Slashdot Mirror
Choosing an SSL Provider?
An anonymous reader writes "I have recently been tasked with switching our SSL certificate provider and it's proving not to be easy. We use an internal authority for our own stuff and then we buy certificates to protect outward-facing sites (a lot of them). My question for this community is: How do you choose a certificate authority to use? There is price, service (why we're leaving our last vendor), warranty, and products offered as the only differentiators I can find. Is there any public resource that would show me actual customer reviews of CAs like Verisign, GeoTrust, Comodo, Trustwave, and DigiCert? Our last vendor did a really poor job with support and I would like to make a reasonably educated decision."
They have cheap 128-bit cert that have Root in almost all browsers. The only issue we have run into is windows mobile devices.
If you're just after a basic root cert, RapidSSL(Equifax) is your best bet. If you need the stronger, blood-of-your-first-born cert, Verisign is the place to go.
Regards,
Website Hosting
How do you support a cert? They're pretty much set once delivered.
1) You make a cert request. Pay Money.
2) They verify your identity.
3) They sign your cert request and return it as a signed cert.
It's not like you can upgrade a v3 cert to v3.1.
Evil people are out to get you.
What sort of support are you expecting for a certificate? Installation support should be available from the vendor of your servers. Was it renewal or revocation you had problems with? Renewal means more money for the CA, so it should just be a matter of phoning their sales team, they'll fall over themselves to provide you with service if you have a large number of certificates to renew. Revocation - I'm not sure enough customers will have had to deal with that to get enough feedback to make a judgement.
What are your priorities?
It sounds like service is pretty high up on the list. What about price?
There is everything from CACert.org, which offers free certs, but supported is limited to the community it serves, to budget providers to full-service providers like Verisign.
Do you need more than just a few certificates? Do you need someone to be available 24x7 for phone support or is e-mail support good enough? What do you need?
Like anything else in life, you decide based on what your needs are and how well that, in this case, a particular CA fits your needs.
My blog
I was under the impression that SSL providers had a hold on the "market" and didn't really need to provide that good support, but that is coming from someone who has never had to deal with that side of it. Here is an aggregation of a bunch of providers though, beware it's an ugly page.
Absolute power corrupts absolutely. indymedia
We've used Geotrust since the beginning and have never had a problem. They are a bit more expensive than others, but we'll take the hit there for the good support.
There was one year where we wanted to try the EV-SSL. We decided to go cheap and went with Comodo. Big mistake. It didn't work, and after dealing 2 weeks with the support people there, we gave up and went back to Geotrust. They would only talk to us via email and were generally very unhelpful. I'm not saying that is what everyone experiences, I'm simply stating our own.
Go with a Rapid SSL wildcard cert. It will take care of most external needs with a single cert. They have a self service model that works pretty well. Cost is very reasonable.
Buy a real SSL cert, one with "Location" (L field) information and a real business name (not a domain name) in the "Organization" (O field). Avoid those cheap "Instant SSL" "Domain Control Only Validated" certs.
At SiteTruth, we consider the low-end certs worthless. They don't provide any information about who you're dealing with. We encourage other developers of certificate-validation software to take a similar position. You don't want to input a credit card number to a site with a "domain control only validated" certificate. "Domain control only" validated certs are enough for logging into a blog, perhaps, but not more than that.
I have had success with both OpenSRS and GoDaddy for SSL certs. OpenSRS will allow you to easily supply the needs of your customers. Never had a problem with using either. Also, what type of support do you need? My experience is you install them and they work, then you renew them/reinstall as needed. just mu $0.02
Look at the "/." just before the http in your location bar. Just turn it into a lock icon for your website.
If you want good support, go with Digicert. Absolutely phenomenal support. You don't go through hold queues to get to some person god knows where. Usually the person who picks up the phone is the one that helps you and they know what they are talking about. I've been extremely happy with them.
Since you're already anonymous, why not reveal who your crappy provider was so we know who to avoid?
Reviewing just the first hour of video games.
Verisign, always used them for public cert's.
SSL Shopper has a great list of SSL certificate providers and reviews, as well as the ability to compare different providers side by side using their SSL wizard.
The company I work at goes with Verisign, but that's only because Verisign is one of our customers. Unless your customers are financial houses or some equally paranoid group no one is going to give a rip where the certificate comes from as long as their browser automagically recognizes it. I've only met one person in my decade in IT who checks web site certificate validity (she works at a major investment firm) on a regular basis, and that's only because her job requires that she do so before transferring X-many millions of dollars.
"Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
You can't go wrong with Thawte..
