spoofing, or even just "Lookie here, Open Wifi!"), then add in the fact that it takes only a few of the right compromises (a credit card number, or an online bank session key) to open yourself up to a fair amount of credit.

And the FBI

Re:cacert.org

[iluvcapra]

Well, it does foil sniffing, but it is also supposed to give you positive authentication of the HTTP sender, so that if you see "www.ebay.com." in Latin1 in the location bar and a padlock in the corner, you can be certain that you're actually talking to "ebay.com.", and not some guy in Novosibirsk that got some rogue records inserted into your DNS server.

SSL was absolutely supposed to prevent spoofing, which is a major tool in the toolbag of spammers and phishers.

Re:cacert.org

[Lord Ender]

You misspelled "MITM."

wrong!

[coyote-san]

Gah - I have moderator points but there's no "incorrect" flag.

Encryption without authentication is absolutely meaningless. There would be no way to detect a "man in the middle" attack -- anyone with access to the data stream could impersonate the other party and get the complete plaintext stream. Worse, the MitM could almost certainly insert or remove content at will. ("Almost" since it's possible that there's HMAC data at the application layer in addition to the network(?) layer.)

That's crypto 101 material. Any protocol designer that doesn't have MitM attacks as one of his top priorities should go back to his cereal box decoder rings.

SSL contains both strong mutual authentication and message digesting. One or both parties can choose to ignore information, but it's always their choice and they can refuse a connection unless acceptable authentication information has been provided.

Does this directly address spamming and phishing? No... but it guarantees that you can hold somebody responsible for it. That's why the "soft" side of the CA is so important - you're depending on the CA doing due diligence to ensure that 'paypal.com' is who they claim they are, not somebody with a maildrop. Generating and publishing the certs themselves is trivial.

As an aside, "SSL" does NOT mean that you're guaranteed an encrypted channel. A 'null' cipher exists for testing purposes and many administrators never realize that they should specify a minimal acceptable cipher strength. A malicious application or client could attempt to negotiate encryption down to nothing. Some of the other ciphers are only suitable for keeping your kid sister out of your stuff.

Re:cacert.org

[badfish99]

If your "users" are joe public buying stuff from your web site, then you need a commercial certificate that will stop their browsers from displaying a pop-up warning. Any certificate that all (or most) browsers support will be OK, and all of the suppliers smell like a dead fish, so you might as well google for the cheapest.

If your "users" are in any way under your control (e.g. if the point of this is to let your colleages use your intranet web-mail from home, or something like that) then you might as wel

Re:cacert.org

[crush]

CACert.org also adds into the mix the fact that a large number of people will have verified the identity of the person using the certificate and assigned a "trust value" (based on looking at passport, government issued photo id etc). That's a lot more assurance than a simple self-signed certificate. It's the same model as the GPG "web of trust".

Re:cacert.org

[badfish99]

Yes, but for the sort of use that I described, that is irrelevent.

Actually, for commercial use, it is irrelevant also. I don't trust any of the people who have allegedly done this, and I've only got their word that they did any checking. Come to that, I don't trust Thawte or Verisign either.

Re:cacert.org

[Atrus5]

First, I'll agree that, yes, CAcert is not supported by anything I know of. Mozilla finally got its act together and published a policy [mozilla.org]. The ball's in CAcert's court, last I heard; they need to have an audit done.

As I understand it, the point of the system is not to act as a content filter, but simply to establish identity. For e-mail certificates with no name (just the address), they simply send an e-mail probe. For domains, they run a WHOIS and you select one of the e-mail addresses in the registration i

Re:cacert.org

[DA-MAN]

The other big thing is Server Name Indication support and the retirement of SSL2; that will allow multiple SSL certs per IP, removing another costly barrier.

As I understand it, TLS & SSLv3 do not support mulitple virtual hosts on one ip/port. Would you mind providing a link for more info?

