Slashdot Mirror

To be effective, end to end email encryption needs to be view as something more than just "a bonus for more sophisticated users" like the EFF is treating it. As long as only the sender or receiver is sophisticated enough to use email encryption, the option becomes worthless. Encryption only can be used when it becomes easy enough that both sender and receiver choose to use it.

Take the Thunderbird email client for example, at first start the program provides a setup wizard to take you through the items that are critical in using the program. As part of that, they even partner with companies like gandi.net to help you create a new email account if you don't already have one. But at no point do they partner with a Certificate Authority to encourage you to get a personal certificate for S/MIME configuration. Mozilla Foundation seems to never consider it a critical step. While they provide a knowledge base article of S/MIME Certificate providers (including free ones such as StartCom, Comodo, and secorio), this article is not kept up to date and none of the information is provided directly in Thunderbird itself. And the email account provider that the Mozilla Foundation has partnered with (gandi.net) does not even provide S/MIME personal certificates as an option even as a payed option despite also being a certificate authority.

If the attitude of email client software developers was that IMAP over SSL and SMTP over SSL should be provided as a third-party add-on "for more sophisticated users" then we would be in even worse shape today. Fortunately, these are considered options that should be easily access-able to everyone. We need to change how we think about presenting end to end email encryption to notices and start treating it as a critical offering instead of a secondary/side option.

http://www.instantssl.com/ssl-certificate-products/free-ssl-certificate.html

There is a free one, also you are missing the part about different pop3 server which essentially means you run your own domain, I'm assuming by " download our email from our Gmail account" you do not fall in that category. If you are actually using the pop3 protocol to download mail from Gmail you are already using SSL (Gmail hasn't accepted non-ssl client connections for years, I know because I had to setup a stunnel sever for some legacy apps during the cutover).

The list of people this actually affects (negatively) is miniscule (it only going to be the domain operators).

You want one that works, it ain't free but it IS cheap and you get a free 30 day trial to give it a spin. Here you go Comodo Instant SSL. To get the free trial just pick the free SSL button on the upper left. If it works good for you it is $69 a year for the basic package which will do what you want, the cert is recognized by ALL the major browsers, FF, Chromium based, Safari, IE, Opera, you name it.

Have you given Comodo SSL? Their main office is in India so I doubt it would be as quick to roll over for the USA, but hell you never know anymore. Anyway they offer a free 90 day SSL so you can try before you buy, and their certs go from 128/256 all the way up to 2048 bit, so you have plenty of choices. Prices start at $69 a year and go from there depending on how many extras you want.

Since it has a free try before you buy this would be a great chance to see where they stand without spending any $$$. I don't see a downside really, either they don't cave and you buy it, or they do and you don't.

Have you given Comodo SSL? Their main office is in India so I doubt it would be as quick to roll over for the USA, but hell you never know anymore. Anyway they offer a free 90 day SSL so you can try before you buy, and their certs go from 128/256 all the way up to 2048 bit, so you have plenty of choices. Prices start at $69 a year and go from there depending on how many extras you want.

Since it has a free try before you buy this would be a great chance to see where they stand without spending any $$$. I don't see a downside really, either they don't cave and you buy it, or they do and you don't.

[Programs not signed by a commercial code review agency] wind up in a virtual machine, completely isolated from the main OS and the app windows they put up are clearly marked as coming from an untrusted application, similar to untrusted applets in Java's sandbox.

Then any program that doesn't have a commercial entity behind it would have to run in the sandbox. For example, a lot of free software for Windows lacks Authenticode signatures because many individuals who maintain free software in their spare time don't want to incorporate ($100 or more depending on state) in order to become eligible for an Authenticode certificate and then keep the certificate up to date ($179.95/year).

They're freely available from comodo and instantssl. http://www.instantssl.com/ssl-certificate-products/free-email-certificate.html http://www.comodo.com/home/internet-security/free-email-certificate.php

However they just verify your email address not your identity, but fortunately nobody is going to notice that...

All packages must be digitally signed with a certificate that chains back to to a commonly-accepted CA.