At my company, we use three different providers depending on the need.
Client Facing
We use Verisign for anything a client will interact with since we can use the Verisign Secured Seal on any web content on our site. Our studies have shown a percentage of our users actually know of the Versign secured logo and helps to assure them of the security.
Non-client Facing
We use Thawte certificates since these are much cheaper than Verisign, and are fully compatible with most browsers/mobile devices.
QA/Dev Servers
We use GoDaddy for internal/external tests and projects. They are cheap and quick, which makes them useful in a non production environment.
I've used VeriSign, Thawte (pre-VeriSign days) QuoVadis (for Bermuda companies), Comodo, GoDaddy, and RapidSSL (geotrust rebrand).
If I have a multi-million dollar e-Commerce site, I'd use an EV cert from a VeriSign or similar company. For the other 99.99999% of uses, it'll be the cheapest certificate that is signed by a trusted root in the IE, FF, and Safari browsers. Don't care if it's domain validation only, as long as it works.
RapidSSL has been good for price, root signing, and the wildcard certs work well to.
Choosing an SSL provider really depends on your requirements. If all that you need is a SSL cert for encrypted traffic and have no other corporate or audit requirements to adhear to, then almost any ssl provider with 99% browser compatibility will work. These certificates are usually in the $49-150 range. If you have to adhear to a policy, or if you want your "secured by xxxx" logo to be a well known name, then I would recommend Thawte. Others have recommended Verisign, but what most people do not realize is that Verisign and Thawte are the same company; and that you can purchase a Thawte SSL certificate for a little less than half of the price for the exact same thing.
https://www.thawte.com/ssl-digital-certificates/buy-ssl-certificates/?click=buyssl-buttonsleft
$699 one year
https://ssl-certificate-center.verisign.com/process/retail/product_selector;jsessionid=F682F047C9C50A9204F1B5A1F3971614?uid=d62acac0de1cbeb4b281f52d35982a1d&product=GHA002
$1,499 on year
Both certificates will pass all of the major security benchmarks (pci, hippa, iso20001, etc)
With more users accessing the web from mobile devices, certificate choice matters even more now. Motorola phones, for example, only have a verisign cert on them, so users will get annoying "untrusted site" warnings for sites with Equifax certs. Also, J2ME applications on these phones cannot connect to sites with non-verisign certs. This becomes a bigger problem for mashup java apps that try to access secure apis on multiple services. You end up greatly restricting how your service can be used if you go for a cheap, easy Equifax certificate.
I used GoDaddy for the one standard cert I ever had to order and had no problems at all. My one complaint is that when I ordered it, their pricing was $19.99, it has now gone up to $29.99.
The cert auto renewed and I wasn't expecting that, but a ticket to their support center and I got it canceled and refunded. So pretty good service I think.
But watch out. The more that ISPs start filtering content, and the more that governments increase monitoring and censoring data on the web... you're going to see rising demand for SSL certs and rising instances of the, pay more money for a green url bar nonsense.
The SSL providers are trying to sell you on the idea that it's the cert that makes the site trustworthy. Meanwhile, all you really need the cert for is the encryption.
IE7 has succeeded in making shared certs utterly useless. Too bad for the little guy who was using the shared cert provided free from his hosting company, because you can no longer use it without an enormous frightening message from the browser.
Look for more of this to come.
I could be wrong about this, but I think the problem is that PKI was intended to be much more hierarchical, like DNS.
In other words, I think the idea was probably that ISPs or other organisations would purchase bigISP.com certs, that allowed them to be certificate authorities too.
Then, an ISP's customers could go to THEM for certs. The customer's site cert would be signed by their CA; the ISP, and the ISP's in turn would be signed by the big names.
I think that does work. If so, then the problem is almost certainly that ISPs and such just don't buy those big certs, because so few people use SSL on their sites.
BUT... note that CA certs could be used much more widely than they are -- for email signing/encryption, server/client authentication in WANs, etc.
May I ask which vendor did a really poor job with support?
9/11 Eyewitnesses to Explosive WTC Demolition 1 of 2
What you describe does work, though it gets annoying.
Basically, when your server negotiates SSL with the browser, it has to provide all the certificates in the trust chain that the browser doesn't have. So, bigISP.com has a certificate signing certificate from VeriSign, and signs a Web certificate for your company. Any time an SSL request comes in, your server has to present it's public certificate and the public certificate of bigISP.com's signing certificate. The browser already has VeriSign's public certificate signing certificate.
