Choosing an SSL Provider?

← Back to Stories (view on slashdot.org)

Posted by kdawson on Friday April 25, 2008 @03:08AM from the who-you-gonna-trust dept.

An anonymous reader writes "I have recently been tasked with switching our SSL certificate provider and it's proving not to be easy. We use an internal authority for our own stuff and then we buy certificates to protect outward-facing sites (a lot of them). My question for this community is: How do you choose a certificate authority to use? There is price, service (why we're leaving our last vendor), warranty, and products offered as the only differentiators I can find. Is there any public resource that would show me actual customer reviews of CAs like Verisign, GeoTrust, Comodo, Trustwave, and DigiCert? Our last vendor did a really poor job with support and I would like to make a reasonably educated decision."

36 of 183 comments (clear)

Min score:

Reason:

Sort:

RapidSSL is your friend by teknopurge · 2008-04-25 03:15 · Score: 5, Informative

They have cheap 128-bit cert that have Root in almost all browsers. The only issue we have run into is windows mobile devices.

If you're just after a basic root cert, RapidSSL(Equifax) is your best bet. If you need the stronger, blood-of-your-first-born cert, Verisign is the place to go.

Regards,

--
Website Hosting
1. Re:RapidSSL is your friend by TechyImmigrant · 2008-04-25 03:19 · Score: 3, Informative
  
  >They have cheap 128-bit cert that have Root in almost all browsers.
  
  Usually they are 1024 bit RSA with SHA-1 signing (80 bit). These are deprecated by NIST for use past 2010.
  
  MS don't support SHA-256 signatures in XP, until SP3, which explains some of the delay in rolling out stronger roots.
  
  --
  Evil people are out to get you.
2. Re:RapidSSL is your friend by mvdwege · 2008-04-25 06:41 · Score: 2, Informative
  
  Nope. RapidSSL is a brandname of Geotrust (which in turn is a brandname of Equifax). Geotrust also offers QuickSSL Premium certs, which are signed with the standard Equifax Secure CA root certificate, which, to my knowledge, is distributed with all mobile devices currently on the market.
  
  The pricing for QuickSSL Premium certs is not much different from the bigger vendors, but the service we've gotten so far from Geotrust is excellent, and their simple no-nonsense verification systems means we get to deploy certs within five minutes from submitting the CSR.
  
  Full disclosure: I work for a Geotrust reseller. We picked them because we got fed up with our previous supplier.
  Mart
  
  --
  "I know I will be modded down for this": where's the option '-1, Asking for it'?
What sort of support do you need? by TechyImmigrant · 2008-04-25 03:16 · Score: 4, Interesting

How do you support a cert? They're pretty much set once delivered.

1) You make a cert request. Pay Money.
2) They verify your identity.
3) They sign your cert request and return it as a signed cert.

It's not like you can upgrade a v3 cert to v3.1.

--
Evil people are out to get you.
1. Re:What sort of support do you need? by mackil · 2008-04-25 03:37 · Score: 5, Informative
  
  How do you support a cert? They're pretty much set once delivered. Typically that is true. However when we tried an EV-SSL chained certificate, it wouldn't recognize the trust chain and caused all sorts of problems. We tried dealing with the support people, but they were very unhelpful and would only deal with us over email. Since they appeared to be in the UK (and we in the US), it was very frustrating in dealing with them. In the end we gave up and went back to a root certificate.
2. Re:What sort of support do you need? by jea6 · 2008-04-25 08:03 · Score: 2, Insightful
  
  Not exactly. They all may provide a similar level of encryption but encryption != security. There are other factors that contribute to the "level of security" (what I'd call assurance) that different certificate vendors or sources can provide.
  
  --
  
  sarchasm: The gulf between the author of sarcastic wit and the person who doesn't get it.
Depends on priorities by morgan_greywolf · 2008-04-25 03:17 · Score: 3, Insightful

What are your priorities?

It sounds like service is pretty high up on the list. What about price?

