On 2012-02-16 17:13 , Christopher Morrow wrote:
On Thu, Feb 16, 2012 at 8:33 AM, John R. Levine <johnl@iecc.com> wrote:
I suppose if you buy an SSL certificate, you should be looking for your CA to have insurance to reimburse the cost of the certificate should that happen, and an ironclad "refund" clause in the agreement/contract under which an SSL cert is issued.
These certs cost $9.00. You're not going to get much of an insurance policy at that price.
again, startssl.com - free. why pay? it's (as you say) not actually buying you anything except random bits anyway... if you can get them for free, why would you not do that?
Because they do not have a wildcard one for 'free', which is useful when one wants to serve e.g. example.com but also www.example.com from the same location along with other variants of the hostname. Except for that, it is a rather great offer. Though one can of course just serve the example.com one and force people after they accept to the main site.

I tend to stick CAcert ones on hosts and tell people to either just accept that single cert and store it for future checks or just install the CAcert root cert, that covers a lot of hosts in one go, given of course that one trusts what CAcert is doing, but that goes for anything.

The method that Firefox is using with the unchained certificates "save this unverified cert and as long as it is the same it is great" is in that respect similar to SSH hostkeys, one can verify those offline and just keep on using them as long as that cert is the same you are likely talking to the same host (ssl etc still don't cover compromised hosts).

In the end, they are just bits, and this whole verification thing at the verification of owner adds nothing except for an ease-of-use factor for the non-techy folks on the Internet.

Greets,
Jeroen
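The "save this unverified cert and as long as it is the same it is great" scheme Jeroen compares to SSH host keys, written out as a trust-on-first-use fingerprint check. This is an added example, not code from the thread or from any of the tools mentioned; PinStore, demo() and the CERT_A/CERT_B byte strings are constructed for illustration.

```python
import hashlib
import hmac
import json
from pathlib import Path


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, in the colon-separated
    form that `openssl x509 -fingerprint -sha256` prints for offline comparison."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class PinStore:
    """known_hosts-style store: host -> fingerprint seen on first contact.
    path=None keeps pins in memory (used by demo()); a real client persists them."""

    def __init__(self, path=None):
        self.path = Path(path) if path else None
        self.pins = {}
        if self.path and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def check(self, host: str, der_cert: bytes) -> str:
        """TOFU decision: 'first-use' (pin recorded), 'match', or 'MISMATCH'.
        On mismatch the old pin is deliberately kept; only a human decides
        whether the change is a legitimate rotation or an interception."""
        fp = fingerprint(der_cert)
        known = self.pins.get(host)
        if known is None:
            self.pins[host] = fp
            if self.path:
                self.path.write_text(json.dumps(self.pins, indent=2))
            return "first-use"
        return "match" if hmac.compare_digest(known, fp) else "MISMATCH"


# Constructed stand-ins for DER certificate bytes; a real client would take them
# from ssl.SSLSocket.getpeercert(binary_form=True) after the handshake.
CERT_A = b"constructed-der-bytes-for-example.com-cert-A"
CERT_B = b"constructed-der-bytes-for-example.com-cert-B"


def demo() -> list:
    """One host through first contact, a repeat visit, a changed cert, and the
    original cert again (the pin survived the mismatch)."""
    store = PinStore()
    return [store.check("example.com", c) for c in (CERT_A, CERT_A, CERT_B, CERT_A)]
```

As Jeroen notes, a matching pin only tells you it is the same key as last time; it says nothing about whether that host has since been compromised.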