SSL: How to Choose a Certificate Authority 72

Posted by Hemos
from the make-sure-you're-too-legit-2-to-quit dept.
lessthan0 writes "Secure Sockets Layer (SSL) is the backbone of e-commerce on the web. It is the protocol used to encrypt communications between a web browser and web server, though it can also be used for other applications. To use SSL on your own web server, you often need to deal with an external company called a certificate authority (CA). Three major considerations come into play when choosing a CA: trust, audience, and cost."

  • Re:Wrong (Score:5, Interesting)

    by daviddennis (10926) <david@amazing.com> on Monday June 05, 2006 @10:18AM (#15472058) Homepage
    I just wanted to support this statement.

    I was ready to write the exact same thing you were.

    Of course things have gotten a bit better over the years.

    When I first started on the Internet, the only way to get a secure certificate was to buy a Netscape server ($5,000) and then to buy a Verisign certificate. I don't even remember how much the certificate was at the time, just that it was expensive.

    I remember feeling that crypto people, with their curious obsessions about identity and the like, were creating a world way too complex for anyone but other crypto people to manage, and events seem to have borne me out.

    D

    (PS Anyone else feel the new format seems to have sapped the vitality out of Slashdot? Maybe because it now looks like every other site on the web. It does load faster but I don't know if this change was really that brainy a scheme.)
  • by scgops (598104) on Monday June 05, 2006 @10:23AM (#15472097)
    Microsoft does it. Going to https://licensing.microsoft.com/ [microsoft.com] in Firefox asks whether or not you want to trust the certificate.

    The US military does it. Going to https://www.mol.usmc.mil/ [usmc.mil] in either IE or Firefox asks if you want to trust the cert.

    I'm not sure about IIS, but openssl certainly has a mechanism for signing your own ssl certs, as do load balancers with ssl acceleration support. Commercial, "trusted" ssl certs seem to be useful primarily for preventing security warning popups.

    From my own experience with Equifax (currently GeoTrust & soon to be Verisign thanks to acquisitions and consolidation) I know that it took them years to get their root certificate added into the Java keystore. Any application using a not-very-current version of the jdk will still generate errors when faced with GeoTrust certs. Buying certs from a smaller CA with less penetration into end-user keystores can be little or no better than signing certs yourself.

    From my viewpoint, the only two viable options are paying top dollar for the certs that will work for most people or signing your own. Which option to go with is largely a budget issue.

    -DaveU
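The openssl self-signing mechanism the comment mentions, as an added example that is not part of the original post: a private root CA issues a server certificate, and `openssl verify` accepts it only when that root is in the trust store it is handed, which is the keystore-penetration problem described above. The CA names, hostname and paths are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): a private CA signs a server cert,
# and verification depends entirely on whether the verifier's trust store
# holds that CA's root. All names and paths here are constructed.
set -e
WORK=$(mktemp -d)

# Create a self-signed root for a private CA (key + certificate).
make_root() {
  # $1 = output basename, $2 = CN for the root
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Issue a server certificate signed by the private root "ca".
issue_server_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 90 \
    -out "$WORK/server.crt" 2>/dev/null
}

# Verify the server cert against a given trust store (returns 0 on success).
verify_with_store() {
  openssl verify -CAfile "$1" "$WORK/server.crt" >/dev/null 2>&1
}

build_all() {
  make_root ca "Example Private Root CA"
  make_root other "Unrelated Root CA"   # stands in for a store missing our root
  issue_server_cert
}

if [ "${DEMO:-}" = "1" ]; then   # run with DEMO=1 to see both outcomes
  build_all
  verify_with_store "$WORK/ca.crt" && echo "root in store: trusted"
  verify_with_store "$WORK/other.crt" || echo "root not in store: untrusted"
fi
```

A client whose keystore lacks the private root behaves like the second verify call, which is why the comment treats a small CA as little better than self-signing.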
  • by WillAffleckUW (858324) on Monday June 05, 2006 @11:44AM (#15472734) Homepage Journal
    Quite seriously, we save a bundle on the license fee by having our own University of Washington issue the certificate and be the verifying authority, rather than pay a fairly steep SSL fee. Now, admittedly, you need a user base that will "trust" a certificate "verified" by the University of Washington, but in the research world this is fairly common.

    If you don't trust us, why are you sharing data with us?

    That's the question we ask.

    Now, if you're going commercial, I think you need to use one of the standard SSL authorities, even though it is more expensive.
  • by fm6 (162816) on Monday June 05, 2006 @12:40PM (#15473238) Homepage Journal
    I don't have the background in security to seriously disagree with you. But I do think the two examples you offer are not exactly compelling. Microsoft can get away with signing its own certificates for the same reason they get away with having a browser that isn't very standards compliant: they control 90% of the user base. And the military can require all its users to install special certificates because, well, they're the military.
  • Re:Wrong (Score:2, Interesting)

    by muaddie (107943) on Monday June 05, 2006 @01:22PM (#15473582)
    I drive a Honda CRV, so I'm with you for my own purposes: find the cheapest CA found in the bundles.

    However, some people drive BMWs, Lexii, or Mercedes for reasons I don't quite fathom, but their major consideration is probably NOT cost, cost and cost. I imagine these people want to be associated with reputable enterprises, and are willing to pay a somewhat meager fee just in case someone happens to follow them out of the business rooms to see what car they actually drive. I don't think the CEO of my company drives a Honda, and I'm pretty sure that I won't convince him to buy one with a solely "cost, cost, and cost" argument, any more than I'll convince him to buy our certs from Bob's Discount Browser Trusted Certs.