There is everything from CACert.org, which offers free certs, but supported is limited to the community it serves, to budget providers to full-service providers like Verisign.

Do you need more than just a few certificates? Do you need someone to be available 24x7 for phone support or is e-mail support good enough? What do you need?

Like anything else in life, you decide based on what your needs are and how well that, in this case, a particular CA fits your needs.

--
My blog
1. Re:Depends on priorities by crush · 2008-04-25 04:28 · Score: 4, Informative
  
  Except that's a pretty good community and is more clueful and ethical than many of the for-money providers. The problem with CAcert is not on the support end, it's the fact that their root certificate is not distributed with current browsers. Each potential verificant would have to import their cert manually. Supposedly that's changing slowly with the Mozilla Foundation spelling out exactly what the audit process is to allow the inclusion of CAcert. We can but wait and hope. Personally I'd rather have community support for something like this.
Impression by esocid · 2008-04-25 03:18 · Score: 3, Informative

I was under the impression that SSL providers had a hold on the "market" and didn't really need to provide that good support, but that is coming from someone who has never had to deal with that side of it. Here is an aggregation of a bunch of providers though, beware it's an ugly page.

--
Absolute power corrupts absolutely. indymedia
1. Re:Impression by mendax · 2008-04-25 03:33 · Score: 2, Insightful
  
  They do indeed have a hold on the market... in that the big guys listed in the question have their certificates in the main key store files of your browse, Java runtime installations, etc. which guarantees that they are trusted and cause the least amount of hassle.
  
  I've thought for a long time that the answer to this problem is competition. What bugs me is why government hasn't gotten into the act. The purpose of an SSL certificate is to verify that the entity who owns the server you're communicating with is who they say they are. This is the role of a notary, a private individual who is commissioned by the government to verify that people are who they say they are when documents are signed. Sounds like a profit-making enterprise to me.
  
  --
  It's really quite a simple choice: Life, Death, or Los Angeles.
SSL by mackil · 2008-04-25 03:19 · Score: 3, Informative

We've used Geotrust since the beginning and have never had a problem. They are a bit more expensive than others, but we'll take the hit there for the good support.

There was one year where we wanted to try the EV-SSL. We decided to go cheap and went with Comodo. Big mistake. It didn't work, and after dealing 2 weeks with the support people there, we gave up and went back to Geotrust. They would only talk to us via email and were generally very unhelpful. I'm not saying that is what everyone experiences, I'm simply stating our own.
Rapid SSL Wildcard by Kagato · 2008-04-25 03:20 · Score: 4, Informative

Go with a Rapid SSL wildcard cert. It will take care of most external needs with a single cert. They have a self service model that works pretty well. Cost is very reasonable.
Buy a real SSL cert, with location info by Animats · 2008-04-25 03:21 · Score: 4, Insightful

Buy a real SSL cert, one with "Location" (L field) information and a real business name (not a domain name) in the "Organization" (O field). Avoid those cheap "Instant SSL" "Domain Control Only Validated" certs.
At SiteTruth, we consider the low-end certs worthless. They don't provide any information about who you're dealing with. We encourage other developers of certificate-validation software to take a similar position. You don't want to input a credit card number to a site with a "domain control only validated" certificate. "Domain control only" validated certs are enough for logging into a blog, perhaps, but not more than that.
1. Re:Buy a real SSL cert, with location info by pyite · 2008-04-25 03:25 · Score: 4, Insightful
  
  Are you also amongst the group of people that think Extended Validation certificates are anything more than something to make Verisign more money?
  
  --
  "Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman
2. Re:Buy a real SSL cert, with location info by vux984 · 2008-04-25 03:34 · Score: 5, Insightful
  
  I thought the main point of a SSL cert for most people was session encryption.
  
  And the main reason we pay for one is so we get one the browser recognizes without throwing up a prompt about unrecognized certs that might be off-putting to a customer.
  
