Slashdot Mirror


Cheap SSL Certificates for Small Websites?

zaqattack911 asks: "In the workplace today it is becoming more and more common for everyday applications to be accessible over the web. Just about all the booking and tracking systems at my job are handled via web-apps these days. Along with this trend, is the increased need for secure transactions over the web. Just about all of the apps on my webserver are going to be SSL only. Some of them are for internal use only, some for the outside internet to use. Is there a cheap alternative to getting your certificates signed? Self signing my certificates works of course, but just about all browsers make a big fuss about it. Verisign asks for about 400$ initially, and 300$ to renew a certificate every year. This seems like a scam to me, and I'd love to know if anyone knows of alternatives out there? Is there a way to get around the certificate signing business? I looked at a company called RSA Security which allows a company to 'self sign' and use their accepted signature. The website doesn't mention the price, and I'm sure it's not very affordable. What else is there?"


  1. Self-sign by vegetablespork · · Score: 0, Insightful

    And put text in saying to click through the security warning. Most people will, anyway.

    --

    Call (206) 338-5780 COLLECT for information about a genuine BA, BS, MA, MS, MBA, or Ph.D.

  2. Re:Comodo - $49 by Anonymous Coward · · Score: 1, Insightful

    The free cert basically only works with IE. They claim IE has 95% of the market share, but I guess that depends on the type of website you operate...

    Are there actually limitations on that free cert? E.g. are you required to buy the 'real' cert? With other words, is it a 'get 3 months free if you buy one year' scam?

  3. Re:It's not as much of a scam as you think. by borud · · Score: 2, Insightful

    However, the reason it's automatically accepted is because VeriSign is supposed to verify the identity of the business. This is why they require a Dun & Bradstreet # (It's a business credit identifier).

    knowing your social security number does not make me you. it makes me someone who knows your social number. nothing more. nothing less.

    while a lot of people seem to think they know the mechanics of cryptography pretty well (and probably do), there still seems to be a lot of people who aren't really in the habit of thinking where security supposedly comes from in any given scheme.

  4. Re:Thawte by snubber1 · · Score: 1, Insightful

    When the fuck did they start charging $199??
    Last time I looked it was $125 first time, $99 renewal.

    Greedy mother fucking bastard cum-lapping whore dicks.

    I guess it suddenly became more expensive to take your money.

    --
    I don't really mind double posts on //..
  5. Government and more flexible signed assertions by Fastolfe · · Score: 5, Insightful

    This is the situation where we need the government to step in. We're all getting driver's licenses from the government, passports, etc., and these are really the only real-world pieces of identification people accept. What we need is for the government to step in and issue digital ID's, to individuals and corporations. These ID's would tie us to whatever electronic identifiers are appropriate (domain names and/or e-mail addresses), and appropriate delegation would be permitted from there.

    We just need a trusted authority (for certain definitions of 'trusted' and for the definition of 'authority' that is ubiquitously recognized instead of decided by the highest bidders in the browser wars) to make digital assertions.

    You'd start with certifying identities: my state might sign a certificate certifying my name, maybe driver's license number, perhaps address and even a photograph. I should now be able to sign e-mails with this now independently of my e-mail address. The resulting signed message could carry whatever signed assertions I wanted to put on it. (Probably my name and maybe my photograph.) I can't forge these, because these components are signed by the state in connection with my identity. A posting to a self-help group might just assert my identity in the form of a photograph and an unsigned nickname.

    Taking this a step further, I should be able to use this ID to sign other things, even web sites. This will require changes to the way users perceive an "authenticated" web site. If I go to a bank at www.example.com today, they have a certificate that basically states "www.example.com is Example Bank, and their identity is certified". What my own signed web site might assert is "www.example.com is Joe User". User agents need to give more weight to the name here and less weight to the fact that the domain name matches what's in the certificate.

    Extend this now to corporations. When a corporate charter is created, a digital ID for that corporation is created along with it and signed by the state of incorporation. That corporation can now sign assertions like "Joe User is the CEO of Example Corporation".

    So now, when Joe User sends an e-mail, he can include this information:
    • Joe User (signed by the state of residence)
    • (Joe's picture, signed by the state)
    • Job Title: CEO (signed by Example Corporation)
    At this point, we really have a framework to allow the signing of most any type of assertion. If someone feels that we still need a signed DNS-based model, we'd do this within the DNS framework. I.e. registrars, when creating a domain, would also create a certificate for the domain name created and pass that on to the new owner, who can now sign for sub-domains as needed. When presented with www.sub.example.com, we have "www" signed by "sub" signed by "example" signed by one of the registrars for ".com".

    Some of these concepts will require a re-thinking of the way we approach authenticated online identities. We need to stop placing so much importance on online identifiers (like domain names and e-mail addresses) and start paying attention to who is making those assertions. I can sign an assertion stating that my e-mail address is 'joe@example.com', but unless that's really my e-mail address, it's not going to do anyone a whole lot of good. If I go around forging e-mails from joe@example.com and including that signed assertion, everyone should be able to take one look at that and say, "Who the hell is this guy claiming to be joe@example.com?". Only the guy with the certificate stating the assertion that he is "joe", signed by "example", signed by a valid registrar for ".com" would be able to say that with any authority.

