top | item 7461783

Ask HN: Where should someone buy an SSL certificate?

22 points| mihok | 12 years ago | reply

There always seems to be talk about some SSL cert service (VeriSign) that has been hacked or gone under. I'm trying to buy my first SSL certificate and there are so many options out there that it's hard to know which one. What are the risks? Is any certificate authority okay? Will self-signed certs be good enough?

Clearly the issue is the man-in-the-middle attack, which I have a high-level understanding of, and makes every CA susceptible to the same attack if they are compromised, but are there good CAs that people have had experience with? Is it less safe to get a wildcard cert than individual certs for each domain?

Thanks HN

13 comments

[+] sillysaurus3|12 years ago|reply
If you're worried about certain governments MITMing you, the answer is that it's hopeless to rely on SSL to provide protection.

I don't know a good recommendation. I just wanted to clarify that SSL provides no protection in that particular case.

[+] mihok|12 years ago|reply
Makes sense. Does that in turn mean that SSL is really a 'hopeless' cause and using self-signed just for the image of 'https' showing in the location bar on a browser is enough? Seems like a pointless exercise to me, knowing that someone somewhere (government or not) could still access it.
[+] jipy9|12 years ago|reply
I used a StartSSL class 1 certificate for my app (unherd.co). It's free and valid for one year. Here is a good guide that might be of help - https://konklone.com/post/switch-to-https-now-for-free?hn
[+] akg_67|12 years ago|reply
I also used StartSSL class 1 for my site (peercube.com) and will highly recommend the help link you provided for getting and installing the certificate.
[+] OWaz|12 years ago|reply
I used the same certificate from StartSSL and got an A- grade from SSL Labs.
[+] fsk|12 years ago|reply
My domain registrar (namecheap) offers SSL certificates cheap.

All you need is for your domain to show up with the little special icon in the browser when you use https. Other than that, it doesn't matter. Get the cheapest one that browsers recognize.

[+] Patrick_Devine|12 years ago|reply
I just bought a Comodo PositiveSSL Wildcard cert from them last week. It was a little confusing, but they were quite responsive when I pointed out some bugs in the registration service. I would definitely recommend them.
[+] ch215|12 years ago|reply
You get a standard SSL certificate free for a year with domain names at Gandi.net. I think I'm also right in saying transfers are included. Can't really vouch for their security but from what I have read the company's "no bullshit" approach is right up my alley. The riseup.net collective recommend them too.
[+] euantorano|12 years ago|reply
+1 on Gandi.net from me too. Got several domains/SSL certs from them. The base (free) SSL certificate is pretty basic, but they also offer higher levels of security at a cost.
[+] amybe|12 years ago|reply
Thanks for the recommendation. I can confirm that you get a free one-year cert whether the domain has been registered at Gandi or transferred in.
[+] ancarda|12 years ago|reply
>Will self signed certs be good enough?

For public consumption, no. For anything internal, yes.