Hacker News new | past | comments | ask | show | jobs | submit login

You are absolutely paying a premium based on the market persuasion tactics Verisign and Thawte have employed against the world. It's true that there's no good reason to trust Verisign more than Mozilla, Microsoft, and OpenSSL --- if Mozilla fucks up, you're just as screwed as if Verisign does.

The business model behind certificates may very well be a huge scam. Unfortunately, the technical model behind having a small number of trusted certificates shipped with your browser is not. Until that link breaks, you don't get security without paying Verisign.




It's amazing how many people still think Verisign are the only CA out there. There are a lot now, and if you hunt about, you needn't pay more than $10-$20 for a cert that's trusted in most browsers (granted, they are domain-only validated, but that's a whole different issue that needs to be fixed, I won't bring it up here...)

The reason you 'trust' Verisign/Thawte/Comodo/Geotrust/GoDaddy is because their roots are in the OSs & browsers. You can't get in those root stores without a hell of a lot of hoop-jumping. I know this. The money you pay for a cert does go to covering the costs of the background checks you have to pass through before you get the certificate.

Trust has to start somewhere - why not with large companies who have undergone rigorous procedures that also have been vetted by the companies you're implicitly trusting by installing their software?


If someone on this board wanted to argue that GoDaddy and GeoTrust haven't really seen "vetting" that makes or breaks their security, as a practitioner in this industry, I don't feel I could win that argument.

What you and I are really saying is that a company like Thawte has staked their business on those pubkeys, so that we at least know that if they screw up, they stand a good chance of losing the company.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: