
BLU Discuss list archive



[Discuss] Are there any SSL certificate authorities that don't cost a king's ransom?



Bill Horne wrote:
> ...we're talking about putting up a "donations" page, and that means
> using SSL.

Not necessarily. You can outsource that to PayPal or Amazon, both of
which offer a turn-key payment collection system that runs on their
secure servers, which can be linked to from a non-secure page.

Google Checkout used to be another option, but Google is shutting it
down, and is moving merchants to Google Wallet, which isn't really the
same functionality from the merchant's perspective. (Requires your own
merchant account.)

I've heard the web hosting bundled with Google Apps includes HTTPS, but
I haven't investigated to see what additional costs or restrictions
apply. (Theoretically, it could be very cheap or free. Google already
has the hardware infrastructure at scale to do SSL hosting, and is a
certificate authority, and has already validated your domain ownership.)

There are also companies you can outsource the e-commerce portion to -
basically hosted shopping carts. They offer varying levels of
integration, with some bundling a shopping cart with a payment gateway
and merchant account.

This comes down to a usual trade-off between control and convenience. If
you host the donation page yourself, you can make it perfectly integrate
into the look of your site, and not send the user off to another domain
or subdomain, but in addition to having to maintain a current SSL cert,
you'll need to maintain some additional software (at minimum, code that
talks to a payment gateway), and a merchant account.


> I want to know where I can get one for less.

DigiCert (http://www.digicert.com/) is quite popular, and their
entry-level cert starts at $175/year, if you buy a 3-year term. Same
~$200/year as you found elsewhere if you buy a 1-year term. Extended
validation certs are not much more, starting at $234/year over 2-year term.

Dreamhost (http://www.dreamhost.com/) charges $15/year for certs, but
that offer seems to be available only to their customers that host sites
with them.

StartSSL (http://www.startssl.com/) starts at free, and goes up to about
$70/year for an extended validation cert. (I've used them for email certs.)

The StartSSL web site doesn't seem to point this out, but the Wikipedia
page below notes several times that the free certs are for
non-commercial use only. They reference section 3.1.2.1 of StartSSL's
"Certificate Policy & Practice Statements"[1], which says, "Subscribers
MUST upgrade to Class 2 or higher level for any domain and site of
commercial nature, when using high-profile brands and names or if
involved in obtaining or relaying sensitive information such as health
records, financial details, personal information etc."

1. http://www.startssl.com/policy.pdf


> I need a certificate from someone who's already in /EVERY/ browser...

A forum posting from 2010 where someone attempted to catalog the
browsers and other things that support StartSSL:

https://forum.startcom.org/viewtopic.php?f=15&t=1802

And:
http://en.wikipedia.org/wiki/StartCom#Trustedness

  In contrast to CAcert.org, which also offers free Class 1 SSL
  certificates, the StartSSL certificate is included by default in
  Mozilla Firefox 2.x and higher, in Apple Mac OS X since version 10.5
  (Leopard), all Microsoft operating systems since 24 September 2009,
  and Opera since 27 July 2010. Since Google Chrome, Apple Safari and
  the Internet Explorer use the certificate store of the operating
  system, all major browsers include support for StartSSL certificates.


> ...I don't care if I use a company in South Africa or one in Beijing...

How about the Hong Kong Post Office[2]? :-) (Not sure what they charge.)

2. http://www.hongkongpost.gov.hk/product/ecert/apply/certapply.html


> I only care if the users see a lock icon.

Sadly, the whole SSL cert model is only as strong as the weakest
certificate issuer that has widely deployed root certificates. No
end-user is scrutinizing issuers and rejecting certs based on that. As
long as the issuer does a good enough job to avoid the browser/OS
vendors from kicking out their root cert, little else matters.

 -Tom

-- 
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
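A small demonstration of the last point above, added here and not part of Tom's post: a client accepts a certificate for a name as soon as any root in its trust store signed it, and `openssl verify` cannot tell the operator's chosen CA from an unrelated one that happens to be in the same store. It assumes the `openssl` command line tool; the CA names and the hostname are constructed for the demo.

```shell
#!/bin/sh
# Added demo, not from the original post. Shows the CA-model point:
# a client accepts a leaf cert for a name as soon as ANY root in its
# trust store signed it, so the store is only as strong as its weakest
# member. Assumes the openssl CLI; all names below are constructed.

demo_dir=$(mktemp -d)
site="donate.example.org"   # constructed hostname for the leaf certs

# make_ca NAME: create a self-signed root CA as NAME.pem / NAME.key
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
    -keyout "$demo_dir/$1.key" -out "$demo_dir/$1.pem" 2>/dev/null
}

# issue_leaf CA HOST: leaf cert for HOST signed by CA -> HOST.CA.pem
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$demo_dir/$2.$1.key" -out "$demo_dir/$2.$1.csr" 2>/dev/null
  openssl x509 -req -in "$demo_dir/$2.$1.csr" -CA "$demo_dir/$1.pem" \
    -CAkey "$demo_dir/$1.key" -CAcreateserial -days 1 \
    -out "$demo_dir/$2.$1.pem" 2>/dev/null
}

# verify_leaf LEAF BUNDLE: print "ok" if BUNDLE trusts LEAF, else "rejected"
verify_leaf() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo rejected
  fi
}

# Two independent roots: the one the site operator chose, and an
# unrelated one that also sits in the client's trust store.
make_ca intended-ca
make_ca other-ca
issue_leaf intended-ca "$site"
issue_leaf other-ca "$site"

# Store 1: only the operator's CA. Store 2: both roots, which is the
# realistic state of a browser/OS root store with many issuers.
cp "$demo_dir/intended-ca.pem" "$demo_dir/store-strict.pem"
cat "$demo_dir/intended-ca.pem" "$demo_dir/other-ca.pem" > "$demo_dir/store-browser.pem"

echo "strict store, intended-ca leaf: $(verify_leaf "$demo_dir/$site.intended-ca.pem" "$demo_dir/store-strict.pem")"
echo "strict store, other-ca leaf:    $(verify_leaf "$demo_dir/$site.other-ca.pem" "$demo_dir/store-strict.pem")"
echo "browser store, other-ca leaf:   $(verify_leaf "$demo_dir/$site.other-ca.pem" "$demo_dir/store-browser.pem")"
```

The third line is the one that matters: once the unrelated root is in the store, its certificate for the site verifies exactly like the intended one, and nothing in the verification result says which issuer the operator actually used.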



BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.