[Discuss] Are there any SSL certificate authorities that don't cost a king's ransom?
Bill Horne
bill at horne.net
Sun Jul 28 18:28:52 EDT 2013
On 7/28/2013 5:33 PM, Tom Metro wrote:
> Bill Horne wrote:
>> ...we're talking about putting up a "donations" page, and that means
>> using SSL.
> Not necessarily. You can outsource that to PayPal or Amazon, both of
> which offer a turn-key payment collection system that runs on their
> secure servers, which can be linked to from a non-secure page.
I suspect that most potential donors would /rather/ have a "neutral
third party" handle it, but I don't know for sure.
>
>> I want to know where I can get one for less.
> Dreamhost (http://www.dreamhost.com/) charges $15/year for certs, but
> that offer seems to be available only to their customers that host sites
> with them.
Since our site is /on/ Dreamhost, that's /really/ nice to know. They
might want us to buy a shopping cart, though, but it's a good place to
start.
> StartSSL (http://www.startssl.com/) starts at free, and goes up to about
> $70/year for an extended validation cert. (I've used them for email certs.)
I'll check them out.
>> I need a certificate from someone who's already in /EVERY/ browser...
> A forum posting from 2010 where someone attempted to catalog the
> browsers and other things that support StartSSL:
>
> https://forum.startcom.org/viewtopic.php?f=15&t=1802
>
> And:
> http://en.wikipedia.org/wiki/StartCom#Trustedness
>
> In contrast to CAcert.org, which also offers free Class 1 SSL
> certificates, the StartSSL certificate is included by default in
> Mozilla Firefox 2.x and higher, in Apple Mac OS X since version 10.5
> (Leopard), all Microsoft operating systems since 24 September 2009,
> and Opera since 27 July 2010. Since Google Chrome, Apple Safari and
> the Internet Explorer use the certificate store of the operating
> system, all major browsers include support for StartSSL certificates.
I didn't see them in Chrome's certificate list, but it might be under a
different name.
>
>> ...I don't care if I use a company in South Africa or one in Beijing...
> How about the Hong Kong Post Office[2]? :-) (Not sure what they charge.)
>
> 2. http://www.hongkongpost.gov.hk/product/ecert/apply/certapply.html
As long as they're in the certificate list, I'm interested.
>
>> I only care if the users see a lock icon.
> Sadly, the whole SSL cert model is only as strong as the weakest
> certificate issuer that has widely deployed root certificates. No
> end-user is scrutinizing issuers and rejecting certs based on that. As
> long as the issuer does a good enough job to keep the browser/OS
> vendors from kicking out their root cert, little else matters.
Bruce Schneier pointed out a while ago that what enables e-commerce
isn't SSL, but simply the $300 statutory limit on credit-card fraud
damages. PKI is, and always will be, 90 percent procedure and ten
percent technology, and even though all credit-card thefts I've read
about happened when "back office" servers were compromised, people still
want to see the lock icon.
Bill
--
Bill Horne
339-364-8487