Re:cacert.org

[Atrus5]

RFC3546, section 3.1 [ietf.org] specifies server name indication. mod_gnutls [outoforder.cc] has supported it since April of 2005. mod_ssl (bug [apache.org]) is waiting on OpenSSL to make support possible. Opera has supported SNI since 8.0. IE7 has since beta 2 [msdn.com]. Mozilla/NSS/Firefox is ready to go with NSS 3.1.1/Gecko 1.8.1/Firefox 2.0. Konqueror will support it in 4.0 (bug [kde.org]). Safari is the only major browser without support (fresh bug [opendarwin.org]).

Re:cacert.org

[Sancho]

Unfortunately, I was unable to verify their certificate.

I'm not joking. Don't mod me funny. That's not a good thing for a certificate provider.

Re:cacert.org

[Ambush Commander]

Well, if they are a certificate provider, then they should be self-signing. How weird would it be if they were using a Verisign cert?

The real problem, however, is convincing the major browsers to add cacert to their default trusted certificate authorities. Firefox already has a bug for this: https://bugzilla.mozilla.org/show_bug.cgi?id=21524 3 [mozilla.org]

Re:cacert.org

[Sancho]

But this means that every user who visits a site which uses CACert will get that warning. Might as well use a self-signed cert. Your average user will never know the difference.

And even if Firefox gets CACerts root cert installed by default, the other 8/10 users are running IE. Does IE have this cert installed by default?

Re:cacert.org

[Ambush Commander]

I imagine that they would attempt to lobby Microsoft to get themselves included.

Re:cacert.org

[RemovableBait]

It's interesting reading through the Bugzilla comments; it certainly looks to me that the CAcert.org root certificate will probably be included with Mozilla Firefox at some point in the future.

From Frank Hecker, the guy in charge of CAs:

"I'm the person tasked with developing the mozilla.org policy on inclusion of root CA certs, and with approving noot[sic] root CAs for inclusion. ... I have looked over the documentation provided for CAcert, and I approve of including their root CA cert in Mozilla. I'm not

Re:cacert.org

[tendays]

By now you should have understood that writing "this is not funny" on slashdot automatically mods you as funny.

And I am serious, this is not meant to be funny either

Re:cacert.org

[Kadin2048]

I was going to bring them up. I'm not sure though that they satisfy his "stupid user" test, since their root certificate isn't included (to my knowledge) with most OSes or browsers.

If I'm wrong, I'll be very happy; it'll be nice when anyone can get a free certificate that's associated with a root cert that everyone has (although I'm not sure whether this would destroy the whole point of certificates -- then again I'm not sure whether I care).

Simple

[Mullen]

Verisign is the choice since they are the most well known.

Simple, if you customers can't shop on your site because there is some problem with the SSL, they will simply go somewhere else. They won't care about Verisign being evil, they won't care how doing business with them is wrong, they won't care what excuses you could give them. They simply will go somewhere else.

You are in the business of selling, not in the business of being moral and trying to explain it to someone else who may not agree with you. Most non-computer geeks types could give a fuck less on why you think Verisign is evil.

Troll? huh

[tanveer1979]

Looks like people have stopped reading moderator guidelines. "Do not mod based on wether it matches your opinion" But its not followed, sadly. If anybody writes a lame post which goes with the idiology of the mods, its insightful, but you go against it, no matter how true your post is, it will be modded to oblivion. Dont believe me, surf at -1, you will be surprised to see so many accurate, yet politically(slashdotically) incorrect posts. The parent is making a valid point. When you are selling something o

Re:Troll? huh

[Zeinfeld]

Looks like people have stopped reading moderator guidelines. "Do not mod based on wether it matches your opinion" But its not followed, sadly. If anybody writes a lame post which goes with the idiology of the mods, its insightful, but you go against it, no matter how true your post is, it will be modded to oblivion.

That is what metamoderation is for, but quite a few people use that for voting as well. And then there are the people who mod down posts a 'overrated' in the hope the metamods don't catch them.

Re:Troll? huh

[petermgreen]

The point is though that the user should not be told that a self signed certificate is secure either. It should just enable the use of encryption.

this is partly a UI design issue, browser UIs seem to be built arround the idea that ssl=secure with the warnings as an afterthought. Though there is a school of thought that self signed certs on the web should be discouraged anyway as they really give little more than a false sense of security (sure its encrypted but anyone can mitm it).

another thing is, i damn w

Re:Simple

[ericspinder]

Verisign is the choice since they are the most well known.

