SSL: How to Choose a Certificate Authority 72
lessthan0 writes "Secure Sockets Layer (SSL) is the backbone of e-commerce on the web. It is the protocol used to encrypt communications between a web browser and web server, though it can also be used for other applications. To use SSL on your own web server, you often need to deal with an external company called a certificate authority (CA). Three major considerations come into play when choosing a CA: trust, audience, and cost."
Wrong (Score:5, Insightful)
Commercial SSL certs are 100% scam. CAs pay browser vendors for the ability to extort money from website owners.
My grandmother doesn't know that Verisign exists, nor AddTrust, nor any other CAs. She particularly doesn't know how or why Verisign checks a certificate before signing it, and she wouldn't understand the differences in the way that any other CA does it either. The one and only one thing that she does know is that the error that pops up if a site tries to use a certificate that hasn't paid Microsoft a fat wad of cash confuses her.
If you just woke up from the early 90s and still have some misplaced faith in the SSL CA system, by all means, read this. If you are a consultant pushing a CA that gives you kickbacks, give this to your customers. If you just want people to be able to click your https links, get the cheapest certificate you can find, no one will ever know the difference.
Do they even check? (Score:3, Insightful)
They mail root. (Score:3, Insightful)
cost alone (Score:2, Insightful)
a certified page represents just that, and nothing more. you should look at the cost aspect of it alone.
if you can dish-out the dough to get a certificate, by all means, go for it. if you can't then you can go for a cheaper certificate, or even your own certificate. you can ask your clients to trust your certificates and add them to the list of trusted certificates, or trust the certificate on a per-session basis.
you don't lose anything; and still get the job done.
it's a whole different ball-o-wax though if you're using your site for credit-card transactions. somehow, i wouldn't feel comfortable putting up the numbers on any site not verisign certified.
* lon3st4r *
Re:Mac certificate configuration (Score:3, Insightful)
Sounds like a lot of FUD to me.
Re:Wrong (Score:3, Insightful)
No, no-one knows the the difference between high and low, but a person does actually have to do something.
Yeah, someone has to sit there in front of the fax machine waiting for the ultra-secure signed letterheads to come in.
-matthew
I trust you but not the network (Score:2, Insightful)
If you don't trust us, why are you sharing data with us?
It's not that I don't trust you as a business entity; it's that I don't trust the network between us. When I visit www.washington.edu to download University of Washington's root certificate, how do I know that, say, the DNS isn't being spoofed and there isn't a transparent proxy acting as a man in the middle?
Only one solution.... (Score:2, Insightful)