  How many site visitors really look at the cert? Or care whether its got an company name or more. How many even KNOW there are different levels of cert? For most either the 'lock icon' is there or its not. They don't -check- the cert, or even know how?
3. Re:Buy a real SSL cert, with location info by Anonymous Coward · 2008-04-25 03:43 · Score: 5, Insightful
  
  To an end user there are three types of SSL certs:
  
  those that error,
  those which display a padlock
  and those which make the address bar go green in their crappy browser.
4. Re:Buy a real SSL cert, with location info by jroysdon · 2008-04-25 03:47 · Score: 4, Informative
  
  I found SiteTruth's search worthless. I put in my own domain and it said it was suspect, no address listed on the website. Totally bogus information. One of the first links is to the AUP page, which contains the same address WHOIS has listed. Even if I search giving the AUP link, it cannot find the address. Further, it says no usable certification info - I could see it complain that it doesn't like my CA, but there cert works just fine in any non-Microsoft browser. I find this site worthless as it fails to provide valid information. I could see it complaining that my SSL cert (free for non-commercial, personal use) is a domain-only, but it doesn't, it just says, "No valid cert." Finally, just because something doesn't have a valid business behind it (as in a personal website/email hosting), doesn't mean it is invalid or worthless. Don't give me your money - I'm not asking for it.
5. Re:Buy a real SSL cert, with location info by caluml · 2008-04-25 03:48 · Score: 2, Insightful
  
  I thought the main point of a SSL cert for most people was session encryption. Don't forget about identifying the server at the other end. No point having ultra-mega-good encryption if it's with a MiTM.
  
  --
  Get your own free personal location tracker
6. Re:Buy a real SSL cert, with location info by CalvinTheBold · 2008-04-25 03:49 · Score: 4, Insightful
  
  I think you may be a little mixed up.
  
  The point of the encryption is transport layer security and privacy. The point of the certificate is TRUST. Having an encrypted session makes no difference if you are communicating with an impostor.
  
  The prompt about unrecognized certs certainly SHOULD off-put the customer; it's likely to be that customer's only warning that the party on the other end of the connection isn't who it claims to be.
  
  --
  Try using a zero-knowledge proof to show you don't know anything!
7. Re:Buy a real SSL cert, with location info by vux984 · 2008-04-25 04:09 · Score: 4, Insightful
  
  I think you may be a little mixed up.
  
  No. Think soley in terms of the average web user.
  
  The point of the encryption is transport layer security and privacy.
  
  Right. And that's what the average user is interested in when they see 'secure login', the lock icon, or the https prefix. I don't think most users even know that https is guaranteeing WHO they are talking to at all.
  
  The point of the certificate is TRUST. Having an encrypted session makes no difference if you are communicating with an impostor.
  
  That's true. But beside the point. From an engineering perspective, yes, the reason for the cert is trust, and the signing chain to root CA's etc establish a chain of trust.
  
  But in practical terms, the average user doesn't have the foggiest idea what this all means.
  
  So as a website developer looking to satisfy customers demands, I might want to provide seamless encryption which the customer understands and wants; so I need an SSL cert because the browsers don't support seamless encryption without one. And the customer gets what they demand.
  
  They also get some 'trust', but its a side effect of the good engineering that went into the system. The customer doesn't actually -check- the cert and verify who they are talking to. And if someone sent them a fishing email pointing at 'bankotamerica.com' instead of 'bankofamerica.com' as long as bankotamerica.com has at least a domain only cert that their browser accepts, and their lock icon comes on, they'd be satisified.
8. Re:Buy a real SSL cert, with location info by firewrought · 2008-04-25 05:10 · Score: 2, Informative
  
  At SiteTruth, we consider the low-end certs worthless.
  But the self-signed cert you have for your own domain is laudable? Sheesh... it's even expired, not that you'd know since your "site verification site" doesn't even take the most basic precaution of defaulting to https.
  
