Slashdot Mirror


Choosing an SSL Provider?

An anonymous reader writes "I have recently been tasked with switching our SSL certificate provider and it's proving not to be easy. We use an internal authority for our own stuff and then we buy certificates to protect outward-facing sites (a lot of them). My question for this community is: How do you choose a certificate authority to use? There is price, service (why we're leaving our last vendor), warranty, and products offered as the only differentiators I can find. Is there any public resource that would show me actual customer reviews of CAs like Verisign, GeoTrust, Comodo, Trustwave, and DigiCert? Our last vendor did a really poor job with support and I would like to make a reasonably educated decision."

3 of 183 comments

  1. What sort of support do you need? by TechyImmigrant · Score: 4, Interesting

    How do you support a cert? They're pretty much set once delivered.

    1) You make a cert request. Pay Money.
    2) They verify your identity.
    3) They sign your cert request and return it as a signed cert.

    It's not like you can upgrade a v3 cert to v3.1.

    --
    Evil people are out to get you.
  2. SSL Monopolies, SubCAs, PKI use, and supply/demand by CarpetShark · Score: 2, Interesting

    I could be wrong about this, but I think the problem is that PKI was intended to be much more hierarchical, like DNS.

    In other words, I think the idea was probably that ISPs or other organisations would purchase bigISP.com certs, that allowed them to be certificate authorities too.

    Then, an ISP's customers could go to THEM for certs. The customer's site cert would be signed by their CA (the ISP), and the ISP's in turn would be signed by the big names.

    I think that does work. If so, then the problem is almost certainly that ISPs and such just don't buy those big certs, because so few people use SSL on their sites.

    BUT... note that CA certs could be used much more widely than they are -- for email signing/encryption, server/client authentication in WANs, etc.

  3. Re:Buy a real SSL cert, with location info by TheLink · Score: 1, Interesting

    Wrong. The main point of an SSL cert that's by one of those CAs is for the very reason he said:

    So _public_ users don't get a pop up prompt.

    Nobody really gives a damn about the "other stuff" (e.g. real security, and even if users get a pop up, more than half the time they'll just click through ;) ).

    After all, when CAs like Verisign issue "Microsoft" certs to non-Microsoft people[1], and lots of sites still use Verisign (who are already known for _intentionally_ doing very dubious stuff), where's the security?

    If you actually want security you're better off deleting most CA root certs and sticking to getting the browser to recognize certs for sites that you really trust on a per-site basis.

    You shouldn't be depending on CAs that don't really care. Because some random CA will sign some cert they shouldn't and then you're screwed since your browser has their cert built in, and so you don't get a prompt when you get MITM'ed at some WiFi + Latte place. Instead of your bank site, you end up passing your credentials to some hacker.

    Whereas if you recognized the bank site just because of the bank's usual cert, and not because some evil/incompetent CA signed it, if a hacker presents a different cert, you will get a prompt. Naturally when the cert expires you get a prompt, but that's really not a big deal in practice.

    [1] http://www.microsoft.com/technet/security/bulletin/MS01-017.mspx
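The two points above, the "big name signs the ISP, the ISP signs the customer" hierarchy from comment 2 and the per-site "recognize the bank's usual cert, not whoever signed it" check from comment 3, as an added Go example that is not from the thread. Every CA name, hostname and key in it is constructed for the demo, and the pin is a SHA-256 of the leaf's SubjectPublicKeyInfo, one common form of such a check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a cert for name signed by parent; a nil parent makes a self-signed root (keys are constructed per run).
func mkCert(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, DNSNames: []string{name},
	}
	if parent == nil { // a root signs itself
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// pool wraps certs in an x509.CertPool: the trusted roots, or the sub-CA certs a server sends along.
func pool(certs ...*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range certs {
		p.AddCert(c)
	}
	return p
}
// Demo builds "big name root -> bigISP.com sub-CA -> site", then a careless second root that also issues bank.example.
func Demo() (viaISP, rogueTrusted, rogueFailsPin bool) {
	root, rootKey := mkCert("Big Name Root", true, nil, nil)
	isp, ispKey := mkCert("bigISP.com CA", true, root, rootKey)
	bank, _ := mkCert("bank.example", false, isp, ispKey)
	rogue, rogueKey := mkCert("Careless CA", true, nil, nil)
	fake, _ := mkCert("bank.example", false, rogue, rogueKey)
	_, errISP := bank.Verify(x509.VerifyOptions{DNSName: "bank.example", Roots: pool(root), Intermediates: pool(isp)})
	_, errRogue := fake.Verify(x509.VerifyOptions{DNSName: "bank.example", Roots: pool(root, rogue)}) // both roots "built in"
	return errISP == nil, errRogue == nil, sha256.Sum256(fake.RawSubjectPublicKeyInfo) != sha256.Sum256(bank.RawSubjectPublicKeyInfo)
}
```

Chain validation accepts the look-alike cert as long as the careless root is in the trust store, while the per-site SPKI pin rejects it; the same pin also survives a renewal that keeps the site's key.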