Choosing an SSL CA?

zentigger asks: "I am looking at renewing some SSL certificates and checking out the various vendors. I seems that just about every major CA has some reason for not using them. Verisign is just evil, Thawte is owned by Verisign, Geocerts has a bad habit of spamming, and Godaddy uses a stupid chained cert that doesn't work for some appliances we have (and they won't let me check out using Firefox). I realize that I could just use a self-signed certificate, but we have too many stupid users that get all confused and whiny when something pops up and asks them unexpected questions. So I put it to you, Slashdot: what CAs do you recommend and why?"

cacert.org

[Procyon101]

cacert.org

They have a great concept that should be supported.

I use Comodo

[Anonymous+Crowhead]

http://comodo.com/

They were the first company I found selling certs for $50 compared to Thawte which was around $200 at the time. Now we use a wild card cert which costs $449 + $10/server. We use it on 15 servers with 20 or so hostnames (*.url.com) right now. It makes it a hell of lot easier to update and manage only one cert.

We have had no reported problems with browser compatibility.

wrong!

[coyote-san]

Gah - I have moderator points but there's no "incorrect" flag.

Encryption without authentication is absolutely meaningless. There would be no way to detect a "man in the middle" attack -- anyone with access to the data stream could impersonate the other party and get the complete plaintext stream. Worse, the MitM could almost certainly insert or remove content at will. ("Almost" since it's possible that there's HMAC data at the application layer in addition to the network(?) layer.)

That's crypto 101 material. Any protocol designer that doesn't have MitM attacks as one of his top priorities should go back to his cereal box decoder rings.

SSL contains both strong mutual authentication and message digesting. One or both parties can choose to ignore information, but it's always their choice and they can refuse a connection unless acceptable authentication information has been provided.

Does this directly address spamming and phishing? No... but it guarantees that you can hold somebody responsible for it. That's why the "soft" side of the CA is so important - you're depending on the CA doing due diligence to ensure that 'paypal.com' is who they claim they are, not somebody with a maildrop. Generating and publishing the certs themselves is trivial.

As an aside, "SSL" does NOT mean that you're guaranteed an encrypted channel. A 'null' cipher exists for testing purposes and many administrators never realize that they should specify a minimal acceptable cipher strength. A malicious application or client could attempt to negotiate encryption down to nothing. Some of the other ciphers are only suitable for keeping your kid sister out of your stuff.