Joe Six-pack, doesn't know Verisign. He just knows if his browser kicks off a comfirmation box which defaults to 'no'. Besides, some time ago, GeoTrust bought their root certificate from Equifax (you know the 'little brother' who tells on you), so their certificate is called "Equifax Secure Certificate Authority". It's been in every major browser since IE && NS 4,

Re:Simple

[jd]

There might be some validity in that, if it weren't that Microsoft's certs were obtained from Verisign by phishers a few years back. Regardless of anything else, I would NOT be willing to pay a company for a cert that doesn't certify.

Re:Simple

[x2A]

"Most non-computer geeks types could give a fuck less on why you think Verisign is evil"

Nah, I bet you they couldn't.

Thawte, who else?

[Roadkills-R-Us]

When we started out, Thawte was really the only rational choice.

I haven't found any reason to change.

Re:Thawte, who else?

[misleb]

I haven't found any reason to change.

Isn't a Thawte signature like hundreds of $$$ a year? That should be enough to make you want to change.

-matthew

Re:Simple

[Sithgunner]

You just said customer don't care about verisign and whatnot but at start saying take Verisign for being famous...
Why don't you just take the cheaper deal?

Or I still even think customer don't care to click 1 extra step for accepting some verification screen if the web tells you to click and it's safe and the price fits their demand... Why make cost on certificate? Not that they are going to put in a great frame and mail it to you.

Re:Simple

[misleb]

Simple, if you customers can't shop on your site because there is some problem with the SSL, they will simply go somewhere else. They won't care about Verisign being evil, they won't care how doing business with them is wrong, they won't care what excuses you could give them. They simply will go somewhere else.

The problem with Verisign isn't that they are evil. It is that they are EXPENSIVE. There are some very cheap CAs that will be happy ti sign your cert and your customers won't know the differnce.

-mat

Re:Simple

[jzuska]

I 100% agree with this. If it's not your company you can't make moral choices like this. If you cause your biz to lose customers, you're gonna be screwed, and you better have a better come-back than "Verisign is evil." They are the best choice for a corporate CA. Deal with it.

I use Comodo

[Anonymous Crowhead]

http://comodo.com/ [comodo.com]

They were the first company I found selling certs for $50 compared to Thawte which was around $200 at the time. Now we use a wild card cert which costs $449 + $10/server. We use it on 15 servers with 20 or so hostnames (*.url.com) right now. It makes it a hell of lot easier to update and manage only one cert.

We have had no reported problems with browser compatibility.

Re:I use Comodo

[TheDawgLives]

I have used comodo in the past and was always happy with them. I had to add their root cert as trusted on my server, but then all the clients trusted it. I'm pretty sure they are in the default list of truseted CAs now. Their support is very helpful and available shoudl you actually need support. The cert was for secure.ndgi.com. I'm not sure what they use now.

Re:I use Comodo

[schoaff]

I recently bought a wildcard certificate and while shopping saw that some vendors were charging a fee for each physical server, like the pricing you mention, and others had a single price for as many servers as you like. What's up with that? I'm pretty sure I understand how the certificates work, and it's not like the IP addresses are encrypted into it, so why would anyone pay extra to use it on more than one server?

Re:I use Comodo

[Anonymous Crowhead]

Well, it's pretty much the honor system. The certificate does not change if you add servers, you can pay for 1 server and use it on 1000. We pay for roughly the correct number of servers. We're already paying nearly $500 for the cert, why quible over another $1-200 dollars.

Re:I use Comodo

[Anonymous Coward]

My job uses Codomo too, they are a pretty good deal, especially for a wildcard cert (if you're running an ASP, using hostnames like [clientname].domain.com, then this is what you want.