So, it's kind of like DNS resolution, where you have to "know" the root server, and then can build a chain down to get the actual name server to ask. But, in this case, you need a trust chain of signed certificates. With one or two layers, it's not _that_ big a deal...
The real downside is maintenance. Each layer has its own expiry, and you have to re-establish the chain whenever a certificate in it expires. That means new private certs and updating the public certs that are sent with the SSL transaction.
If, instead, your certificate is signed by a certificate for which there is a public key pre-loaded into the browser, you only have 1 certificate to update when it expires or when the signing certificate expires.
I use a self-signed certificate signing certificate for my home systems and for my department's SSL servers at work. But there's a very limited number of people who are supposed to access those servers, so they can be given the public signing certificate by hand. And even then, I wind up on vacation and unable to get to my IMAPS server because I forgot the signing certificate is going to expire on me....
So, keeping the chain short is actually worth-while, just from a maintenance perspective.
I've ordered and installed hundreds of SSL certificates (usually one or two a week). We use GeoTrust for nearly all of our certificates and I have never had any sort of problems. Their turn-around time is very fast too, at least in comparison to VeriSign and Thawte. Probably the easiest thing you can do to ease the process of ordering certificates is to make sure your domain WHOIS info is up to date. But really, as long as you know what info you want to have on your cert, there isn't much to getting one ordered.
Not really for the OP but I wanted to mention StartCom if someone was looking for a free cert as opposed to a self signed one. http://www.startcom.org/
Bringing liberty to the masses. - http://freetalklive.com/
I've had reasonably good experiences with Godaddy, and as far as I know, they're one of the cheapest around. SSL cert signing is mostly just snake oil anyway. It's not like the company signing your cert for you has any impact on the actual security of your site, and I can't imagine that many customers look at the cert signer and go "RapidSSL? No way! Fuck those guys! I'm gonna go spend my money at some other dildo store". So, your best bet is to go with the cheapest one around that's likely to be in all the major browsers' trusted CA list.
I work for a web hosting provider. We do provide SSL certs which can be purchased on an annual basis and are easy enough to install. (Basically you subscribe to it and it's installed automagically for you). However, if you buy your own SSL cert things get more complicated - at least for us 1st level support types. We have to install the cert manually which can be a massive undertaking - especially if the customer doesn't understand how it works. This usually results in numerous emails back and forth with the customer because they don't provide the "EXACT" information they used to register the cert. Since certs are purchased annually, and some customers have a habit of jumping from one hosting provider to another every couple of months, this can add to the complication. My advice would be to find a web hosting provider that caters to your needs and stick with them. Purchase your SSL cert from them for minimal headache. You may end up paying a little more because you are going through a reseller instead of purchasing directly from the issuer but it's definately worth it.
Become a member of CaCert.org http://www.cacert.org/.
Support their certificates and their root CA.
Advocate for support in OSS browsers like Firefox.
Tell everyone you know about CACert.
Certs want to be free like information (and beer, too).
Sig this!
What is this, some kind of Thawteweft? http://ww2.wizards.com/gatherer/CardDetails.aspx?&id=145799
I only look human.
My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
The company I work for uses Verisign. We can't really use self-generated certs or cheapish certs from companies nobody has heard of. We have to use certs from somebody who is a name vendor so our customers get those warm, fuzzy feelings that customers need to keep doing business with us. Verisign's customer support is very good. I had a relatively minor issue and they had it fixed within 1 minute of my call. I was shocked. Verisign is not cheap. SSL certs cost $399 for just the basic bare bones ones for 1 year. You'll pay more for more bells and whistles and the longer it lasts, the more you pay, but you do get a discounted price for multi-year renewals.
For what it's worth, we use Thawte and have never had a problem. Even let us re-roll a cert when (our error) we messed up the cert request.
Trivia: Thawte was founded by Mark Shuttleworth, the guy behind Ubuntu Linux.
Cheap, all known, instant activation, and allows you to display a verified site seal on your site. nothing can beat it.
Read radical news here
I've been happy with GoDaddy for two reasons:
1) Cheap ($30/year for one cert, $200/year for wildcard)
2) Super Bowl Spokesperson has huge tracts of land.
The drawback is that you need a CA cert - but if this is a problem then you should probably find a new line of work.
...but doesn't obtaining a certificate from the CA require you to send them a copy of the private key? The purpose of the certificate is to ensure that your site is properly identified, and who it states to be. Excuse me, but don't I need absolute trust with the party I am doing business with in order to reveal ANY private key on my server? I don't know about you, but I absolutely do NOT trust any third parties with my business, let alone my customers' information, trends, activities, etc.
