Ask HN: Is StartSSL worth the $0 price tag?
I am trying to secure a low traffic site but need a certificate. Is StartSSL a good option or should I spend money on another service?
I am helping a non-profit that has a very low budget and I want to be helpful without causing long-term ramifications (of which I am currently ignorant). Thanks for any help, this stuff is confusing and I am new to it!

I have a related, and broader, question. Is there any difference, practically speaking, between one CA and another, besides browser compatibility? Assuming that it's accepted by browsers, is there any reason to go with a more expensive provider that does a stronger verification of you rather than a cheaper provider that just sends a confirmation to an email in your domain whois?

No, they're not a company that I personally would suggest. I highly recommend Comodo bought from NameCheap: https://www.namecheap.com/security/ssl-certificates/comodo.a... Another Heartbleed-type incident could happen in the near future (lots of eyes on that codebase now) and their strict policy will leave you choosing between coughing up $35 per certificate or leaving your site vulnerable. There has even been a large amount of discussion regarding removing them from the trusted list of certificate authorities because most of their users can't afford to revoke certificates and have no choice but to leave their sites vulnerable.

I also like Comodo+NameCheap. I once tried to buy Comodo elsewhere and the cert activation process was much less friendly (they didn't recognize my authorized whois email of record). Another nice perk I just realized: NameCheap gives you the whole term of the cert from the time you activate the cert, not from the time you purchase (maybe that's common though). That said, I think the bad press StartSSL is getting is mostly undeserved. You can either choose a free cert with the outside chance you'll want to pay to revoke it, or just automatically pay up front every term. Probabilistically, they still have the cheapest option. And are site admins who can't/won't pay $35 really that likely to have a very secure server anyhow?
That means they would have never bought SSL anyhow without StartSSL.

We used them to secure internal-only apps we ran, to stop staff getting used to ignoring the warning pages if the certs are self-signed. Yeah, ok, the signup process is a pain, but we had an amazing system admin who knew their stuff so we got up and running in no time.

Whatever happened with "StartSSL, please revoke me"? "Sure, pay us $35."

I believe the exact quote during the Heartbleed incident was, "Dead serious." https://twitter.com/startssl/status/453631038883758080

I meant the fate of the person who posted his private key trying to work around that more-than-issue. (As, IIRC, under the terms of being in the Mozilla repository StartSSL was obligated to revoke certificates that were known to be compromised.)

I have used them in the past with no issues for personal sites. What are your concerns? In many aspects, a cert either "works" or it doesn't (in most cases, an SSL engine trusts the cert without warning). Generate a private key and CSR that meet your security requirements (e.g. key length, cipher set, etc.), submit it to StartSSL, and verify the resulting cert. If it meets your specs and is trusted by the SSL engines you use then you are good. If not, you will need to find another CA.

My concern revolves around credibility. They took a beating after Heartbleed regarding the cost of revocation for certificates/credentials affected. While that is mostly a business decision on their end, it raises concerns about what their business is about. Nothing is "free", it just might not cost currency. "If you don't pay for the service, you are the service." Since I don't have experience with them I am looking for some level of assurance that they are a legitimate service. In my opinion it is difficult to gain that assurance just from their website.

Heartbleed had nothing to do with certs themselves, but instead with how OpenSSL implemented an aspect of connection negotiation. Hence, the issue was isolated to OpenSSL, not other SSL implementations or the SSL/TLS standards themselves. In terms of "credibility", the issue comes down to how many browsers include their root cert by default. As far as I know, IE, Firefox, and Chrome include it, meaning that it will be trusted by default. The way they make money is selling other types of services such as wildcard and "green bar" certs. I think the folks running it want to see a wider use of SSL, and see providing free host-based certs as a good way to accomplish that goal. Bear in mind, there is zero cost to signing a cert ...

I have paid wildcard certs with them. Their site is weirdly designed and heavy on the self-service, but I have no complaints about them. I have revoked certs with them and everything has been reasonable. That said, why does it matter if they're "credible"? Their certs are accepted by pretty much every browser, OS and library, and they have a long track record as a CA.

Regardless, as a business I have had business dealings with, let me assure you they are a "legitimate service".

I currently use them and have no issues. I'm a validated customer and they take even the personal validations very seriously. They even check based on domain names; if you have "financial" in your domain name, be prepared to be questioned on why you are getting a free SSL certificate.
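The "generate a key and CSR, get it signed, verify what comes back" loop that one commenter above recommends, as an added worked example; this is not code from the thread, from StartSSL or from any CA. It assumes the openssl CLI (1.1.1 or 3.x) is on PATH. The CA is a throwaway self-signed one constructed inline so the script runs offline; with a real CA you skip make_test_ca, send the CSR to them, and run verify_cert on the certificate and chain they return. The hostname www.example.org, the $WORK scratch directory and the function names are all assumptions. It goes one step beyond the comment by also signing the same CSR with a second, untrusted CA and showing that verification rejects it, which is the "find another CA" outcome.

```shell
#!/bin/sh
# Added example, not code from the thread or from any CA.
# Assumes the `openssl` CLI (1.1.1 or 3.x) is on PATH.
set -e

WORK="${WORK:-$(mktemp -d)}"   # scratch dir for keys, CSRs and certs (assumption)

# Throwaway CA, constructed here only so the script runs offline.
# With a real CA you never do this step.
make_test_ca() {
    name="$1"
    cat > "$WORK/$name.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$WORK/$name.cnf" -subj "/CN=$name test CA (constructed)" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.crt" 2>/dev/null
}

# Step 1: the part you control. 2048-bit RSA minimum, hostname carried as a
# SAN, and the private key never leaves this machine: only the CSR goes out.
make_key_and_csr() {
    host="$1"
    cat > "$WORK/$host.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
[dn]
[v3_req]
subjectAltName = DNS:$host
EOF
    openssl genrsa -out "$WORK/$host.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$host.key" -config "$WORK/$host.cnf" \
        -subj "/CN=$host" -out "$WORK/$host.csr" 2>/dev/null
}

# Step 2: what the CA does with the CSR (simulated). The CA, not the CSR,
# decides the final extensions, which is why step 3 re-checks them.
sign_csr() {
    host="$1"; ca="$2"; out="$3"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$host" > "$out.ext"
    openssl x509 -req -days 1 -in "$WORK/$host.csr" \
        -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" -CAcreateserial \
        -extfile "$out.ext" -out "$out" 2>/dev/null
}

# Step 3: verify the cert before deploying it. Returns 0 only if every check passes.
verify_cert() {
    host="$1"; cert="$2"; trusted="$3"
    # (a) chains to a root you trust and is usable as a TLS server cert
    openssl verify -purpose sslserver -CAfile "$trusted" "$cert" >/dev/null 2>&1 || return 1
    # (b) the public key in the cert is the one belonging to *your* private key
    [ "$(openssl x509 -noout -pubkey -in "$cert")" = \
      "$(openssl pkey -pubout -in "$WORK/$host.key")" ] || return 1
    # (c) the hostname you serve is in the SAN (browsers ignore the CN)
    openssl x509 -noout -text -in "$cert" | grep -q "DNS:$host" || return 1
    # (d) key size is what you asked for
    bits=$(openssl x509 -noout -text -in "$cert" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || return 1
    # (e) not already expired
    openssl x509 -noout -checkend 0 -in "$cert" >/dev/null 2>&1 || return 1
}

# Worked run: the cert from the CA we trust passes; the same CSR signed by
# some other CA fails check (a) against our trust store.
run_example() {
    host="www.example.org"
    make_test_ca trusted
    make_test_ca other
    make_key_and_csr "$host"
    sign_csr "$host" trusted "$WORK/$host.trusted.crt"
    sign_csr "$host" other   "$WORK/$host.other.crt"
    if verify_cert "$host" "$WORK/$host.trusted.crt" "$WORK/trusted.crt"; then
        echo "trusted-CA cert: OK"
    else
        echo "trusted-CA cert: FAILED"
    fi
    if verify_cert "$host" "$WORK/$host.other.crt" "$WORK/trusted.crt"; then
        echo "other-CA cert: unexpectedly OK"
    else
        echo "other-CA cert: rejected (issuer not in our trust store)"
    fi
}

if command -v openssl >/dev/null 2>&1; then
    run_example
else
    echo "openssl not on PATH; nothing run" >&2
fi
```

For a real CA, point the third argument of verify_cert at the bundle you actually ship to clients (the CA's intermediate plus root, or the system trust store), since a cert that validates only against a file the CA handed you tells you nothing about what browsers will do. Check (b) is the one people skip and the one that catches a CA mixing up orders.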