Protip: While you might be wondering about that $10/server charge there, know this: apache 1.3.x (and I suspect 2.x) CAN in fact have SSL vhosts all sharing an IP provided that they all use the same SSL key and SSL certificate Since they all use the same key, the encryption will be negotiated, then the actual vhost to use wi

Re:I use Comodo

[Anonymous Crowhead]

Thanks for the tip, I am going to look into that first thing tomorrow. One thing I hate about using SSL is the unique IP per host requirement. Most of our stuff runs one host name per server, but for some machines with a few extra vhosts, I hate burning up IP addresses just because it's SSL. It's a waste of IPs and more stuff to keep track of - another external to internal map, etc.

I know those gotchas too. If you change anything in an SSL vhost you have to do full restart. There's nothing worse than f

Re:I use Comodo

[DrSkwid]

> Our logrotate scripts now issue "apachectl graceful; sleep 5; apachectl graceful; sleep 10; apachectl graceful", just to be sure

You should rewrite them to do the job properly instead of your clumsy hack. I'm surprised you want to admit such sloppiness in public.

Re:I use Comodo

[oyenstikker]

My company got a certificate from Comodo, and got a cert with a 3 signer chain. It was in okay in IE and Firefox, but not in Sun's JVM. Unacceptable for us. We emailed them, and they got us a new cert, signed by GTE, that was recognized by Sun's JVM in about 6 hours.

Re:I use Comodo

[DA-MAN]

I don't exatly see why another company has to get around a bug in Sun's code, instead of them correcting it...

Who says it was a bug in Sun's code. Maybe the JVM just doesn't trust Comodo, in which case you have a gripe. Why should one pay for a cert that isn't trusted in everything the customer needs????

Re:I use Comodo

[oyenstikker]

You are correct. Sun's JVM does not trust whoever signed the first cert we got. We had specifically told them that we needed it to be signed by somebody trusted by Sun's 1.4 and 1.5 JVMs. They messed up the first time, but were prompt and courteous in fixing the issue.

It seems like _everybody_ messes up the first time nowadays, so I'll take somebody who can fix their problems well.

Sorry

[Spazmania]

If you want a cert that's directly under the root, you buy Verisign. Thawte is Verisign, so you buy Verisign. Their business model is highway robbery but if you need to interact with stupidly broken applicances that's your tough luck.

If you just need to work with any web browser released in the last 5 years, you buy a chained certificate from, well, just about anyone. Godaddy is my preference, but you can use ssl.com or any of the others. I don't recall having a problem checking out with firefox.

Can you trust a self-signed ?

[JohnnyKlunk]

We use a self-signed CA, but being a corporate MS shop we force our CA's certs out as trusted through AD, so there's no difference between certs signed by our CA and certs signed by someone else. For me, it's brilliant. I can certify whatever I need to without having to cough up each time. It's only useful for internal users though. Obviously no good for public sites.

Re:Can you trust a self-signed ?

[imemyself]

I agree, I do that too. I kind of think of it this way - I trust myself (the CA in this instance) a helluva lot more than I trust Verisign, et al. And my users should too (not that they have a choice, since I'm the admin). Its obviously not going to work for an e-com site, but it works quite well for Intranet type stuff, and for when people need to get email/webmail/other web app that they need to log-in to remotely.

Deja Vu?

[edward.virtually@pob]

Wasn't this article previously posted weeks ago? Same answer as then: forget the CA, sign it yourself and make the required user ok of the resulting certificate part of the documented process for accessing your content. The CA system as implemented is just a bit of high tech profiteering. As far back as the 90s they were charging outrageous repeating fees -- and not really doing anything for the money, as the cases of CAs issued to fraudulent companies proved.

Re:Deja Vu?

[The Angry Mick]

Same answer as then: forget the CA, sign it yourself and make the required user ok of the resulting certificate part of the documented process for accessing your content.

We use imaging software (such as Ghost) and include the cert pre-installed in IE's "Trusted Root" and/or Mozilla's "Authorities" on every machine we roll out. Eliminated perplexed users calling about messages they don't understand.

Of course, we're not an e-commerce site, so this is purely an internal solution.

Re:Deja Vu?

[steppin_razor_LA]

That only works for exposing secure content to a small/controlled client base. Implementing your advice on a B2C site would be idiocy.