Encryption is not my cup of tea, but, as I understand it, is the CA and ISP in collaboration able to impersonate your site by redirecting it and falsifying validation? And barring that fact, with the ISP and CA in collaboration with a government agency, will they not be able to not only capture the encrypted data, but also DECRYPT it because they have a copy of your private key for the site?
Barring the ISP's involvement, wouldn't "spying" on the backbone itself be good enough, with the CAs collaborating, to decrypt ANY and ALL encrypted data that traverses this country's networks?
The dissemination of a private key of ANY kind is what has kept me from using ANY CA at all.
Now, correct me if I'm wrong, but isn't that the power you give the CA when you send your Certificate Request in?
Your assertion is correct, the original intent was to have a hierarchy of SSL providers like DNS. In practice the cost of becoming a dns registrar was relatively inexpensive. As I understand it, the cost of obtaining a key signing certificate from an existing CA is extremely high, if you can get one at all.* This is the reason that companies like GoDaddy find it easier to acquire a defunct SSL provider with a widely accepted Root certificate. * The cause for this is simple to deduce. It would be illogical for a company (Verisign) to sell the required materials for operation to a primary competitor.
I'm surprised few have mentioned Entrust.
:)
They've been around about 11 years and have been rather superb for us. We switched to them from using Verisign because it seemed like paying almost a grand a year for a 128/256 validated cert was absolutely ridiculous. Entrust has just as much browser and application (e.g. JBoss) exposure as Verisign and their certs are only $159-199/yr (depending on how many certs you purchase). EV certs are considerably cheaper as well.
Granted it takes them a few business days for the first cert you order, subsequent orders seem to have a turnaround time of 24 hrs.
They work for us, they're relatively cheap, and they don't require chained certificates like some of the cheaper CAs that have popped up over the past few years. As always, do your research and compare the CAs once you've whittled down the short list.
I love the information on the vendors' sites. Its opague. Thawte, GeoTrust and Verisign are the same, Verisigh bought them. They claim to be different, use different logos, root CAs, etc. but they are really the same company. I did this same search a few months back and ended up buying a wildcard cert from GeoTrust. It does not do good mobile phone 'presigning" but other than that, they work fine
Have purchased hundreds of Geotrust/Equifax RapidSSL certificates over the years, in the past couple only from their reseller servertastic.com. Dirt cheap, quick automated purchasing process and works across all browsers, except some mobile devices like a Motorola Q9 I played with the other day.
To quote one of my former coworkers, we use Comodo, like the dragon. Their prices are decent and every time I've dealt with their support they've been responsive and helpful.
There are only two: 0 and "internally certified, not yet invalidated".
So, security issues aside, I think the grandparent's assertion that the product is pretty much the same has meaning.
Now, as to whether it allows you to make ssl (tls)-enabled web pages that don't pop warnings up, that's a different matter, and a different kind of "assurance".
It didn't have to be such a racket, but it definitely looks, smells, tastes, and dances like one at this point in time.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
the one that allows you to be your own root.
Then be your own root.
It's the only solution that has any real meaning at this point, unless you merely want to "safely" clear all the warning messages that 3rd-party tools throw at you.
You must understand this to understand the meaning of TLS:
You are the party of the first part.
The party with whom you are conversing is the party of the second part, which, pretty much means your ISP, more specifically, the owner of your connection point.
Anyone else is third party, and that includes the current crops of CAs.
The current crops of CAs don't want you to believe this. Microsoft doesn't want you to believe this. There are many in the government who don't want you to believe this. Big corporations don't want you to believe this. Many schools and hospitals, churches, etc. don't want you to believe this. They want you to believe they are somehow more dependable than even the party of the first part.
You know what that makes them?
If you believe in God, God is the party of the zero-eth part.
If you don't believe in God (and often even if you claim to believe in God), the entity you place most trust in, usually the entity you subconsciously ascribe to being ultimately "in-charge" of whatever piece of the cosmos directly effects you, would be the party of the zero-eth part.
So, yeah, verisign and microsoft and others want to be your God.
I don't think that is the way it was originally intended to work, but that's pretty much the way that TLS currently works.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
Other than getting rid of annoying and mostly meaningless warning messages, CACert is the best of the options you list.
Unless you trust your community less than you trust someone whom you have never met, whose job is to grab hundreds of e-mails like the one you sent, and turn as many of them into opportunities to cash the check as possible.
The best solution is to be your own root, but that currently only works for your own organization. You could also kludge together a mutual assurance scheme with organizations that you work with a lot, but that doesn't buy you much the way certificates are currently used, and CACert has solved, fairly correctly, a number of the problems you will face if you do so.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
Compiling your own java might solve the problem of the built-in certificate providers. I'll have to look at that.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
Have you patched out the hard-wired certificate(s)?