  --
  -1, Too Many Layers Of Abstraction
9. Re:Buy a real SSL cert, with location info by TechyImmigrant · 2008-04-25 06:17 · Score: 2, Insightful
  
  I certainly do - my first SSL cert from Thawte cost a fraction of the $900 an EV SSL certificate costs from them, and required utility bills, bank statements etc to verify my identity.
  
  Identity can, and has, been validated in the same fashion as EV-SSL certificates for a fraction of the price in the past. If they wanted to establish identity they could, and for less than an EV-SSL cert costs at present. In other areas of business, certificates of higher cryptographic strength go for less than $0.04 a cert in bulk. The processing time for a signing system using a modern processor and a HSM is less than 1 second. To maintain the old prices is daylight robbery.
  
  --
  Evil people are out to get you.
It depends on your needs but by gerry_br · 2008-04-25 03:21 · Score: 2, Informative

I have had success with both OpenSRS and GoDaddy for SSL certs. OpenSRS will allow you to easily supply the needs of your customers. Never had a problem with using either. Also, what type of support do you need? My experience is you install them and they work, then you renew them/reinstall as needed. just mu $0.02
Simply use a lock favicon for your website by Anonymous Coward · 2008-04-25 03:22 · Score: 4, Funny

Look at the "/." just before the http in your location bar. Just turn it into a lock icon for your website.
Digicert all the way by cryogenix · 2008-04-25 03:23 · Score: 3, Informative

If you want good support, go with Digicert. Absolutely phenomenal support. You don't go through hold queues to get to some person god knows where. Usually the person who picks up the phone is the one that helps you and they know what they are talking about. I've been extremely happy with them.
Re:Support? by TechyImmigrant · 2008-04-25 03:23 · Score: 2, Insightful

... Revocation - I'm not sure enough customers will have had to deal with that to get enough feedback to make a judgement. I run a small CA for a particular technology. My advice to the manufacturers obtaining certs is "Don't compromise your keys!". Revocation is painful.

--
Evil people are out to get you.
SSL Shopper by CSMatt · 2008-04-25 03:37 · Score: 4, Informative

SSL Shopper has a great list of SSL certificate providers and reviews, as well as the ability to compare different providers side by side using their SSL wizard.
It's a wash by cusco · 2008-04-25 03:38 · Score: 2, Insightful

The company I work at goes with Verisign, but that's only because Verisign is one of our customers. Unless your customers are financial houses or some equally paranoid group no one is going to give a rip where the certificate comes from as long as their browser automagically recognizes it. I've only met one person in my decade in IT who checks web site certificate validity (she works at a major investment firm) on a regular basis, and that's only because her job requires that she do so before transferring X-many millions of dollars.

--
"Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
Thawte by NekoXP · 2008-04-25 03:42 · Score: 3, Informative

You can't go wrong with Thawte..
depends on devices... by bentley79 · 2008-04-25 03:52 · Score: 5, Informative

With more users accessing the web from mobile devices, certificate choice matters even more now. Motorola phones, for example, only have a verisign cert on them, so users will get annoying "untrusted site" warnings for sites with Equifax certs. Also, J2ME applications on these phones cannot connect to sites with non-verisign certs. This becomes a bigger problem for mashup java apps that try to access secure apis on multiple services. You end up greatly restricting how your service can be used if you go for a cheap, easy Equifax certificate.
1. Re:depends on devices... by Ucklak · 2008-04-25 04:40 · Score: 4, Insightful
  
  Now ain't that a racket.
  Still secure but because Verisign obviously has a hand in the mobile distribution market, no one else is 'secure'.
  I see is as the losers are the Motorola users tied to Verisign only certs.
  
  --
  if you steal from one source, that is plagiarism, if you steal from many, well, that's just research.
Godaddy. And, SSL use will increase. by sherriw · 2008-04-25 03:55 · Score: 2, Informative

I used GoDaddy for the one standard cert I ever had to order and had no problems at all. My one complaint is that when I ordered it, their pricing was $19.99, it has now gone up to $29.99.

