Choosing an SSL Provider?
An anonymous reader writes "I have recently been tasked with switching our SSL certificate provider and it's proving not to be easy. We use an internal authority for our own stuff and then we buy certificates to protect outward-facing sites (a lot of them). My question for this community is: How do you choose a certificate authority to use? There is price, service (why we're leaving our last vendor), warranty, and products offered as the only differentiators I can find. Is there any public resource that would show me actual customer reviews of CAs like Verisign, GeoTrust, Comodo, Trustwave, and DigiCert? Our last vendor did a really poor job with support and I would like to make a reasonably educated decision."
RapidSSL is your friend (Score:5, Informative)
If you're just after a basic root cert, RapidSSL(Equifax) is your best bet. If you need the stronger, blood-of-your-first-born cert, Verisign is the place to go.
Regards,
Re:RapidSSL is your friend (Score:4, Informative)
Usually they are 1024 bit RSA with SHA-1 signing (80 bit). These are deprecated by NIST for use past 2010.
MS don't support SHA-256 signatures in XP, until SP3, which explains some of the delay in rolling out stronger roots.
Re: (Score:2)
depends on devices... (Score:5, Informative)
Re:depends on devices... (Score:5, Insightful)
Still secure but because Verisign obviously has a hand in the mobile distribution market, no one else is 'secure'.
I see it as the losers are the Motorola users tied to Verisign only certs.
Re: (Score:3, Informative)
Nope. RapidSSL is a brandname of Geotrust (which in turn is a brandname of Equifax). Geotrust also offers QuickSSL Premium certs, which are signed with the standard Equifax Secure CA root certificate, which, to my knowledge, is distributed with all mobile devices currently on the market.
The pricing for QuickSSL Premium certs is not much different from the bigger vendors, but the service we've gotten so far from Geotrust is excellent, and their simple no-nonsense verification systems means we get to deploy
Acquired by Verisign (Score:2)
For what it's worth, this whole article is a dupe [slashdot.org] from 2006.
Re: (Score:2)
Compatibility is relative to browser capability though, in that newer more powerful phones with better browsers will have more certs. So if you are building an app for a specific phone or group of phones, just pick the cheapest common denominator.
GeoTrust QuickSSL Premium would probably be the cheapest if compatible. Not to be mistaken with the normal non-premium cert.
What sort of support do you need? (Score:5, Interesting)
1) You make a cert request. Pay Money.
2) They verify your identity.
3) They sign your cert request and return it as a signed cert.
It's not like you can upgrade a v3 cert to v3.1.
Re:What sort of support do you need? (Score:5, Informative)
Re: (Score:2)
How do you support a cert? They're pretty much set once delivered.
Typically that is true. However when we tried an EV-SSL chained certificate, it wouldn't recognize the trust chain and caused all sorts of problems. We tried dealing with the support people, but they were very unhelpful and would only deal with us over email. Since they appeared to be in the UK (and we in the US), it was very frustrating in dealing with them. In the end we gave up and went back to a root certificate.
I have had customers having this problem. I only supply higher key strength certificates. Your problem was likely due to the higher key strengths and MAC sizes being unsupported by Windows/IE. I can throw a 2048 RSA, SHA256 cert at Firefox and it will validate the chain, but IE will not.
It tends to get even messier if you have ECC certs.
Re: (Score:2)
Re: (Score:2)
I saw a reply to you, where they were talking about the chain cert. As long as you're not chaining, it's a piece of cake.
I've helped a few people with their chained certs. Sometimes THAT is a pain, because sometimes you have to BEG for the intermediary cert.
I've been buying cheap certs for years for a few things I do. Give the credit card, then drop an email to something resembling administrative at your domain, and then you get th
Re: (Score:2)
In the past I've dealt with Verisign and Thawte in the days where they wanted to see bank statements and such like - certificates then could take days or weeks to arrive. These days I'd only expect that to be the case with EV-SSL certs.
I'm not clear what the issue the original poster is having. All the providers I've used in recent years have provided detaile
Re: (Score:2)
Re: (Score:3, Insightful)
Support? (Score:2)
Re: (Score:3, Insightful)
Depends on priorities (Score:3, Insightful)
It sounds like service is pretty high up on the list. What about price?
There is everything from CACert.org, which offers free certs, but support is limited to the community it serves, to budget providers to full-service providers like Verisign.
Do you need more than just a few certificates? Do you need someone to be available 24x7 for phone support or is e-mail support good enough? What do you need?
Like anything else in life, you decide based on what your needs are and how well that, in this case, a particular CA fits your needs.
Re:Depends on priorities (Score:5, Informative)
Impression (Score:4, Informative)
Re: (Score:2, Insightful)
I've thought for a long time that the answer to this problem is competition. What bugs me is why government hasn't gotten into the act. The purpose of an SSL certificate is to verify that the entity who owns the server you're communicating with
Re: (Score:2)
Re: (Score:2)
SSL Monopolies, SubCAs, PKI use, and supply/demand (Score:3, Interesting)
In other words, I think the idea was probably that ISPs or other organisations would purchase bigISP.com certs, that allowed them to be certificate authorities too.
Then, an ISP's customers could go to THEM for certs. The customer's site cert would be signed by their CA; the ISP, and the ISP's in turn would be signed by the big names.
I think that does work. If so, then the problem is almost
Re:SSL Monopolies, SubCAs, PKI use, and supply/dem (Score:5, Insightful)
What you describe does work, though it gets annoying.
Basically, when your server negotiates SSL with the browser, it has to provide all the certificates in the trust chain that the browser doesn't have. So, bigISP.com has a certificate signing certificate from VeriSign, and signs a Web certificate for your company. Any time an SSL request comes in, your server has to present its public certificate and the public certificate of bigISP.com's signing certificate. The browser already has VeriSign's public certificate signing certificate.
So, it's kind of like DNS resolution, where you have to "know" the root server, and then can build a chain down to get the actual name server to ask. But, in this case, you need a trust chain of signed certificates. With one or two layers, it's not _that_ big a deal...
The real downside is maintenance. Each layer has its own expiry, and you have to re-establish the chain whenever a certificate in it expires. That means new private certs and updating the public certs that are sent with the SSL transaction.
If, instead, your certificate is signed by a certificate for which there is a public key pre-loaded into the browser, you only have 1 certificate to update when it expires or when the signing certificate expires.
I use a self-signed certificate signing certificate for my home systems and for my department's SSL servers at work. But there's a very limited number of people who are supposed to access those servers, so they can be given the public signing certificate by hand. And even then, I wind up on vacation and unable to get to my IMAPS server because I forgot the signing certificate is going to expire on me....
So, keeping the chain short is actually worthwhile, just from a maintenance perspective.
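The two posts above describe the same flow from both ends: the three-step "request, verify, sign" issuance in "What sort of support do you need?", and the chained deployment where the server must send every intermediate the browser lacks and every link has its own expiry. The following Go program is an added illustration, not code from this thread or from any CA: it stands up a constructed root ("Example Root CA"), an intermediate playing bigISP.com, and a leaf for the constructed host www.example.com issued from a CSR, then shows that a browser trusting only the root validates the leaf when the intermediate is sent and rejects it when it is not, and that the chain's effective expiry is the earliest NotAfter across all links.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey makes a throwaway P-256 key; constructed material, not real CA keys.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// caTemplate describes a CA certificate with the given lifetime.
func caTemplate(cn string, serial int64, life time.Duration) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(life),
		KeyUsage:              x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
}

// sign issues tmpl under parent using parentKey and returns the parsed cert.
func sign(tmpl, parent *x509.Certificate, pub interface{}, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// Chain holds the three links of the constructed hierarchy.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// BuildChain: the root (VeriSign stand-in) signs the bigISP.com intermediate,
// which then issues the customer's leaf via the request/verify/sign steps.
func BuildChain(host string) Chain {
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	rootTmpl := caTemplate("Example Root CA", 1, 10*365*24*time.Hour)
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	inter := sign(caTemplate("bigISP.com Issuing CA", 2, 2*365*24*time.Hour), root, &interKey.PublicKey, rootKey)

	// Step 1: the customer makes a cert request with its own private key.
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
	}, leafKey)
	if err != nil {
		panic(err)
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		panic(err)
	}
	// Step 2 (the cryptographic half of "verify"): the CSR signature proves
	// the requester holds the private key; identity vetting is out of band.
	if err := csr.CheckSignature(); err != nil {
		panic(err)
	}
	// Step 3: the CA signs a certificate built from the request and returns it.
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      csr.Subject,
		DNSNames:     csr.DNSNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return Chain{Root: root, Intermediate: inter, Leaf: sign(leafTmpl, inter, csr.PublicKey, interKey)}
}

// Validates acts like a browser that only trusts the root and is given the
// extra certificates the server chose to send alongside its leaf.
func Validates(c Chain, host string, sent []*x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.Root)
	for _, ic := range sent {
		inters.AddCert(ic)
	}
	_, err := c.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err == nil
}

// EarliestExpiry is when the whole chain stops validating: the minimum
// NotAfter over every link, so each layer's expiry has to be tracked.
func EarliestExpiry(c Chain) time.Time {
	earliest := c.Leaf.NotAfter
	for _, cert := range []*x509.Certificate{c.Intermediate, c.Root} {
		if cert.NotAfter.Before(earliest) {
			earliest = cert.NotAfter
		}
	}
	return earliest
}

func main() {
	c := BuildChain("www.example.com")
	fmt.Println("leaf + intermediate sent:", Validates(c, "www.example.com", []*x509.Certificate{c.Intermediate}))
	fmt.Println("leaf only sent:", Validates(c, "www.example.com", nil))
	fmt.Println("chain expires:", EarliestExpiry(c).Format(time.RFC3339))
}
```

The second `Validates` call is the "trust chain not recognized" failure mentioned earlier in the thread: the leaf is perfectly valid, but without the intermediate on the wire a client that only ships the root cannot link them, so the fix is a deployment change, not a new certificate.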
Re: (Score:2)
SSL (Score:3, Informative)
There was one year where we wanted to try the EV-SSL. We decided to go cheap and went with Comodo. Big mistake. It didn't work, and after dealing 2 weeks with the support people there, we gave up and went back to Geotrust. They would only talk to us via email and were generally very unhelpful. I'm not saying that is what everyone experiences, I'm simply stating our own.
Re: (Score:2)
We used them as well. Price was the main thing - we did a "bulk" type plan since we were trying to get a hold on all of our rogue cert purchasers. We also got a decent portal out of them to expedite certs for any pre-vetted domain.
Re: (Score:1)
Rapid SSL Wildcard (Score:5, Informative)
Re: (Score:2)
Buy a real SSL cert, with location info (Score:4, Insightful)
Buy a real SSL cert, one with "Location" (L field) information and a real business name (not a domain name) in the "Organization" (O field). Avoid those cheap "Instant SSL" "Domain Control Only Validated" certs.
At SiteTruth [sitetruth.com], we consider the low-end certs worthless. They don't provide any information about who you're dealing with. We encourage other developers of certificate-validation software to take a similar position. You don't want to input a credit card number to a site with a "domain control only validated" certificate. "Domain control only" validated certs are enough for logging into a blog, perhaps, but not more than that.
Re:Buy a real SSL cert, with location info (Score:5, Insightful)
Re: (Score:2)
Identity can, and has, been validated in the same fashion as EV-SSL certificates for a fraction of the price in the past. If they wanted to establish identity they could, and for less than an EV-SSL cert costs at present.
Re: (Score:3, Insightful)
I certainly do - my first SSL cert from Thawte cost a fraction of the $900 an EV SSL certificate costs from them, and required utility bills, bank statements etc to verify my identity.
Identity can, and has, been validated in the same fashion as EV-SSL certificates for a fraction of the price in the past. If they wanted to establish identity they could, and for less than an EV-SSL cert costs at present.
In other areas of business, certificates of higher cryptographic strength go for less than $0.04 a cert in bulk. The processing time for a signing system using a modern processor and a HSM is less than 1 second. To maintain the old prices is daylight robbery.
Re: (Score:2)
If you look at Godaddy's middle cost cert it says:
Verifies domain name and domain name control, identity of requesting person or company, and authority to make request.
This is exactly the same as an EV cert except a browser will turn the address bar green if it detects the EV bit. They could easily do this with a regular SSL certificate that has more than just the domain name. If you're a CA you should be validating all the information put in by the cust
Re:Buy a real SSL cert, with location info (Score:5, Insightful)
And the main reason we pay for one is so we get one the browser recognizes without throwing up a prompt about unrecognized certs that might be off-putting to a customer.
How many site visitors really look at the cert? Or care whether it's got a company name or more. How many even KNOW there are different levels of cert? For most either the 'lock icon' is there or it's not. They don't -check- the cert, or even know how?
Re: (Score:2)
I thought the main point of a SSL cert for most people was session encryption.
And the main point of an SSL cert that isn't self-signed is to keep ISPs between the browser and the server from acting as a man in the middle and intercepting all communication. If you have some other reasonably secure infrastructure for distributing software to your customers, your company can distribute its own root cert for customers to install, leaving VeriSign and all the CAs it has acquired out of the loop.
Re: (Score:2, Interesting)
So _public_ users don't get a pop up prompt.
Nobody really gives a damn about the "other stuff" (e.g. real security, and even if users get a pop up, more than half the time they'll just click through
After all when CAs like Verisign issue "Microsoft" certs to non-Microsoft people[1], and lots of sites still use Verisign (who are already known for _intentionally_ doing very dubious stuff), where's the security?
I
Re: (Score:3, Insightful)
Re:Buy a real SSL cert, with location info (Score:4, Insightful)
The point of the encryption is transport layer security and privacy. The point of the certificate is TRUST. Having an encrypted session makes no difference if you are communicating with an impostor.
The prompt about unrecognized certs certainly SHOULD off-put the customer; it's likely to be that customer's only warning that the party on the other end of the connection isn't who it claims to be.
Re:Buy a real SSL cert, with location info (Score:5, Insightful)
No. Think solely in terms of the average web user.
The point of the encryption is transport layer security and privacy.
Right. And that's what the average user is interested in when they see 'secure login', the lock icon, or the https prefix. I don't think most users even know that https is guaranteeing WHO they are talking to at all.
The point of the certificate is TRUST. Having an encrypted session makes no difference if you are communicating with an impostor.
That's true. But beside the point. From an engineering perspective, yes, the reason for the cert is trust, and the signing chain to root CA's etc establish a chain of trust.
But in practical terms, the average user doesn't have the foggiest idea what this all means.
So as a website developer looking to satisfy customers demands, I might want to provide seamless encryption which the customer understands and wants; so I need an SSL cert because the browsers don't support seamless encryption without one. And the customer gets what they demand.
They also get some 'trust', but it's a side effect of the good engineering that went into the system. The customer doesn't actually -check- the cert and verify who they are talking to. And if someone sent them a phishing email pointing at 'bankotamerica.com' instead of 'bankofamerica.com', as long as bankotamerica.com has at least a domain only cert that their browser accepts, and their lock icon comes on, they'd be satisfied.
Re: (Score:2)
And us techies are to blame for not educating users on using https to begin with. When I ask techs whether they instruct/remind people about https, they write the users off as too stupid... but when I ask when was the last time they tried, the answer is 'I just don't' or 'don't remember' which I uncharitably interpret as NEVER.
Sadly, most techs (incl. CNEs and
Re: (Score:2)
Depends entirely on the reason you're putting together a cert. Cert's on web services are much more than just for encryption, they are the primary means of secure verification. Verizon, for instance, will only accept Verisign Certs for their automated repair services and the cert information has to match what was sent to Verizon in the setup process.
Re: (Score:2)
Re: (Score:2)
Well, that depends upon whether or not you want me as a customer. I look at the cert. Will not buy anything from a site with a CA I don't trust. I might not make a dent in your sales, but I am often asked to recommend sites for friends, family, not-for-profits, and small businesses.
End of the day, the cost of losing you and your referrals isn't likely to cover the annual cost of the 'better' cert.
Come back when you've educated enough people that it matters. Better still, educate so many people that domain-only certs go the way of the dodo and the economies of scale drive down the price of better certs...
Win-win for everyone then.
Re: (Score:2)
Re: (Score:2)
You know what? All those paperwork hoops CAs make you jump through are useless. The cert only verifies the identity of the server, none of that paperwork is reflected in the actual certificate itself. And your CA only has to take your word for it that all those papers belong to a legitimate business.
The paperwork is security theater, to justify the higher price. For the purpose of an SSL cert, to certify that a particular FQDN belongs to a particular server, domain-control checks are sufficient.
Mart
Re:Buy a real SSL cert, with location info (Score:5, Insightful)
those that error,
those which display a padlock
and those which make the address bar go green in their crappy browser.
Re: (Score:2)
What's that? "...no??"
Re: (Score:2)
Re:Buy a real SSL cert, with location info (Score:5, Informative)
Re: (Score:2)
That site has the address only on the "AUP" page, an unlikely place for a user to look for it. SiteTruth checked the "Contact" page, and didn't find it there. We look at about forty keywords ("contact", "about", "office", "address", "site map", etc.) likely to lead to an address, much as a user would.
The site does have an SSL certificate, but it's from StartCom, a relatively new root certificate authority, and we don't have them listed as a valid root CA. Now that Firefox is accepting them, we should s
Re: (Score:2)
Updated the root CA file on the SiteTruth servers to the Mozilla version of April 7, 2008. SiteTruth will now recognize StartCom-issued certs.
Now we get:
This certificate identifies the domain only, not the actual business.
Domain www.roysdon.net
It's one of those low-rent "domain validated only" certs.
Re: (Score:2)
So, I would say you should add a "yellow" caution "!" option, just as you have a yellow "?" option (instead of red stop, don't proceed) that says, "Verifies Domain-only, often used for personal-use, not owner of website - Don't trust for financial transactions".
The SSL cert is totally legit and there is nothing wrong with it and how it is being used. The personal
Re: (Score:2)
If you add the address to the contact page, SiteTruth should pick it up in 30 days or so. The whole point of SiteTruth is to associate a business name and address with a web site. Any site that's even vaguely commercial should have a clearly visible business name and physical address. In some jurisdictions that's required by law. We're trying to make a dent in the "on the Internet, no one knows if you're a dog" problem. Which, after all, was what SSL certificates were originally supposed to be for - vali
Re: (Score:2)
Https verifies the domain-based, Internet 'who', which is the important (and the most semantically verifiable) aspect of a server's identity. Real-world addresses are actually more ambiguous and wouldn't matter anyway unless you have a penchant for entering sensitive info on sites you've never heard of before.
Re: (Score:2)
I don't think anyone actually uses SiteTruth anyway.
Re: (Score:2, Informative)
Re: (Score:2)
It depends on your needs but (Score:2, Informative)
Re: (Score:2)
Simply use a lock favicon for your website (Score:4, Funny)
Re: (Score:2)
Seriously what a torrent of bullshit. Certs are encryption keys, and the rest is just marketing.
Users don't even care so long as there is a padlock on their browser. The danger of this "money can buy trust" idea is that it just leads to escalation. If a yellow padlock is all too common and can be bought for $5.99 then next you will need a green tick that proves among other things that the company has given at least $999 to verisign.
I rate the firefox invalid ssl cert warning as insightful, and
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I don't hate VeriSign because they have a license to print money.
I hate them because their boundless greed seriously damages all
our efforts to educate joe sixpack about what is a "secure website" and
what is not.
No kidding, they're charging a thousand bucks for a cert that turns
your address bar green in some browsers. What's next, $2000 for a purple address bar?
$3000 for color of my choice? $10000 for a
VeriSign wants joe-sixpack
Re: (Score:2)
Re: (Score:2)
I get emails every other day trying to persuade me that they are from Natwest Bank or Halifax Bank and I should visit their site to enter my security details. This is a major problem, and that's why we have these error pages.
Re: (Score:2)
Digicert all the way (Score:3, Informative)
Re: (Score:2)
Your old provider (Score:2)
go with (Score:2)
SSL Shopper (Score:5, Informative)
Re: (Score:2)
It used to be on Wikipedia, [wikipedia.org] but it looks like someone removed it. [wikipedia.org]
It's a wash (Score:2, Insightful)
Thawte (Score:4, Informative)
Re: (Score:1)
Thawteweft? (Score:2)
Re: (Score:2)
Re: (Score:2)
We use three different providers (Score:1, Informative)
Client Facing
We use Verisign [verisign.com] for anything a client will interact with since we can use the Verisign Secured Seal [verisign.com] on any web content on our site. Our studies have shown a percentage of our users actually know of the Verisign secured logo and it helps to assure them of the security.
Non-client Facing
We use Thawte [thawte.com] certificates since these are much cheaper than Verisign, and are fully compatible with most browsers/mobile devices.
QA/De
Cheapest non-intermediate certs (Score:2)
If I have a multi-million dollar e-Commerce site, I'd use an EV cert from a VeriSign or similar company. For the other 99.99999% of uses, it'll be the cheapest certificate that is signed by a trusted root in the IE, FF, and Safari browsers. Don't care if it's domain validation only, as long as it works.
RapidSSL has been good for price, root signing, and the wildcard certs work we
$$ vs requirements (Score:1, Informative)
Godaddy. And, SSL use will increase. (Score:3, Informative)
The cert auto renewed and I wasn't expecting that, but a ticket to their support center and I got it canceled and refunded. So pretty good service I think.
But watch out. The more that ISPs start filtering content, and the more that governments increase monitoring and censoring data on the web... you're going to see rising demand for SSL certs and rising instances of the, pay more money for a green url bar nonsense.
The SSL providers are trying to sell you on the idea that it's the cert that makes the site trustworthy. Meanwhile, all you really need the cert for is the encryption.
IE7 has succeeded in making shared certs utterly useless. Too bad for the little guy who was using the shared cert provided free from his hosting company, because you can no longer use it without an enormous frightening message from the browser.
Look for more of this to come.
Re: (Score:2)
You need both the encryption and the knowledge that the site on the other end is the one you intended to converse with.
One without the other isn't worth much.
May I ask ... (Score:2)
Re: (Score:3, Informative)
Mod parent UP please (Score:2)
StartCom - Free SSL (Score:2)
Godaddy (Score:3, Funny)
Verisign - my experience (Score:2)
Geotrust QuickSSL Premium (Score:2)
GoDaddy (Score:2)
1) Cheap ($30/year for one cert, $200/year for wildcard)
2) Super Bowl Spokesperson has huge tracts of land.
The drawback is that you need a CA cert - but if this is a problem then you should probably find a new line of work.
Comodo is Nice (Score:2)
Re: (Score:2)
You send the client your public key, and encrypt traffic with your private key for them to decrypt with your public key...
Before decrypting, the client checks your public key against the CA to see if your public key is correct and valid, and for the domain they requested.
Your private key is yours and yours alone, if you give it away, you've given out the keys to the store.
-ellie
Re: (Score:2)
Re: (Score:2)