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
The hierarchical structure is just one. It was primarily meant to be used by, erm, DNSes and the like.
Credit chains were supposed to be separate and structured differently.
Internal operations (inside your own company or department) chains and lateral operations (outside your company or department) chains get complicated, and the single hierarchy doesn't work very well. Actually, none of the structures that were originally suggested work very well. But they are supposed to be separate from the external operations chains.
(Lateral -- buying and selling are the operation you probably think of first, but, of course, there are plenty of others.)
Surfing chains were not really considered properly, which is part of the reason that even the hierarchy chains for domain names and IP numbers are not yet implemented.
Consider this -- were are trying to perform "trust" functions on the surfing chains.
Six guesses as to whom we should blame for this mess. Make sure you include a very large purveyor of OS and application software, a couple of "root" certificate providers, the market, the guys who invented PKI, and yourself in the list. (Shoot. If you want, include me for failing to invent technology for this that would work on several occasions in the past thirty years.)
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
GeoTrust announced it "signed a definitive agreement to be acquired by VeriSign" in May 2006. The acquisition was finalized around September 2006. They're still issuing QuickSSL Premium certs from Equifax.
For what it's worth, this whole article is a dupe from 2006.
My customer had a 500$ Thawte certificate at the beginning which entailed a very lengthy and complicated verification process. I still remember how annoyed he was to having to fill out all of the paperwork they required to get the cert.
We then switched to rapidssl until it got bought by Geotrust. It still required a phone verification but that was much less annoying.
When it comes around to renewing it, we'll go with GoDaddy, if only because it's cheaper.
As a side note, as with a lot of things related to godaddy, retailmenot.com has a lot of coupons to get a rebate on the list price.
One thing all you guys are missing is that the SSL cert only protects the data path over the net. In the day of switches (having replaced hubs) that's actually pretty secure. There's far more risk at the client (PC) or server (host) ends - that's where most of the data is stolen. All this is really about appearance rather than providing real security. Not saying that we shouldn't use certs, but an expensive cert is just a distraction from the potential lack of security on the server end. As a webhost and unix admin I'd much rather application developers put the effort they waste on discussing SSL into writing secure applications!!
Take a look at RSA: http://www.rsa.com/node.aspx?id=1267
Just over a year ago, I needed to transact credit cards. I use a self signed certificate authority. The credit card clearinghouse I use said "no way" during the application process. I showed them how I could apply for and receive a SSL root cert by supplying just a post office box and virtually any true or ficticous demographic info. Now, if people really want what is sold on the sites I administer, then they can complain to the browser publishers about the lousy "content blocked" notices. BTW, people still get in because they really want what is sold!
I have NO intention of supporting Verisign!
Comodo uses some of the proceeds to make very good anti-virus, anti-malware, firewall, etc. software. I have used their anti-virus software for some time and it does a better job than McAfee. It's free and less of a resource hog, especially the "on access scanning engine". Best of all, every application is separate, however ties in well with the others if you choose to install more than one. If you want everything except a software firewall on your windblows box (like most of Slashdot, right?)(because we have one running as a separate machine - right?), then you can just download the individual packages. Comodo is doing it right: Good product, good service and they use proceeds to provide free software.
I say things which affects my Karma negatively. (and I don't care) For instance; All religion is false.
Hi I am Yuvaraj, Being in Comodo Marketing Intelligence Team, I can assure you that the Best to go for would be Comodo SSL certificates. I can give the Justification of why you need to choose Comodo. 1.) Speed & Stringent Verification Process - For True Assurance 2.) Cheap at Price and High at Quality & assurance 3.) Gives You a Corner of Trust Logo for free* to make the visitors trust you 4.) Unique, patent-pending EV AUTO-Enhancer(TM) - Automatic EV Deployment and Maintenance Technology - automatically upgrades Microsoft® Internet Explorer 7.0 on Windows(TM) XP to full "Green Address Bar" functionality. Valued at $1,500, Comodo provides this technology free to all our EV SSL Certificate 5.) Industry Leading Support - you can visit http://www.instantssl.com/ and can see how our live support team functions. 6.)Comodo is the initiator of the CA/B forum (Certification Authority / Browsers Forum) visit http://www.cabforum.org/ And also you can get a free trial certificate......and then if you are satisfied ( I know for sure you will get satisfied) you can go for the paid ones. Thanks, Yuvaraj