Cheap SSL Certificates for Small Websites?
zaqattack911 asks: "In the workplace today it is becoming more and more common for everyday applications to be accessible over the web. Just about all the booking and tracking systems at my job are handled via web-apps these days. Along with this trend is the increased need for secure transactions over the web. Just about all of the apps on my webserver are going to be SSL only. Some of them are for internal use only, some for the outside internet to use. Is there a cheap alternative to getting your certificates signed? Self-signing my certificates works of course, but just about all browsers make a big fuss about it. Verisign asks for about $400 initially, and $300 to renew a certificate every year. This seems like a scam to me, and I'd love to know if anyone knows of alternatives out there. Is there a way to get around the certificate signing business? I looked at a company called RSA Security which allows a company to 'self sign' and use their accepted signature. The website doesn't mention the price, and I'm sure it's not very affordable. What else is there?"
Self-sign (Score:0, Insightful)
Re:Comodo - $49 (Score:1, Insightful)
Are there actually limitations on that free cert? E.g. are you required to buy the 'real' cert? In other words, is it a 'get 3 months free if you buy one year' scam?
Re:It's not as much of a scam as you think. (Score:2, Insightful)
knowing your social security number does not make me you. it makes me someone who knows your social number. nothing more. nothing less.
while a lot of people seem to think they know the mechanics of cryptography pretty well (and probably do), there still seem to be a lot of people who aren't really in the habit of thinking where security supposedly comes from in any given scheme.
Re:Thawte (Score:1, Insightful)
Last time I looked it was $125 first time, $99 renewal.
Greedy mother fucking bastard cum-lapping whore dicks.
I guess it suddenly became more expensive to take your money.
Government and more flexible signed assertions (Score:5, Insightful)
We just need a trusted authority (for certain definitions of 'trusted' and for the definition of 'authority' that is ubiquitously recognized instead of decided by the highest bidders in the browser wars) to make digital assertions.
You'd start with certifying identities: my state might sign a certificate certifying my name, maybe driver's license number, perhaps address and even a photograph. I should now be able to sign e-mails with this, independently of my e-mail address. The resulting signed message could carry whatever signed assertions I wanted to put on it. (Probably my name and maybe my photograph.) I can't forge these, because these components are signed by the state in connection with my identity. A posting to a self-help group might just assert my identity in the form of a photograph and an unsigned nickname.
Taking this a step further, I should be able to use this ID to sign other things, even web sites. This will require changes to the way users perceive an "authenticated" web site. If I go to a bank at www.example.com today, they have a certificate that basically states "www.example.com is Example Bank, and their identity is certified". What my own signed web site might assert is "www.example.com is Joe User". User agents need to give more weight to the name here and less weight to the fact that the domain name matches what's in the certificate.
Extend this now to corporations. When a corporate charter is created, a digital ID for that corporation is created along with it and signed by the state of incorporation. That corporation can now sign assertions like "Joe User is the CEO of Example Corporation".
So now, when Joe User sends an e-mail, he can include this information:
Some of these concepts will require a re-thinking of the way we approach authenticated online identities. We need to stop placing so much importance on online identifiers (like domain names and e-mail addresses) and start paying attention to who is making those assertions. I can sign an assertion stating that my e-mail address is 'joe@example.com', but unless that's really my e-mail address, it's not going to do anyone a whole lot of good. If I go around forging e-mails from joe@example.com and including that signed assertion, everyone should be able to take one look at that and say, "Who the hell is this guy claiming to be joe@example.com?". Only the guy with the certificate stating the assertion that he is "joe", signed by "example", signed by a valid registrar for ".com" would be able to say that with any authority.
A lot of this can be done today with signed/encrypted XML [w3.org], provided we have a common framework to start sharing the assertions.
Big Fuss? (Score:2, Insightful)
-Bill
Re:No Real Options, Sorry (Score:3, Insightful)
Anyone know what it would take to be included in the major browsers default certificate list?
The certificate 'business' is a scam for 3 reasons (Score:5, Insightful)
But what if I'm offering a free service, which nonetheless requires that my users have absolute trust in their browsing security? What if I'm running a nonprofit organization? If the CAs were truly interested in security, they would offer a low-cost alternative for people who are offering free services, and perhaps a free certificate for non-profit organizations.
You may point out that I can now get a cheap certificate for $50. While this is true, the low price of certificates these days is the result of market pressure. These guys aren't lowering their prices out of the goodness of their hearts, or to help Joe Q. Webmaster who wants a secure website. They're doing it only in response to competition.
2) 'Wildcard' certificates cost an absurd amount of money, usually $500 or more.
Excuse me? The entire premise of the certification, is that Thawte (or VeriSign, or whoever) is certifying my trustworthiness as an organization. As such, it shouldn't matter whether I have one, ten or a hundred DNS names associated with my website and with my organization. By forcing you to buy separate certificates for your web server's DNS name, your mail server's DNS name, your LDAP server's DNS name and others, they are extracting even more money from your wallet. Even if all my services are hosted on the same machine, I must pay hundreds of dollars extra for the privilege of giving them separate aliases. The only other alternative is to host all of my services on one machine, under one DNS name. Thank you so much, VeriSign, for sticking your nose into my system administration.
And, finally,
3) VeriSign, the biggest fish in the pond, has demonstrated on more than one occasion that it is in fact not trustworthy.
Remember the incident involving a falsely-issued code signing certificate for Microsoft? That's right! This supposed paragon of trustworthiness gave some unknown cracker free rein to masquerade as the largest software company in the world. If they're that damned vulnerable to simple social engineering...then why did I pay them $200 or more, again? What exactly were they certifying?
From the start, the entire digital certificate business has been about politics and moneymaking, nothing more. It's a pity that we're forced to live with it.
Where is the opensource SSL community? (Score:5, Insightful)
What is the meaning of this ssl certificate?
It's less than 1 kilobyte (remember this term from the 80's?) and it's stored on a so-called certified system so they can check if the certificate is true.
The whole secure web server could be corrupted with a dozen of exploits by missing only a couple of security patches.
I mean this whole thing does reek of greediness.
Shouldn't the open-source community bring out their own SSL certificates? The open-source browsers should neglect the standard certificates, since they don't mean anything anyway.
The certificates that are accepted by opensource browsers are the ones that are certified by a nonprofit organisation, the only way to be recognised by the browser is that the database of this organisation is sure that the server is maintained well.
What are you paying for otherwise?
DRM -- You nailed it (Score:5, Insightful)
These bastards are pure evil.
Why they're cheaper (Score:2, Insightful)
They've also done some innovative technology, but their basic raison d'être was to sell certs for a low price, since the cost was also low.
becoming a CA? (Score:2, Insightful)
Whose government? (Score:1, Insightful)
Do try to remember that some of us don't answer to Uncle Sam.
A Scam (Score:2, Insightful)
I know you're paying to prove you say who you are, but what's the big deal here anyways? To me, certs are more about encryption than a form of digital ID.
The 'Certificate Authority' is just another scam to monopolize, to a certain extent, encrypted digital transfer of data. If my cert is OpenSSL with myself as the signing authority, the cert is no less or more secure than an 'official' certificate. And even if the site/program is signed by authority, that does not mean you are not being cheated in some way by the issuer.
Blablah, I call for a grass-roots movement demanding the power to self-sign code and sites etc... Who's with me??!?
-- iie1195
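Two threads above keep coming back to the same mechanics: iie1195's point that a cert signed by your own OpenSSL-run authority is cryptographically no weaker than a commercial one (the difference is only whose root the client trusts), and the earlier complaint that separate DNS names mean separate certificates. The script below is an added example written for this page, not code from any poster: it runs a throwaway private CA with the openssl command-line tool, issues one server certificate covering several internal hostnames via subjectAltName, and then checks it the way a client would, once against the private root and once against an unrelated root, which is exactly the "big fuss" a browser raises when the issuing root is not in its store. It assumes an openssl binary (1.1.0 or newer, for -verify_hostname) on PATH; all hostnames, subject names and file paths are made up.

```shell
#!/bin/sh
# Added example: a minimal private CA with the openssl CLI (assumed: openssl >= 1.1.0).
# Every name and path here is constructed for illustration.
set -eu

# Scratch directory for keys and certificates (override with WORK=/some/dir).
WORK="${WORK:-$(mktemp -d)}"

# make_root_ca LABEL "Subject CN": create a self-signed root certificate.
# This is the organisation's own trust anchor; clients must install it.
make_root_ca() {
    label="$1"; cn="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=$cn" \
        -keyout "$WORK/$label.key" -out "$WORK/$label.crt" 2>/dev/null
}

# issue_server_cert ROOT_LABEL HOST [HOST...]: one server certificate whose
# subjectAltName lists every hostname given, signed by the named root.
# The certificate files are named after the first hostname.
issue_server_cert() {
    root="$1"; shift
    primary="$1"
    san=""
    for h in "$@"; do
        san="${san:+$san,}DNS:$h"
    done
    # Server key and certificate signing request.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$primary" \
        -keyout "$WORK/$primary.key" -out "$WORK/$primary.csr" 2>/dev/null
    # Modern clients match hostnames against SAN, not the CN, so it must be set.
    printf 'subjectAltName=%s\n' "$san" > "$WORK/$primary.ext"
    openssl x509 -req -sha256 -days 365 \
        -in "$WORK/$primary.csr" \
        -CA "$WORK/$root.crt" -CAkey "$WORK/$root.key" -CAcreateserial \
        -extfile "$WORK/$primary.ext" \
        -out "$WORK/$primary.crt" 2>/dev/null
}

# check_cert CERT_LABEL HOSTNAME TRUST_LABEL: validate the chain and the
# hostname against a given trust store. Prints "trusted" or "untrusted" and
# always returns 0 so callers can compare the result under set -e.
check_cert() {
    cert="$1"; host="$2"; trust="$3"
    if openssl verify -CAfile "$WORK/$trust.crt" -verify_hostname "$host" \
            "$WORK/$cert.crt" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# Demo: our root, a second unrelated root (standing in for a browser's store
# that does not contain ours), and one cert for two internal hostnames.
make_root_ca root "Example Internal Root CA"
make_root_ca other "Some Unrelated Root CA"
issue_server_cert root intranet.example.com booking.example.com
echo "intranet, our root:      $(check_cert intranet.example.com intranet.example.com root)"
echo "booking, our root:       $(check_cert intranet.example.com booking.example.com root)"
echo "mail (not in SAN):       $(check_cert intranet.example.com mail.example.com root)"
echo "intranet, foreign root:  $(check_cert intranet.example.com intranet.example.com other)"
```

Run it as-is and the four lines come out trusted, trusted, untrusted, untrusted: the same certificate is accepted for both listed names, rejected for a name it does not cover, and rejected outright by a client whose trust store lacks the private root. Distributing root.crt to the internal machines is what turns the last case into the first; for hosts on the public internet that step is not available, which is the gap the commercial CAs sell into.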