Follow Slashdot stories on Twitter


Forgot your password?

SSL: How to Choose a Certificate Authority 72

lessthan0 writes "Secure Sockets Layer (SSL) is the backbone of e-commerce on the web. It is the protocol used to encrypt communications between a web browser and web server, though it can also be used for other applications. To use SSL on your own web server, you often need to deal with an external company called a certificate authority (CA). Three major considerations come into play when choosing a CA: trust, audience, and cost."
This discussion has been archived. No new comments can be posted.

SSL: How to Choose a Certificate Authority

Comments Filter:
  • Wrong (Score:5, Insightful)

    by Orgasmatron ( 8103 ) on Monday June 05, 2006 @10:02AM (#15471958)
    This article is wrong. The three major considerations are cost, cost and cost.

    Commercial SSL certs are 100% scam. CAs pay browser vendors for the ability to extort money from website owners.

    My grandmother doesn't know that Verisign exists, nor AddTrust, nor any other CAs. She particularly doesn't know how or why Verisign checks a certificate before signing it, and she wouldn't understand the differences in the way that any other CA does it either. The one and only one thing that she does know is that the error that pops up if a site tries to use a certificate that hasn't paid Microsoft a fat wad of cash confuses her.

    If you just woke up from the early 90s and still have some misplaced faith in the SSL CA system, by all means, read this. If you are a consultant pushing a CA that gives you kickbacks, give this to your customers. If you just want people to be able to click your https links, get the cheapest certificate you can find, no one will ever know the difference.
  • by Poromenos1 ( 830658 ) on Monday June 05, 2006 @10:13AM (#15472013) Homepage
    Does CAcert even check the validity of your site? I don't mean that the others do or that they're better, but I don't think that this is any better than a self-signed certificate, since anyone can get a certificate automatically.
  • They mail root. (Score:3, Insightful)

    by Grincho ( 115321 ) on Monday June 05, 2006 @11:06AM (#15472384) Homepage
    Before CACert will believe you own, you have to demonstrate that you can read email sent to,, or any of a few others. I think it's a pretty good tradeoff between convenience and security, since, if somebody can read your root mail, you're pwned anyway.
  • cost alone (Score:2, Insightful)

    by lon3st4r ( 973469 ) on Monday June 05, 2006 @11:17AM (#15472481)
    it is widely known in the developer community that a certificate does not invoke any sense of "trust". it just implies that someone paid a big wad of money to somebody in the "default trust 'em" list (verisign, et al.)!

    a certified page represents just that, and nothing more. you should look at the cost aspect of it alone.

    if you can dish-out the dough to get a certificate, by all means, go for it. if you can't then you can go for a cheaper certificate, or even your own certificate. you can ask your clients to trust your certificates and add them to the list of trusted certificates, or trust the certificate on a per-session basis.

    you don't lose anything; and still get the job done.

    it's a whole different ball-o-wax though if you're using your site for credit-card transactions. somehow, i wouldn't feel comfortable putting up the numbers on any site not verisign certified.

    * lon3st4r *

  • by geoffspear ( 692508 ) on Monday June 05, 2006 @11:17AM (#15472483) Homepage
    Are you implying that anyone with a cert "trusted" by an Intel Mac can easily get root access to that Mac, and can your provide any evidence whatsoever?

    Sounds like a lot of FUD to me.

  • Re:Wrong (Score:3, Insightful)

    by misleb ( 129952 ) on Monday June 05, 2006 @11:23AM (#15472532)
    At the end of the day, does it really matter?
    No, no-one knows the the difference between high and low, but a person does actually have to do something.

    Yeah, someone has to sit there in front of the fax machine waiting for the ultra-secure signed letterheads to come in.

  • If you don't trust us, why are you sharing data with us?

    It's not that I don't trust you as a business entity; it's that I don't trust the network between us. When I visit to download University of Washington's root certificate, how do I know that, say, the DNS isn't being spoofed and there isn't a transparent proxy acting as a man in the middle?

  • by gencom ( 244277 ) on Tuesday June 06, 2006 @12:16AM (#15477602)
    See [] for a solution to getting CA's at the price they SHOULD BE ... ZERO, NADA, ZILCH. If enough people get in here, then it'll be a likely candidate for a Root level certificate in all browsers and systems.

Our business in life is not to succeed but to continue to fail in high spirits. -- Robert Louis Stevenson