    A lot of this can be done today with signed/encrypted XML, provided we have a common framework to start sharing the assertions.

  6. Big Fuss? by wdr1 · · Score: 2, Insightful

    How is a pop-up a big fuss? Also most browsers allow you to permanently accept the certificate as valid, don't they?

    -Bill

    --
    SlashSig Karma: Excellent (mostly affected by moderatio

  7. Re:No Real Options, Sorry by Patersmith · · Score: 3, Insightful

    Anyone know what it would take to be included in the major browsers default certificate list?

  8. The certificate 'business' is a scam for 3 reasons by Xeger · · Score: 5, Insightful

    1) Almost every known root CA targets businesses as their primary customers. The prevailing mentality seems to be that if you want to secure your HTTP server's connections to members of the general public, you must be running some sort of business. Their cost per certificate is nothing; you are paying them not for the certificate itself, but for a certification of your trustworthiness as a business.

    But what if I'm offering a free service, which nonetheless requires that my users have absolute trust in their browsing security? What if I'm running a nonprofit organization? If the CAs were truly interested in security, they would offer a low-cost alternative for people who are offering free services, and perhaps a free certificate for non-profit organizations.

    You may point out that I can now get a cheap certificate for $50. While this is true, the low price of certificates these days is the result of market pressure. These guys aren't lowering their prices out of the goodness of their hearts, or to help Joe Q. Webmaster who wants a secure website. They're doing it only in response to competition.

    2) 'Wildcard' certificates cost an absurd amount of money, usually $500 or more.

    Excuse me? The entire premise of the certification is that Thawte (or VeriSign, or whoever) is certifying my trustworthiness as an organization. As such, it shouldn't matter whether I have one, ten or a hundred DNS names associated with my website and with my organization. By forcing you to buy separate certificates for your web server's DNS name, your mail server's DNS name, your LDAP server's DNS name and others, they are extracting even more money from your wallet. Even if all my services are hosted on the same machine, I must pay hundreds of dollars extra for the privilege of giving them separate aliases. The only other alternative is to host all of my services on one machine, under one DNS name. Thank you so much, VeriSign, for sticking your nose into my system administration.

    And, finally,

    3) VeriSign, the biggest fish in the pond, has demonstrated on more than one occasion that it is in fact not trustworthy.

    Remember the incident involving a falsely-issued code signing certificate for Microsoft? That's right! This supposed paragon of trustworthiness gave some unknown cracker free rein to masquerade as the largest software company in the world. If they're that damned vulnerable to simple social engineering...then why did I pay them $200 or more, again? What exactly were they certifying?

    From the start, the entire digital certificate business has been about politics and moneymaking, nothing more. It's a pity that we're forced to live with it.

  9. DRM -- You nailed it by serutan · · Score: 5, Insightful

    Yes, and this is just a preview of the next economic layer that is going to be laid on top of the Internet with the arrival of Palladium. What do you suppose you will have to do to get your content enabled so everybody's PC will be allowed to open it? It's not just a scam, it's maybe the ultimate scam. Inflict the publishing industry's business model on the Internet by taking control of all the hardware connected to it.

    These bastards are pure evil.

  10. Why they're cheaper by billstewart · · Score: 2, Insightful

    They acquired a lot of market share early on by getting installed as default roots by IE and Netscape and selling their certs much cheaper than Verisign. So Verisign bought them, but uses them as a lower-priced brand where that's useful for market differentiation, and it beats having them as a competitor.

    They've also done some innovative technology, but their basic raison d'être was to sell certs for a low price, since the cost was also low.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks

  11. becoming a CA? by DuckWing · · Score: 2, Insightful

    This whole thread begs the question, how does one become a Certificate Authority. Someone started it and others are available if you look at the CA's in your browser prefs. Couldn't a company be their own CA then?

    --
    -- DuckWing

  12. Whose government? by Anonymous Coward · · Score: 1, Insightful

    Yet again, the assumption that the world stops at the USA's borders.
    Do try to remember that some of us don't answer to Uncle Sam.

  13. A Scam by iie1195 · · Score: 2, Insightful

    [Ranting, flame if you want... Corrections and thoughts would be most appreciated ;)]

    I know you're paying to prove you say who you are, but what's the big deal here anyways? To me, certs are more about encryption than a form of digital ID.

    The 'Certificate Authority' is just another scam to monopolize, to a certain extent, encrypted digital transfer of data. If my cert is OpenSSL with myself as the signing authority, the cert is no less or more secure than an 'official' certificate. And even if the site/program is signed by authority, that does not mean you are not being cheated in some way by the issuer.

    Blablah, I call for a grass-roots movement demanding the power to self-sign code and sites etc... Who's with me??!? :p

    -- iie1195