FYI, IE7 makes visiting a site w/ a non-trusted cert even less palatable.

Avoid Thawte

[Nom du Keyboard]

I would say to avoid Thawte. Every site that has ever tried to install a piece of dodge to just plain unwanted adware/spyware seems to have their content certified by Thawte. To my way of seeing it, when you sleep with dogs...

ev1servers.net = $14.95

[rklrkl]

Cheapest I've seen on the Net is ev1servers.net [ev1servers.net] at $14.95 (about 8.50 pounds for UK folks). It works with almost all browsers, except for users running IE 5.0 or older that haven't upgraded the latest root certificate via Windows Update. What I did is write a script that scanned the access logs for IE 5.0 or older and displayed the percentage of such browsers - when it dipped below 0.1% (which it has already for about half the sites we manage), we switched from Verisign to the ev1servers.net secure cert and saved, wait for it, over 250 pounds per certificate!

Re:ev1servers.net = $14.95

[mongus]

I got a RapidSSL cert through EV1Servers about a year and a half ago. It worked on every browser I tried - not a single problem.

Now if you really want to spend 13 times as much for a Thawte cert that functionally does exactly the same thing go right ahead. I prefer to keep the extra $184.05 in my pocket.

Comment removed

[account_deleted]

Comment removed based on user account deletion

security requires a good verification process

[kurtdg]

I don't know about VeriSign, but Thawte does a real investigation before issuing a code signing certificate. They look up government documents, require you to send over company documents, call your notary, CEO, president of the board, things like that. If I recall it well, the first time it took about two weeks or so. If they say you're you, you are.

Renewal, OTOH, is much easier. Basically you just click the buy renewal button and hand over the money.

Best deal I've found

[Phroggy]

Start with FreeSSL [rapidssl.com], a real cert that's valid for one month for free.

Then move on to Simple-SSL.com [simple-ssl.com], $35 for two years or $44 for three years. Both certs are from RapidSSL.com [rapidssl.com] (aka GeoTrust, but I've never seen spam from them), so they work in all the browsers most people care about, but Simple-SSL.com is much cheaper than RapidSSL.com even though it's exactly the same product.

"RapidSSL.com certificates are compatible with IE 5.01+, Netscape 4.7+, Mozilla 1+, AOL 5+, Firefox, Safari and many newer Windows and Mac based browsers and are single root install certificates (they do not use chaining technology), meaning that they are compatible with SSLv2 and SSLv3."

By the way, if anyone knows how to add additional certificates to a Motorola v551 mobile phone, please let me know...

Re:Best deal I've found

[O]

By the way, if anyone knows how to add additional certificates to a Motorola v551 mobile phone, please let me know...

Check around HoFo [howardforums.com] -- I'm sure you'll fine information there. It's probably just a matter of downloading the cert in the proper format (DER, PEM, whatever) in the built-in browser. Use openssl to convert formats if needed.

GeoTrust was bought by VeriSign last month

[maggard]

The new was made public 1 month ago with the announcement that almost all of GeoTrust's staff were being let go in a few weeks, VeriSign was the new owners and were gonna consolidate operations.

GeoTrust is still in business right now, I know for a fact that they've got salesfolk answering the lines and their product lines haven't been shut down so as far as a certificate goes they're still as good as they were a month ago. And those certificate chains are a valuable asset and will no doubt be maintained indefinitely. However the package and pricing will likely change as VeriSign moves yet more solidly into the number 1 (and 2, and 3) spot.

Any regulation of this?

[bill_mcgonigle]

However the package and pricing will likely change as VeriSign moves yet more solidly into the number 1 (and 2, and 3) spot.

Hmmm, and I thought I had found a decent non-Verisign company. I wonder when these acquisitions qualify as anti-competitive.

Certificate Authority Market Share Report

[Onymous Coward]

This list might be of use:

http://www.securityspace.com/de/s_survey/data/man. 200603/casurvey.html [securityspace.com]

Popularity does not equate to quality or value for price, but it often well correlates to it. At least you could use this as a starting point for investigation.