So how does an individual developer of free software get such "a certificate that chains back to to a commonly-accepted CA"? The Authenticode CAs that I checked tend not to issue certs to individuals. Must every developer of a Windows application form a partnership or LLC? And must every developer pay upwards of $160 per calendar year (source: Comodo) for the privilege of releasing packages or updates in that year? That's even more than Apple charges for access to the app store on the iPhone.

That is actually the first thing I did when I read the original post. Seems to work exactly the same for email purposes at least and everyone I sent mail to was able to decrypt etc. I also found the getting the cert process much easier. I didn't have to create an account and the email saying my cert was ready only took about 1 minute, I think i've waited close to 15 minutes for thawte certs in the past.

http://www.instantssl.com/ssl-certificate-products/free-email-certificate.html

Hopefully they don't follow the same fate at thawte did.

How about for free?

Where do you get these magical $10/year SSL certs (assuming they're from CAs that are included by default in Windows, OSX, and Firefox)? I could use something like 10 of them.

We use Comodo InstantSSL. Nearer $100 but very widely trusted.

True that, though I don't think that I've ever done business with a CA that didn't allow for screwing up a key/cert at least once (though you might have to beg real hard), and I've used several.

Thawte claims to be the only one to have free reissues for the lifetime of the certificate: http://www.thawte.com/reissue/

Of course, Comodo says it has unlimited reissues as well... http://www.instantssl.com/ssl-certificate-products/ssl.html

Hi I am Yuvaraj, Being in Comodo Marketing Intelligence Team, I can assure you that the Best to go for would be Comodo SSL certificates. I can give the Justification of why you need to choose Comodo. 1.) Speed & Stringent Verification Process - For True Assurance 2.) Cheap at Price and High at Quality & assurance 3.) Gives You a Corner of Trust Logo for free* to make the visitors trust you 4.) Unique, patent-pending EV AUTO-Enhancer(TM) - Automatic EV Deployment and Maintenance Technology - automatically upgrades Microsoft® Internet Explorer 7.0 on Windows(TM) XP to full "Green Address Bar" functionality. Valued at $1,500, Comodo provides this technology free to all our EV SSL Certificate 5.) Industry Leading Support - you can visit http://www.instantssl.com/ and can see how our live support team functions. 6.)Comodo is the initiator of the CA/B forum (Certification Authority / Browsers Forum) visit http://www.cabforum.org/ And also you can get a free trial certificate......and then if you are satisfied ( I know for sure you will get satisfied) you can go for the paid ones. Thanks, Yuvaraj

Bollocks.

The problem with email at the moment is that forging From: fields is trivial, anyone who knows the first thing about SMTP can do it in 5 seconds and this means that an email can appear to come from any source the actual sender wants. I can send an email to anyone and make it appear as if it's from any bank in the world.

With a signed email, if the sender(bank) email address in the From: field doesn't match the certificate then you know it's not from the real sender(bank). It's perfectly possible and indeed simple for the client to automatically check that a signed email is from who it says it's from. That's the whole point of digital signatures. It could then display a nice happy face for valid emails and an unhappy one for invalid or neutral for unsigned ones.

And certificates should be easy to obtain. Everyone should have one. Go get one now, they're free! It isn't whether you have a certificate or not that matters it's that you are who you say you are that matters and that's what certificate authorities do for you. It's then up to users check that the From address shows user@barclays.co.uk rather than user@barlcays.co.uk but at least they'll now be able to check.

You can get free certificates which can be installed in your s/mime compliant email client.

http://www.thawte.com/secure-email/personal-email- certificates/
http://www.cacert.org/
http://www.instantssl.com/ssl-certificate-products /free-email-certificate.html

More info here.
http://en.wikipedia.org/wiki/S/MIME

Take your pick: GeoTrust
Comodo
Thawte
VeriSign

$100? We've been looking into code-signing lately, and my impression was that Verisign had the market locked at $400 a pop. Is it cheaper for individuals, or did you get the cert from somewhere else???

It's easiest to find their cheap certs on their InstantSSL site.

Try InstantSSL. We use these across our medium sized server farm at work with no issues.

Closer to $50
I used to use Verisign until I started my own company, suddenly InstantSSL was a better choice at 1/10th the price. To my shock and surprise I haven't had a single customer that noticed (or at least mentioned that they noticed).

