Ask HN: What's the best company to buy an SSL certificate from?
95 points by petecooper on Sept 20, 2014 | 86 comments
I am embarking on an upcoming Magento e-commerce project, target demographic is security-aware business customers. The extended validation (green bar) SSL is -- in my view -- required for the website.

There was an Ask HN thread [1] from nearly three years ago that asked the same question, and a variety of answers were provided. On the one hand, there's the "don't spend more than x" on a certificate, and there's the flip side of "get a green bar, it's worth it".

The specifics:

- site is running atop Magento 1.9 on LAMP, payments processed offsite by Braintree (i.e., no credit card details stored on the website)
- initially 1x IP address, hosted from a UK data centre
- static components may be served from a non-www subdomain (i.e., static.example.com) in future, which may be the same or different IP address

My questions:

1. Who's worth shortlisting in 2014?

2. If you consider yourself a security-aware shopper, would you be dissuaded from purchasing from a site with standard (`non-green`, if you will) SSL?

Thank you in advance.

[1] https://news.ycombinator.com/item?id=3556796




The problem with EV (green bar) certs is the browser usually ends up checking the certificate status via CRL or OCSP (URI is specified in the cert), which can add an additional .5 to 10+ seconds before the page is displayed. More so when the CA servers are down or the connection times out.

So if you do go for an EV cert, go for the one that has the best listed uptime on its CRL or OCSP servers.

Having said that, I would never spend more than $10 on a cert, and just use the most standard/common "bundled" CA cert. No one will ever know. It will have faster page loads. And those fake stories that EV certs increase conversions are exactly that, fake, and misleading. No one with real-world experience has ever claimed to see a positive difference with EV certs.

The only problem with cheaper certs is you have to bundle the intermediary CA certs...

http://www.devside.net/wamp-server/installing-comodo-positiv...


I accidentally let our EV cert expire a few years ago and ordered $10 domain verified Comodo Cert to tide us over. Hilariously we saw absolutely 0 change in order metrics. I didn't renew the EV cert. EV certs are a neat idea but the average consumer doesn't understand/know about them.


You get OCSP checking for non-EV certificates too in many browsers. However, you can remove any additional delay by using OCSP stapling.


Such bad advice given the inquiry. Obviously a lot of OP's customers are going to want the "best" certs (whatever that means). Or they're going to want "their name in green".

It's important to answer in the context of the question.


"So if you do go for an EV cert, go for the one that has the best listed uptime on its CRL or OCSP servers."

http://uptime.netcraft.com/perf/reports/performance/OCSP

How is the above bad advice, and not answering the context of the question? What other possible qualification is there for "best" EV certs? They are all "green bar". There is little else to them except price differences.

His customers are going to want a responsive page load time, none of them are going to pull the certificate to make sure he went with a DigiCert EV instead of a GeoTrust EV.


I was responding mainly to: "I would never spend more than $10 on a cert" and "No one will ever know" and "can add an additional .5 to 10+ seconds" and "EV stories are fake" and "no one with real world experience has ever had positive experience".

Having worked with thousands of businesses in ecommerce I can guarantee you that a large percentage will want their name to appear "like PayPal and Citibank".


Pick one that can deliver the full certificate chain without using SHA-1.

The faster the web moves away from SHA-1 the better, and rewarding companies that are already abstaining from SHA-1 contributes to our collective security, in the case of HTTPS.

You should also do it for purely selfish reasons. Chrome is sunsetting SHA-1 for use in certificate signatures, and Chrome will eventually show SHA-1 certificates as insecure. See the link below.

http://googleonlinesecurity.blogspot.se/2014/09/gradually-su...


You should also do it for purely selfish reasons. Chrome is sunsetting SHA-1 for use in certificate signatures, and Chrome will eventually show SHA-1 certificates as insecure.

Referring specifically to this point, and not to your wider point about moving away from SHA-1, "because one browser maker said so" is rarely a good reason to do anything.

Google has an irritating habit of deciding it knows best for the entire world, but often it gets that call wrong and winds up degrading the experience for people who aren't in its chosen group of blessed users. The Firefox team are similarly arrogant at times.

However, in the real world, large organisations also use browsers to access intranet sites, and their requirements -- particularly with regards to security -- may be different to users surfing the public Web. Developers do need to do things with sites that aren't fully configured yet or are in transition from one system to another even if those things might not be a good idea when surfing the public Web. And so on.

So, I urge you to support good practices by making solid technical arguments for them. For example, in this case you could explain or link to information about why the SHA-1 issue matters for those who don't know. Please don't promote browser makers as authoritative sources of best practices instead, because often they aren't.


Correction: two browser vendors who between them have more than half of the browser share. And the solid technical argument is that SHA-1 is no longer considered secure.


They don't have a majority on any site I run, but even if they did, that wouldn't be the point. Decisions about technical matters -- and particularly about security policies -- should be made on the basis of evidence, not appeals to authority.

For example, instead of saying "it's a good idea to do this because Google will show scary messages", it would be more helpful to link to a site with a test tool and explanatory information about the underlying issue, such as this one:

https://shaaaaaaaaaaaaa.com/


I find appeals to authority OK, given that if 50% of market share wouldn't be on board, nobody would consider adopting it.


Anyone serious about security would, and they'd be doing it now, not in a few months just because Google decided to show some different pixels on a screen from that date.


More information about the support for SHA-2 certificates from various purchase avenues at: https://shaaaaaaaaaaaaa.com/#sha2-certificate


To the point of EV certs, if you haven't checked in a while the browser vendors have _really_ started to de-emphasize non EV (standard certs).

Here's a visual comparison I put together:

https://www.expeditedssl.com/pages/visual-security-browser-s...

How you feel about this probably centers around whether you view SSL more as a cryptographic means of securing a connection (stopping traffic snooping) or if you view the SSL+Browser iconography as a means of site identification (stopping phishing attacks).


Thanks for sharing this. It's really interesting to see exactly how each browser handles both standard and EV certificates.


I came to this discussion to dismiss the technical relevance of EV certificates, but frankly, it never occurred to me that iconography could mitigate a phishing attack. That's interesting.


My startup is actually centered around this. If anyone wants to purchase a certificate through me, I'll happily give you the lowest rates I can. ($25 EV or $40 wildcard)

Our homepage is https://certly.io, shoot me an email at ian@certly.io


I am an early adopter, but the blank home page and blank blog are a little too early for my tastes.


We haven't launched yet, and won't be for a while. I'll probably write a post or two about the development soon.


Can you at least create a "Coming soon" page with a signup form?


Yeah, I'm redoing the homepage now but CloudFront takes a while to clear the cache.


How does that look?


What does your startup do?

How are you able to offer EV certificates so cheaply? I thought they were typically ~$1000.


Haha, you must be thinking of Symantec (we have an account with them and they don't give us good rates).

They retail at $300 typically but resellers pay dirt for them.

Our goal is to improve the way you buy your SSL/code signing/SMIME certificates. We have agreements with every large authority to give the buyer the best price for each product. We hope to take on VC funding to build our own root authority.


Want to expand your business exponentially? Build a WHMCS plugin/API module that lets webhosts do a 1-click cert gen/purchase. I'd be /really/ happy to work with you on this.


These modules actually already exist, I just think the companies offering them are bad at advertising.

I'm open to working with others, shoot me an email @ ian@certly.io


I might be interested - is your root cert in all common browsers/OSs?


We don't have a root certificate (yet), but our partners are.


I could be interested. What is the cost of an SSL certificate?


Shoot me an email with more info.


What kind of info do you need?


Your home page is a "coming soon" page...


We haven't launched yet, sorry if it was misleading but I can no longer edit it.


1. DigiCert. They're not the cheapest, but they really have their stuff together. Their support is awesome (speedy, technically competent, and human). They're also proactive about identifying issues with your certs, they handled the heartbleed incident perfectly - reissued for free with no issues.

2. No


DigiCert also has a nice "enterprise" offering where you can confirm your domain with them once then have role accounts that can approve and issue certificates without them needing to re-do verification. Others within your company can then make their own sub-accounts and request certificates.

I've dealt with their support people a few times as well, and agree that they are fantastic.


This also exists with COMODO, Symantec and IIRC GeoTrust and Thawte.


Wow, one needs a super premium $595 "Wildcard Plus™" plan to secure an entire domain. Is this normal or a blatant ripoff?


It's a rip-off but plenty of people think it is normal so I'm not sure what to answer your question with.

I think the whole certificate business is a rip-off, the only thing that 'green bar/lock icon/whatever' says is that someone at some point in time was able to pay some low dollar amount, but not who, what amount and if they're trustworthy in any way.


It's a ripoff, but sadly also the industry standard.


Honestly? If you have the cash, DigiCert will probably be worth every penny.

One great feature is the unlimited SAN feature with the wildcards. You can secure multiple levels for free, amazing support, fast validation, etc.

They are on the high end with Symantec though, price wise.

Disclaimer: DigiCert affiliate


+1 for Digicert. They'll also reissue certs with new SANs if needed.


https://www.startssl.com

2 Years wildcard for $59.90


StartSSL has some detractors but I've used them for certain projects for quite a while, including for S/MIME email certificates (with full knowledge of the security implications compared to PGP, of course).

I'll give them some credit though for successfully using client certificates for login purposes. Sure it has some obvious drawbacks (if they only issue you one login keypair, losing it locks you out of your account) and some real benefits. It's interesting to say the least, and impressive to see working too.

I'd like to see that sort of login method offered at least as an option on more websites, even consumer stuff like Gmail and Facebook, but especially other SSL providers, seems like a natural fit.

As a login method it works automatically without any user interruption, every browser seems to support it, even my iPhone, and the enrollment process for securely generating a new key on the users machine and installing their certificate in the browser for them can clearly be 100% automated by the website itself (that's what StartSSL does), so that removes almost all the pain points for even non-technical users.

Oh and it makes automatic website login via smartcards possible too, should you choose to develop an obsession with them like I have :)

/tangent


They charge for reissuing certs though. https://news.ycombinator.com/item?id=7557764


StartSSL also requires you to send a copy of your passport out of country (to Israel). Fine; they need to verify identity.

They retain the records for seven years though. Why preserve the documents at all after validation is complete for non-EV certs? Seems like it creates an unreasonable liability given that data breaches happen. They will also not say how the records are secured. When I inquired, they simply said "We obviously can't provide any technical details about our security measures, but the documents are secure." While I can understand the need to maintain operational security, disclosing whether documents are stored encrypted or not should not violate this security.

The lack of openness, combined with the charge for cert re-issuance made me look elsewhere. When the heartbleed vulnerability hit and I had to regenerate certs, I was very happy to have chosen a different CA.


That's not a good reason to skip over them. Unless you expect multiple Heartbleed-severity bugs to be exposed in two years you are still way ahead. Just don't lose your private key.


You actually only need a single one to make it cheaper to go elsewhere; they charged $25/revocation, which brings the price up to $85, which no longer makes them the most cost effective.

Heck for $99 you can buy a Comodo "EssentialSSL" wildcard, which grants you unlimited re-issue (plus you don't have to deal with StartSSL's terrible UI):

https://comodosslstore.com/essentialssl-wildcard.aspx


StartSSL's UI is awful.

If you need a cheap wildcard cert you can get a two year wildcard AlphaSSL cert from garrisonhost for $79 without the pain of dealing with StartSSL.

http://www.garrisonhost.com/ssl-certificates/alphassl.html


I honestly don't think it matters much where you buy your certificates. In the end it's the same product, plus or minus some services you may or may not care about.

Should your certificate provider do something stupid you can switch to a new provider in 30 minutes, assuming you don't pick EV.

The EV certificates look good, but that's about it. They do come with at least two disadvantages:

1. If your company name is different from the domain name it's going to look weird. We dropped having an EV because we're not interested in having the name of our parent/holding company in the address bar.

2. If you later switch back to a regular SSL certificate it's going to look suspicious to your regular customers.

That being said, we use Trustzone (http://www.trustzone.com). They provide GlobalSign SSL certificates at a reasonable price. I like that they email us, or call if we don't react, a few months before our certificates expire. We also have our own account manager who helps with new certificates and renewals. It's extremely nice just to be able to call someone.


Check out my startup, SSLMate: https://sslmate.com. What sets SSLMate apart is that we're working on making SSL certificate management extremely easy on Linux servers. You buy certs from the command line in a single step that takes a minute or less and automates important details like bundling the chain certificate. You can set up a cron job for automatic renewals. Even well-run sites have been known to forget or botch cert renewals, and we want to put an end to that by automating everything. Many features are in the pipeline and will be announced in the coming weeks.

Regarding EV certs, they're not worth the extra money and inconvenience. They provide no additional security, and the assurance they provide visitors is highly questionable (e.g. see shiftpgdn's comment about how switching to a non-EV cert resulted in absolutely no change in order metrics: https://news.ycombinator.com/item?id=8344666).
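Two operational points recur in this thread: SHA-1 signatures in the chain a CA delivers (the earlier comment about picking a CA that ships a SHA-2 chain, and the SHA-2 reminder further down) and forgotten or botched renewals, which this comment calls out. Both can be checked offline against the PEM bundle a CA hands you. The script below is an added example, not code from the thread, from SSLMate, or from any CA. It uses only the Python standard library, walks just enough DER to reach each certificate's signatureAlgorithm and notAfter fields, and runs against a constructed two-certificate bundle (hypothetical, unsigned throwaway certificates built inline, with a fixed "now" of the thread's date) rather than real CA output.

```python
"""Offline audit of a PEM bundle (leaf + intermediates + root): report each cert's
signature algorithm, flagging SHA-1/MD5, and the days left until expiry.
Standard library only; a minimal DER walker stands in for the cryptography package."""
import base64
import re
from datetime import datetime, timezone

# signatureAlgorithm OIDs (RFC 3279, RFC 4055, RFC 5758) -> (name, weak?)
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", False),
}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def read_tlv(data, pos):
    """Decode one DER tag-length-value at pos; return (tag, body, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def children(body):
    """Yield (tag, body) for each element inside a SEQUENCE body."""
    pos = 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        yield tag, val

def decode_oid(body):
    """OBJECT IDENTIFIER contents -> dotted decimal (first two arcs share byte 0)."""
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:                         # base-128, high bit set on all but the last byte
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_time(tag, body):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(body.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def inspect_der(der):
    """Pull signatureAlgorithm and notAfter out of one DER Certificate (RFC 5280 s4.1)."""
    _, cert, _ = read_tlv(der, 0)              # Certificate ::= SEQUENCE { tbs, sigAlg, sigValue }
    (_, tbs), (_, sig_alg), _ = children(cert)
    _, oid_body = next(children(sig_alg))      # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    fields = list(children(tbs))
    if fields[0][0] == 0xA0:                   # drop the EXPLICIT [0] version field when present
        fields = fields[1:]
    _, validity = fields[3]                    # serial, signature, issuer, validity, subject, ...
    (_, _), (na_tag, na_body) = children(validity)
    oid = decode_oid(oid_body)
    name, weak = SIG_ALGS.get(oid, (oid, False))   # unknown OID: show dotted form, don't guess
    return {"sig_alg": name, "weak_sig": weak, "not_after": parse_time(na_tag, na_body)}

def audit_bundle(pem_text, now=None, warn_days=30):
    """Audit every certificate in bundle order. Browsers never verify a self-signed
    root's own signature (roots are trusted by identity), so weak_sig on a trailing
    root is cosmetic; on the leaf or an intermediate it is what SHA-1 sunsets warn on."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for m in PEM_RE.finditer(pem_text):
        info = inspect_der(base64.b64decode("".join(m.group(1).split())))
        info["days_left"] = (info["not_after"] - now).days
        info["expiring_soon"] = info["days_left"] < warn_days
        findings.append(info)
    return findings

# --- constructed sample input: hypothetical, unsigned throwaway certificates ----------
def _tlv(tag, body):
    """Minimal DER encoder, used only to build the sample bundle below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _fake_cert(sig_oid, not_after):
    alg = _tlv(0x30, _tlv(0x06, sig_oid) + _tlv(0x05, b""))
    validity = _tlv(0x30, _tlv(0x17, b"140101000000Z") + _tlv(0x17, not_after))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg
               + _tlv(0x30, b"") + validity + _tlv(0x30, b"") + _tlv(0x30, b""))
    cert = _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 9))   # signatureValue: dummy BIT STRING
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode()
            + "-----END CERTIFICATE-----\n")

SHA256_RSA = bytes.fromhex("2a864886f70d01010b")            # 1.2.840.113549.1.1.11
SHA1_RSA = bytes.fromhex("2a864886f70d010105")              # 1.2.840.113549.1.1.5
FIXED_NOW = datetime(2014, 9, 20, tzinfo=timezone.utc)      # thread date, for stable output
SAMPLE_BUNDLE = (_fake_cert(SHA256_RSA, b"141010000000Z")   # leaf: SHA-256, expires in 20 days
                 + _fake_cert(SHA1_RSA, b"200101000000Z"))  # intermediate: still SHA-1 signed

if __name__ == "__main__":
    for i, f in enumerate(audit_bundle(SAMPLE_BUNDLE, now=FIXED_NOW)):
        flags = (["WEAK SIGNATURE"] if f["weak_sig"] else []) + \
                ([f"EXPIRES IN {f['days_left']} DAYS"] if f["expiring_soon"] else [])
        print(f"cert #{i}: {f['sig_alg']}, notAfter {f['not_after']:%Y-%m-%d}", *flags)
```

Pointed at a real bundle (`audit_bundle(open("chain.pem").read())`), it prints one line per certificate. A `weak_sig` on the leaf or an intermediate is the case the SHA-1 sunset will eventually mark insecure, and is the question to put to a CA before buying; a SHA-1 self-signed root at the end of the bundle is harmless for the reason given in the docstring. `expiring_soon`, with `warn_days` set to your renewal lead time, is the part a cron job can run so a renewal is never a surprise.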


I didn't find pricing information about your certs. I even tried to register to find these prices, but you asked me for my credit card. Sorry.


It's on the home page:

Standard: $15.95/year

Wildcard: $149.95/year

But thanks for the feedback; I'll make this more prominent.


Just to address point 2. No. Those who say yes probably do not understand what EV certs actually do.

You get the exact same level of security from EV and non-EV certs. The whole "extended validation" criteria is pretty handwavy and varies from CA to CA. Paying more for that warm, fuzzy feeling isn't worth it.


Who are you to say that, for him, giving his customers a "warm fuzzy feeling" isn't worth paying a few hundred dollars? It could easily increase revenue far more than that.


Don't EV certs create a net increase in security risk (if any web users understood what they were supposed to mean)? I'm not expert in these issues, but I've always doubted their security value:

EV certs are supposed to communicate certainty[1] to typical web users about identity, confidentiality, and integrity. But, if I understand correctly, obtaining EV certs in someone else's name (or something close enough to fool web users) is possible without great cost, and so that message of high security is misleading. If EV certs were believed by end users, wouldn't we merely be creating a social engineering security hole? Competent thieves also would use EV certs and increase trust in their websites too.

Thankfully, I've never met an end user without technical knowledge who understood what an EV cert was. I do know what they are and I don't trust them more than regular certs (which is not much for identity, but I do as protection against low-cost confidentiality and integrity attacks).

[1] Re: "certainty": I know EV certs are supposed to be more secure and not perfectly secure, and that there is no perfect or 'certain' security. However, few end users understand the latter, and of the ones that do few would take the time to learn the degree of increased security EV provides. We shouldn't say, 'trust the green bar' unless we expect people to do it.


You could consider EV certs as an economic attack by the Certificate Authorities and Browser vendors against phishing operations.

As a baseline, it is fairly difficult now to receive a certificate for any well known company, charity or government entity. For example, even a standard non EV request for something like 'C1tybank.com' would be flagged for manual review and rejected.

EV cert requests just up the amount, types and means of communication that must be done which (hopefully) raises costs more for phishers attempting to setup hundreds of scam sites than legit purchasers.


Could you explain more about obtaining it under someone else's name? There are many checks in place to prevent this.


> Could you explain more about obtaining it under someone else's name? There are many checks in place to prevent this.

Here's what I know, which is not conclusive but possibly persuasive, and as I say below, I've never seen someone call the checks effective: 1) In my experience obtaining regular certs, the identity verification looked ineffective (though I wasn't trying to fool anyone). 2) Regarding both EV and regular certs, I've read several times about ineffectiveness of the verification, and I've never seen someone say otherwise. 3) Finally, effective verification is hard and manually intensive; it's hard to believe it's economical or practical for the large volume of certs issued.


Organizationally validated certificates do not require a lot of paperwork or manual validation. The effectiveness of the verification is still a topic for discussion. However the last point is dubious at best, as CAs make >$30-40 per certificate and validation takes max 30 minutes spread out over a day or two (typically).

I will say there are very few maliciously issued EV certificates.


Thanks for responding. I get the sense that you have some expertise in this field? As I said above, I don't, so if you do please forgive any ignorance on my part:

> CAs make >$30-40 per certificate and validation takes max 30 minutes spread out over a day or two (typically).

$30-40 isn't much, and 30 minutes doesn't seem nearly sufficient to reliably verify someone's identity.

> I will say there are very few maliciously issued EV certificates.

How do we know? And is there a lower fraud rate for EV certs than for standard certs? (Probably there is little fraud in any set of business transactions -- otherwise nobody would participate -- but I don't think that's what you mean.)


Sorry for the late reply:

> 30 minutes doesn't seem nearly sufficient to reliably verify someone's identity.

It's actually not that long of a process once you read over the CPS's of a few CAs and the EV baseline.

> How do we know?

Ah, the golden question! Hopefully CT (certificate transparency) will sort this out within the next 3 years. My statement is an assumption, but any high-level fraud (e.g. Google/MSFT) is caught immediately (Chrome pinning/reporting and internal CA logs, if you're not DigiNotar). I don't know about small companies though.

I don't think there's ever been a maliciously issued EV cert in the context of the ComodoHacker and other very public hacks. They typically have tighter internal controls, that I know (e.g. RAs have very limited EV issuance power) but I have no numbers. :(

You should note that EV implies DV validation, so, to maliciously issue a certificate without hacking, an attacker would probably settle for a DV cert.


startssl.com gives out free certs to individuals. This is great for personal projects, blogs, etc. Otherwise I use Namecheap and their $9 certs. I have not found a great wildcard cert provider yet (why all certs are not wildcard by default is beyond me).


1. I use Namecheap, generally their resold Comodo offerings. No complaints.

2. No. An EV cert is nice little warm fuzzies, but the absence of it doesn't really tell me anything useful that would dissuade me from making a purchase.


And cue the SSL resellers and affiliates!

3. 2. 1. Go!


Hard to beat http://gogetssl.com price wise. I'd get a Comodo Positive SSL Wildcard so you can use it for the main site and the static sub-domain. That way one cheap cert covers everything and it's SHA-2.


1. In terms of pricing, https://www.gogetssl.com seems good. I haven't used it personally, but $27.85 for an EV in the first year seems quite nice. Namecheap is good, too, but a bit more expensive.

2. Yes


Where do you see an option for an EV at $27.85 on that site? I'm seeing prices that start at $110 a year for 2 years. https://www.gogetssl.com/extended-validation/



I recently purchased an EV cert for one of my clients in the Netherlands from https://www.cheapsslshop.com

They are good on price and service; you may give them a try.


I used https://www.ssl2buy.com/ in the past few months and it worked well.


+1 for ssl2buy. Bought a wildcard cert[1] from them for a special price.

[1] https://www.ssl2buy.com/ssl-discount-offers


I've been happy with cheapsslsecurity.com, they are resellers but they offer huge discounts compared to the actual issuers.


Thank you, everyone - this thread has been enormously helpful to me. I am grateful for your time, attention and input.


Make sure you get a SHA-2 certificate, as Google is deprecating SHA-1 certificates over the next months.


SSL certs are an untrusty ransom based on the tyranny of bad UI.

FF, Chrome and IE are totally OK with login/pass passing in the clear over HTTP, which is wrong. But when you don't have a certificate signed by one of the root certificates in your wallet, it screams to death. (Which, in the hierarchy of risk, is totally WTF.)

Your wallet contains organizations that should have been shut down according to the rules of SSL: we normally cannot trust any authority that even once, or for good reasons, emitted a joker certificate to perform a MITM (or helped people do so). https://news.ycombinator.com/item?id=2138565

In your web browser's default certificate list you find Microsoft. In 2007, they put into IE, for the Ben Ali government, a special certificate to be able to MITM the Tunisian opposition. (Of course those using FF would see a warning.)

MS did not emit the certificate, but for someone who can issue SSL certificates, it's clearly not right to provide, in its web browser, an SSL joker root certificate used for MITM (without the nice little icon you care about turning red).

MS is still in my list of trusted SSL certificates. How can you trust them? If they could betray once for a little money (Tunisia had less money as a state than MS, Google, whatever country) they have an incentive to do it again.

Knowing MS has gone through the death penalty, other SSL issuers can now have an incentive to do the same.

Central SSL certificates are NOT to be trusted anymore. We have proven that a company in our "trusted" wallets once betrayed us without consequence. So betraying is OK.

My recommendations:

- Either DANE (but that is a combinat) or the new technology Google is secretly working on (maybe Mozilla too),
- set a cookie on the HTTP landing page: ssl_cert_on=bool,
- if not present, redirect to http://www/my_cert,
- give a link to your self-signed certificate on your domain so that your users add it to their wallet securely (must be a JS or a MIME extension, set so that IE/FF/Google open at the "add this certificate to your wallet" page),
- correct the world and the FF/Chrome/IE mess by providing a way for the user to read the mess of the X.509 certificate (for which domain this cert is valid, the fingerprint),
- correct the world another time by explaining to your customers that it is normal they should not trust this special web page or this certificate, and give them links (knowledge and tools) to check your allegation,
- provide another secured way to access your cert fingerprint (a DNSSEC TXT record for instance, snail mail, flying carrier, PGP mail...),
- and make a rant on how much security UI/UX sucks and is so poorly thought out that it is the major security hole nowadays, and how all the security gurus giving us advice on how to write "secure" code should be regarded as cons who should be imprisoned.

Then, now that you have corrected the whole "what went wrong with central authority" mess, you can very easily make your free self-signed certs secure certificates and sleep on both ears, because your customers now understand security the right way.

If you understood nothing of the text above, just buy a normal certificate to whoever you want. You will be "safe" according to the green icon, and this is all that matters in the real world.


1. Namecheap according to me.

2. Yes.



1. cheapsslsecurity.com

2. Yes


GeoTrust works better for us.


1. SSLS.com is rather nice.

2. Yes.


I can't edit now, but I thought by non-green, OP meant a self-signed certificate. Didn't realize OP was referring to EV certificates. I don't have a problem with buying from domains without EV certificates as long as the certificate is valid.


DigiCert


No love for Gandi?


Gandi looks good, especially if one already uses them for DNS. We intend to start using them for SSL.


Same here. Gandi is an interesting solution.


Curious: What do you mean by interesting?