The cert auto renewed and I wasn't expecting that, but a ticket to their support center and I got it canceled and refunded. So pretty good service I think.

But watch out. The more that ISPs start filtering content, and the more that governments increase monitoring and censoring data on the web... you're going to see rising demand for SSL certs and rising instances of the, pay more money for a green url bar nonsense.

The SSL providers are trying to sell you on the idea that it's the cert that makes the site trustworthy. Meanwhile, all you really need the cert for is the encryption.

IE7 has succeeded in making shared certs utterly useless. Too bad for the little guy who was using the shared cert provided free from his hosting company, because you can no longer use it without an enormous frightening message from the browser.

Look for more of this to come.
SSL Monopolies, SubCAs, PKI use, and supply/demand by CarpetShark · 2008-04-25 03:55 · Score: 2, Interesting

I could be wrong about this, but I think the problem is that PKI was intended to be much more hierarchical, like DNS.

In other words, I think the idea was probably that ISPs or other organisations would purchase bigISP.com certs, that allowed them to be certificate authorities too.

Then, an ISP's customers could go to THEM for certs. The customer's site cert would be signed by their CA; the ISP, and the ISP's in turn would be signed by the big names.

I think that does work. If so, then the problem is almost certainly that ISPs and such just don't buy those big certs, because so few people use SSL on their sites.

BUT... note that CA certs could be used much more widely than they are -- for email signing/encryption, server/client authentication in WANs, etc.
Re:SSL Monopolies, SubCAs, PKI use, and supply/dem by greed · 2008-04-25 04:07 · Score: 5, Insightful

What you describe does work, though it gets annoying.
Basically, when your server negotiates SSL with the browser, it has to provide all the certificates in the trust chain that the browser doesn't have. So, bigISP.com has a certificate signing certificate from VeriSign, and signs a Web certificate for your company. Any time an SSL request comes in, your server has to present it's public certificate and the public certificate of bigISP.com's signing certificate. The browser already has VeriSign's public certificate signing certificate.
So, it's kind of like DNS resolution, where you have to "know" the root server, and then can build a chain down to get the actual name server to ask. But, in this case, you need a trust chain of signed certificates. With one or two layers, it's not _that_ big a deal...
The real downside is maintenance. Each layer has its own expiry, and you have to re-establish the chain whenever a certificate in it expires. That means new private certs and updating the public certs that are sent with the SSL transaction.
If, instead, your certificate is signed by a certificate for which there is a public key pre-loaded into the browser, you only have 1 certificate to update when it expires or when the signing certificate expires.
I use a self-signed certificate signing certificate for my home systems and for my department's SSL servers at work. But there's a very limited number of people who are supposed to access those servers, so they can be given the public signing certificate by hand. And even then, I wind up on vacation and unable to get to my IMAPS server because I forgot the signing certificate is going to expire on me....
So, keeping the chain short is actually worth-while, just from a maintenance perspective.
Godaddy by StealthyRoid · 2008-04-25 04:17 · Score: 3, Funny

I've had reasonably good experiences with Godaddy, and as far as I know, they're one of the cheapest around. SSL cert signing is mostly just snake oil anyway. It's not like the company signing your cert for you has any impact on the actual security of your site, and I can't imagine that many customers look at the cert signer and go "RapidSSL? No way! Fuck those guys! I'm gonna go spend my money at some other dildo store". So, your best bet is to go with the cheapest one around that's likely to be in all the major browsers' trusted CA list.
Re:May I ask ... by Anonymous Coward · 2008-04-25 05:45 · Score: 3, Informative

The vendor was Verisign. And after reading some of these posts I think some clarity may help everyone. We have about 600 ssl certificates in geographically distributed data centers, with another 25,000 other types of internal certificates. You would not just go to CACert or RapidSSL for this. We need an API and Control Panel, Audit privileges, management tools etc.