I got the Pro License for $149 for 3 years and if you somehow screw up they can invalidate and reissue in minutes (good for when you're new to it or implementing them on a different platform).

I'm very pleased with InstantSSL and would compare them favorably to Verisign (actually better because getting a cert reissued on Verisign was a bit of a pain).

Here's google's cache of the front page that we beautifully slashdotted. Also, on a related note, many companies offer free SSL certificates if you do a little business with them. Ever-popular GoDaddy recently joined the ranks of those companies. They started offering free SSL certs to open-source projects.

Isn't that just supporting another monopoly?

No, because there are plenty of other CAs out there. Comodo, for example, also sell code-signing certs that are verifiable with the usual set of trusted root CAs.

Might want to update that potentially useful link to take the typo out of the URL: InstantSSL.

The correct link is here

You should really shop around...

InstantSSL sells 2 year certs for $89.

And they are trusted by the same 99.3% (who came up with that number) of browsers as Verisign.

Here's the kicker (From Article):

Netcraft has developed a service to help banks and other financial organizations identify sites which may be trying to construct frauds, identity theft and phishing attacks by pretending to be the bank, or are implying that the site has a relationship with the bank when in fact there is none.

Here's the competition (From Google):

About Comodo:
Comodo is the leading WebTrust-compliant enterprise solutions provider for E-commerce Security Solutions. Firmly established in the market, Comodo markets a range of innovative products and services developed by its dedicated research lab delivering software, hardware, secure messaging and certificate-based security.

Comodo offers its SEEOS(TM) Secure Enterprise Extensible Operating System for integrated network security, together with secure Linux applications delivered via its Trustix(TM) brand, SIDEN(TM) next generation ASIC, Instant SSL Certificates for securing web servers and patented web site verification and identity solutions. For product information please contact US +1 800 772 5185 or Europe +44 (0) 161 874 7070 or visit the Comodo Home Page at www.comodogroup.com .

About Betrusted:
Betrusted is the premier global provider of security and trust services to the world's leading organizations and government agencies. Through its managed security services, Betrusted offers clients a comprehensive package of leading security products coupled with unrivalled expertise to help reduce costs, increase revenues and comply with government and industry regulations. For more information, please visit our website at www.betrusted.com . Betrusted is owned by One Equity Partners, Bank One's private equity group.

(http://www.instantssl.com/ssl-certificate-news/ss l-120104.html)

"Trusted by 99.3% of current Internet users"

Nope, it's a funny number, but it seems to be some kind if industry norm.

I really don't think I should disclose how big my transactions are to this company. It's really none of their business.

Actually you don't. What this does is provides a sort of insurance to the consumer. See here.

It's just peace of mind for the consumer, that says that if I/you rip them off as an InstantSSL customer, InstantSSL will guarantee any fraudulant transaction up to the amount of your cert.

I haven't tried them personally, but InstantSSL has certificates for much less than Verisign/Thawte.

I use Instant SSL cheap, good service and I haven't seen any compatibility issues.

$49 ssl certs

While authenticating smtp servers will prevent some spam, why invent a completely new system? Use ordinary certificates and STARTTLS to authenticate mail servers. My company has been doing this for 3 years. It's a well defined, well known standard available on most MTA platforms, with strong cryptography and backwards compatible with normal SMTP. You would have to get certificates from a CA, but Instant SSL will sell you certificates for US$50.

Combine this with "sending MX" DNS schemes, and you make make a big dent in spam.

Yes, it won't stop all spam, but will catch a lot. For example, my company's SMTP server is configured to reject email that doesn't have a valid domain in the "From" line. Even though it's trivial for a spammer to fake the "From" line to a real domain, over 500 spams per day get blocked from this.

Just the price difference.

I have run many an ecommerce website with Thawte certificates. Lately I have been a fan of InstantSSL certificates.

I would suggest this excelent resource WhichSSL? to assist you in deciding which SSL provider to use.

muirhead wrote:
I agree!
www.instantssl.com/ is he only Certification Authority providing low-cost, fully-validated and warrantied SSL Certificates.

Try this:

https://www.instantssl.com/

They can't even get the certs right for their own site ...

Comodo issues relatively inexpensive certs that are accepted by most consumer, and even most non-consumer browsers.

FreeSSL also offers inexpensive (though it doesn't quite seem to be free) certs.

They seem to work with Lynx, Mozilla-based browsers, IE... Well. Look at the compatibility list. =]

If you want to be compatible with EVERYONE, you'll have to spend a bit more, but these are good for the majority of e-commerce sites, and intranets/basic sites.

-Sara

Geotrust's $119 certificates are validated only by emailing the WHOIS admin contact, (at least according to the CPS, which you would expect to be correct. See esp. B.1 and B.2.

InstantSSL's $49 SSL certificates do validate the organisation, not just the control of the domain. See their CPS esp. 4.3 and 6.4.

Disclaimer: I work for Comodo, which does the validation for InstantSSL, although I am not involved in the process myself. However although I like Comodo, and they pay my wages, I don't speak for Comodo (hence posting anonymously), and am soley responsible for the content of this message.

By the way, they also do free email certificates (identity not validated) which other people charge $10-$20 for.

Geotrust's $119 certificates are validated only by emailing the WHOIS admin contact, (at least according to the CPS, which you would expect to be correct. See esp. B.1 and B.2.

InstantSSL's $49 SSL certificates do validate the organisation, not just the control of the domain. See their CPS esp. 4.3 and 6.4.

Disclaimer: I work for Comodo, which does the validation for InstantSSL, although I am not involved in the process myself. However although I like Comodo, and they pay my wages, I don't speak for Comodo (hence posting anonymously), and am soley responsible for the content of this message.

By the way, they also do free email certificates (identity not validated) which other people charge $10-$20 for.

Geotrust's $119 certificates are validated only by emailing the WHOIS admin contact, (at least according to the CPS, which you would expect to be correct. See esp. B.1 and B.2.

InstantSSL's $49 SSL certificates do validate the organisation, not just the control of the domain. See their CPS esp. 4.3 and 6.4.

Disclaimer: I work for Comodo, which does the validation for InstantSSL, although I am not involved in the process myself. However although I like Comodo, and they pay my wages, I don't speak for Comodo (hence posting anonymously), and am soley responsible for the content of this message.

By the way, they also do free email certificates (identity not validated) which other people charge $10-$20 for.

Consider http://www.instantssl.com.

Disclaimer: I work for Comodo, which runs this site.

I recently had the same question you do, namely I've got a small site doing a limited amount of business but I still need to accept credit cards and use SSL. Verisign? No way in hell. It'd take me two months to make their fee back in profits. No thank you.

After searching around a bit I found a site called InstantSSL run by an outfit called Comodo. They offer a 1 year 128-bit cert for $49, and you can even try it out for 30 days free of charge. I did, and it works well enough that I haven't had any complaints.

I use InstantSSL (Comodo) [flash alert]. Works great. A little Apache tweak, nothing on the client side, and haven't found an unsupported browser.

Best part: $49.

S

Even better, you can get a trial 30-day cert. They're fully functional and registered for your site, so you can test it out completely without getting any "SECURITY WARNING!!" notices from your browser.

Also check out www.whichssl.com It's run by Comodo, but it's surprisingly unbiased and shows you all the prices, browser compatibility issues, etc. of all the major CA's.

I am soooooooo glad I found them! Why pay $300-$500 for a 128-bit certificate when a $50 will work every bit as well? (The only reason I can think of is if you need support for MSIE 4.0 or something)

Has anybody used InstantSSL? They claim to work with IE 5+, NS 4+, AOL 5+ and Opera 5+, which they say is 99% of the browsers in use out there. Sounds like a good deal to me.

I'm looking at using the cert to do some credit card auth for a webhosting company, and I don't really think I'd have a problem turning away that 1% of people who can't upgrade to a browser that came several years ago. That whole 80/20 rule kicks in there. I'm sure somebody who can't be bothered to upgrade to a modern browser is going to be a tech support nightmare.

At $49 a piece for standard certificates they're the cheapest my company could find when we went looking last month. So far I have no problems recommending them.

When you check out their $49 product
here you will notice that DESIGNED is speeled "deisgned"..

Would you buy an SSL certificate from a company so unprofessional it can't be bothered to spell check their site?