SSL Certificates
Looking for a recommendation on who to buy affordable and reputable SSL certificates from? Symantec, Thawte, and Comodo are the names that come to mind, just wondering if there are others folks use. Thanks, -- Michael D. Carey KINBER Network Engineer mcarey@kinber.org M: 814.777.5027 GV: (814) 205-6773 <https://www.google.com/voice#phones> Skype: KINBER.Mike.Carey KINBER - Keystone Initiative for Network Based Education and Research - www.kinber.org PennREN - Pennsylvania's Research and Education Network
AlphaSSL is pretty solid, priced right too. -- Alexander McMillen Chief Executive Officer Sliqua Enterprise Hosting, Inc. - AS32740 Serving up scale and service since 2002. Is your mission critical?™ 1-877-4-SLIQUA - http://www.sliqua.com - http://www.isyourmissioncritical.com On Jan 6, 2012, at 9:15 AM, Michael Carey wrote:
Looking for a recommendation on who to buy affordable and reputable SSL certificates from? Symantec, Thawte, and Comodo are the names that come to mind, just wondering if there are others folks use.
Thanks,
-- Michael D. Carey KINBER Network Engineer mcarey@kinber.org M: 814.777.5027 GV: (814) 205-6773 <https://www.google.com/voice#phones> Skype: KINBER.Mike.Carey
KINBER - Keystone Initiative for Network Based Education and Research - www.kinber.org PennREN - Pennsylvania's Research and Education Network
We typically stick with Network Solutions, and DigiCert for SAN certificates. VeriSign's prices are just insane. On Fri, Jan 6, 2012 at 9:15 AM, Michael Carey <mcarey@kinber.org> wrote:
Looking for a recommendation on who to buy affordable and reputable SSL certificates from? Symantec, Thawte, and Comodo are the names that come to mind, just wondering if there are others folks use.
Thanks,
-- Michael D. Carey KINBER Network Engineer mcarey@kinber.org M: 814.777.5027 GV: (814) 205-6773 <https://www.google.com/voice#phones> Skype: KINBER.Mike.Carey
KINBER - Keystone Initiative for Network Based Education and Research - www.kinber.org PennREN - Pennsylvania's Research and Education Network
netsol was bought by web.com. "out of the frying pan ... "? On Fri, Jan 06, 2012 at 09:27:27AM -0500, Josh Baird wrote:
We typically stick with Network Solutions, and DigiCert for SAN certificates. VeriSign's prices are just insane.
On Fri, Jan 6, 2012 at 9:15 AM, Michael Carey <mcarey@kinber.org> wrote:
Looking for a recommendation on who to buy affordable and reputable SSL certificates from? Symantec, Thawte, and Comodo are the names that come to mind, just wondering if there are others folks use.
-- Henry Yen Aegis Information Systems, Inc. Senior Systems Programmer Hicksville, New York
I've had good experience with Entrust. One thing to be careful with is some mobile devices (especially older Android ones) have limited root certificates. Network Solutions and Entrust work, some others, not so much. From my experience Android 2.3+ has most of the common root certs, but previous versions don't. I wonder if someone has a list comparing root certificate support across platforms? ---- Matthew Huff | 1 Manhattanville Rd Director of Operations | Purchase, NY 10577 OTA Management LLC | Phone: 914-460-4039 aim: matthewbhuff | Fax: 914-460-4139
-----Original Message----- From: Michael Carey [mailto:mcarey@kinber.org] Sent: Friday, January 06, 2012 9:15 AM To: nanog@nanog.org Subject: SSL Certificates
Looking for a recommendation on who to buy affordable and reputable SSL certificates from? Symantec, Thawte, and Comodo are the names that come to mind, just wondering if there are others folks use.
Thanks,
-- Michael D. Carey KINBER Network Engineer mcarey@kinber.org M: 814.777.5027 GV: (814) 205-6773 <https://www.google.com/voice#phones> Skype: KINBER.Mike.Carey
KINBER - Keystone Initiative for Network Based Education and Research - www.kinber.org PennREN - Pennsylvania's Research and Education Network
We have been using GoDaddy for quite some time as they offer good deals if you call them in and buy in bulk. Mind you we manage certs for about 50-100 customers as well. Haven't had any issues with them not being trusted on mobile devices except for old windows mobile 5 and early 6 devices. -----Original Message----- From: Matthew Huff [mailto:mhuff@ox.com] Sent: Friday, January 06, 2012 7:32 AM To: 'Michael Carey'; nanog@nanog.org Subject: RE: SSL Certificates I've had good experience with Entrust. One thing to be careful with is some mobile devices (especially older Android ones) have limited root certificates. Network Solutions and Entrust work, some others, not so much. From my experience Android 2.3+ has most of the common root certs, but previous versions don't. I wonder if someone has a list comparing root certificate support across platforms? ---- Matthew Huff | 1 Manhattanville Rd Director of Operations | Purchase, NY 10577 OTA Management LLC | Phone: 914-460-4039 aim: matthewbhuff | Fax: 914-460-4139
-----Original Message----- From: Michael Carey [mailto:mcarey@kinber.org] Sent: Friday, January 06, 2012 9:15 AM To: nanog@nanog.org Subject: SSL Certificates
Looking for a recommendation on who to buy affordable and reputable SSL certificates from? Symantec, Thawte, and Comodo are the names that come to mind, just wondering if there are others folks use.
Thanks,
-- Michael D. Carey KINBER Network Engineer mcarey@kinber.org M: 814.777.5027 GV: (814) 205-6773 <https://www.google.com/voice#phones> Skype: KINBER.Mike.Carey
KINBER - Keystone Initiative for Network Based Education and Research - www.kinber.org PennREN - Pennsylvania's Research and Education Network
From: Michael Carey [mailto:mcarey@kinber.org] Sent: Friday, January 06, 2012 9:15 AM To: nanog@nanog.org Subject: SSL Certificates
Looking for a recommendation on who to buy affordable and reputable SSL certificates from? Symantec, Thawte, and Comodo are the names that come to mind, just wondering if there are others folks use.
startssl.com - free certs that work in apple-mail, chrome, ff, ie, tbird, across mac/linux/windows... you can't beat free. (you do have to update yearly, but it's not painful, and is probably worth doing as practice anyway) -chris
On Fri, Jan 06, 2012 at 10:08:55AM -0500, Christopher Morrow wrote:
From: Michael Carey [mailto:mcarey@kinber.org] Sent: Friday, January 06, 2012 9:15 AM To: nanog@nanog.org Subject: SSL Certificates
Looking for a recommendation on who to buy affordable and reputable SSL certificates from? Symantec, Thawte, and Comodo are the names that come to mind, just wondering if there are others folks use.
startssl.com - free certs that work in apple-mail, chrome, ff, ie, tbird, across mac/linux/windows... you can't beat free.
(you do have to update yearly, but it's not painful, and is probably worth doing as practice anyway)
i think their "free" certificates are for personal/individual use only, and may not be as useful for company/business usage. -- Henry Yen Aegis Information Systems, Inc. Senior Systems Programmer Hicksville, New York
theSSLstore has good reseller pricing on a variety of certs. ~ $10 domain validated rapidssl certs in about 5 minutes. More expensive and time consuming certs are available, Verisign, Geotrust, Thawte, greenbars, wildcards, etc.. Ken On 1/6/2012 8:15 AM, Michael Carey wrote:
Looking for a recommendation on who to buy affordable and reputable SSL certificates from? Symantec, Thawte, and Comodo are the names that come to mind, just wondering if there are others folks use.
Thanks,
-- Ken Anderson Pacific Internet - http://www.pacific.net
I second The SSL Store (http://www.thesslstore.com/) -- Paul Norton Systems Administrator Neoverve - www.neoverve.com Neoverve Blog - http://blog.neoverve.com/ On 1/6/2012 7:31 AM, Ken A wrote:
theSSLstore has good reseller pricing on a variety of certs. ~ $10 domain validated rapidssl certs in about 5 minutes. More expensive and time consuming certs are available, Verisign, Geotrust, Thawte, greenbars, wildcards, etc.. Ken
On 1/6/2012 8:15 AM, Michael Carey wrote:
Looking for a recommendation on who to buy affordable and reputable SSL certificates from? Symantec, Thawte, and Comodo are the names that come to mind, just wondering if there are others folks use.
Thanks,
On Jan 6, 2012, at 6:15, Michael Carey wrote:
Looking for a recommendation on who to buy affordable and reputable SSL certificates from? Symantec, Thawte, and Comodo are the names that come to mind, just wondering if there are others folks use.
Almost everyone are basically just selling an "activation" with one of the SSL certificate authorities. I usually buy a "RapidSSL" (Verisign) certificate from https://www.sslmatrix.com/ -- they seem to have some of the best prices and the rapidssl enrollment process is very efficient (at least for the cheap automatically "validated" products). Ask -- http://askask.com/
Almost everyone are basically just selling an "activation" with one of the SSL certificate authorities.
I usually buy a "RapidSSL" (Verisign) certificate from https://www.sslmatrix.com/ -- they seem to have some of the best prices and the rapidssl enrollment process is very efficient (at least for the cheap automatically "validated" products).
I get my RapidSSL and Comodo from these guys. Prices look about the same: http://www.cheapssls.com/ If you order a cert for example.com, Comodo's also work for www.example.com, no extra charge. R's, John
On Wed, Feb 15, 2012 at 4:17 PM, John Levine <johnl@iecc.com> wrote:
Almost everyone are basically just selling an "activation" with one of the SSL certificate authorities.
I usually buy a "RapidSSL" (Verisign) certificate from https://www.sslmatrix.com/ -- they seem to have some of the best prices and the rapidssl enrollment process is very efficient (at least for the cheap automatically "validated" products).
I get my RapidSSL and Comodo from these guys. Prices look about the same:
If you order a cert for example.com, Comodo's also work for www.example.com, no extra charge.
The problem with anything related to Verisign at the moment is that they either don't know or haven't come clean yet how far the hackers got into their infrastructure over the last few years. The early February 2012 announcements were woefully devoid of actual content. The possibility of their root certs being compromised is nonzero. There may be no problem; they also may be completely worthless. Until there's full disclosure... -- -george william herbert george.herbert@gmail.com
On Wed, Feb 15, 2012 at 6:49 PM, George Herbert <george.herbert@gmail.com> wrote:
On Wed, Feb 15, 2012 at 4:17 PM, John Levine <johnl@iecc.com> wrote: The problem with anything related to Verisign at the moment is that
The possibility of their root certs being compromised is nonzero.
The possibility of _ANY_ CA's root certs having been compromised is non-zero. There's no evidence published to indicate Verisign's CA key has been compromised, and it's highly unlikely. Just as there's no evidence of other CAs' root certificate keys being compromised.
There may be no problem; they also may be completely worthless. Until there's full disclosure... [snip]
They are not completely worthless until revoked, or distrusted by web browsers. There is a risk that any CA issued SSL certificate signed by _any_ CA may be worthless some time in the future, if the CA chosen is later found to have issued sufficient quantities of fraudulent certificates, and sufficiently failed in their duties.

I suppose if you buy a SSL certificate, you should be looking for your CA to have insurance to reimburse the cost of the certificate should that happen, and an ironclad "refund" clause in the agreement/contract under which a SSL cert is issued.

E.g. a guarantee such that the CA will refund the complete certification fee, or pay for the replacement of the SSL certificate with a new valid certificate issued by another fully trusted CA, and compensate for any tangible loss, resulting from the CA's signing certificate being marked as untrusted by major browsers, revoked, or removed from major browsers' trust list, due to any failure on the CA's part or compromise of their systems, resulting in loss of trust.

-- -JH
I suppose if you buy a SSL certificate, you should be looking for your CA to have insurance to reimburse the cost of the certificate should that happen, and an ironclad "refund" clause in the agreement/contract under which a SSL cert is issued
These certs cost $9.00. You're not going to get much of an insurance policy at that price. R's, John
On Thu, Feb 16, 2012 at 8:33 AM, John R. Levine <johnl@iecc.com> wrote:
I suppose if you buy a SSL certificate, you should be looking for your CA to have insurance to reimburse the cost of the certificate should that happen, and an ironclad "refund" clause in the agreement/contract under which a SSL cert is issued
These certs cost $9.00. You're not going to get much of an insurance policy at that price.
again, startssl.com - free. why pay? it's (as you say) not actually buying you anything except random bits anyway... if you can get them for free, why would you not do that?
These certs cost $9.00. You're not going to get much of an insurance policy at that price.
again, startssl.com - free. why pay? it's (as you say) not actually buying you anything except random bits anyway... if you can get them for free, why would you not do that?
The free ones are supposed to be used only for personal sites. Also, the fact that they tell me to go away and use a different browser when I try to sign up using Chrome does not fill me with warm feelings. Regards, John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. http://jl.ly
On 2012-02-16 17:13 , Christopher Morrow wrote:
On Thu, Feb 16, 2012 at 8:33 AM, John R. Levine <johnl@iecc.com> wrote:
I suppose if you buy a SSL certificate, you should be looking for your CA to have insurance to reimburse the cost of the certificate should that happen, and an ironclad "refund" clause in the agreement/contract under which a SSL cert is issued
These certs cost $9.00. You're not going to get much of an insurance policy at that price.
again, startssl.com - free. why pay? it's (as you say) not actually buying you anything except random bits anyway... if you can get them for free, why would you not do that?
Because they do not have a wildcard one for 'free', which is useful when one wants to serve eg example.com but also www.example.com from the same location along with other variants of the hostname. Except for that, it is a rather great offer. Though one can of course just serve the example.com one and force people after they accept to the main site.

I tend to stick CAcert ones on hosts and tell people to either just accept that single cert and store it for future checks or just install the CAcert root cert, that covers a lot of hosts in one go, given of course that one trusts what CAcert is doing, but that goes for anything.

The method that Firefox is using with the unchained certificates "save this unverified cert and as long as it is the same it is great" is in that respect similar to SSH hostkeys, one can verify those offline and just keep on using them as long as that cert is the same you are likely talking to the same host (ssl etc still don't cover compromised hosts).

In the end, they are just bits, and this whole verification thing at the verification of owner adds nothing except for an ease-of-use factor for the non-techy folks on the Internet.

Greets, Jeroen
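The name-coverage point raised in this thread (a certificate for example.com that also works for www.example.com, versus a wildcard), as an added example that is not part of any poster's message: a simplified RFC 6125-style match of hostnames against a certificate's subjectAltName dNSName entries. The SAN lists and hostnames are constructed, the function names are hypothetical, and the three-label minimum for wildcards is an assumption of this sketch.

```python
# Added illustration: which hostnames does a given set of SAN dNSName
# entries cover? Simplified RFC 6125 rules; not a full validator.

def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")

def san_matches(pattern, hostname):
    """True if one dNSName entry covers the hostname."""
    p, h = _labels(pattern), _labels(hostname)
    # A wildcard is only honoured as the entire left-most label.
    if any("*" in label for label in p[1:]):
        return False
    if p[0] == "*":
        # Assumption of this sketch: refuse patterns such as "*.com".
        if len(p) < 3:
            return False
        # The wildcard stands for exactly one non-empty label, so it
        # covers neither the apex nor deeper sub-domains.
        return len(p) == len(h) and h[0] != "" and p[1:] == h[1:]
    if "*" in p[0]:
        return False  # partial wildcards such as "w*" are rejected here
    return p == h

def coverage(sans, hostnames):
    """Map each hostname to whether any SAN entry covers it."""
    return {h: any(san_matches(s, h) for s in sans) for h in hostnames}

# Constructed SAN lists for four ways of buying "a cert for example.com".
CERTS = {
    "apex only":       ["example.com"],
    "apex + www":      ["example.com", "www.example.com"],
    "wildcard":        ["*.example.com"],
    "wildcard + apex": ["*.example.com", "example.com"],
}

# Constructed hostnames a site operator might serve.
HOSTS = ["example.com", "www.example.com",
         "mail.example.com", "a.b.example.com"]

if __name__ == "__main__":
    for label, sans in CERTS.items():
        result = coverage(sans, HOSTS)
        covered = [h for h, ok in result.items() if ok]
        missing = [h for h, ok in result.items() if not ok]
        print(f"{label:16} covers {covered} misses {missing}")
```

A wildcard entry alone leaves the bare domain uncovered, so checking the SAN list of an issued certificate against every hostname you actually serve catches name-mismatch warnings before clients see them.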
On (16/02/12 11:13), Christopher Morrow wrote:
again, startssl.com - free. why pay? it's (as you say) not actually buying you anything except random bits anyway... if you can get them for free, why would you not do that?
They may not charge money, but it's not really free. You have to provide them so much personal information, it feels like an invitation to identity theft. At the least what they collect would be valuable information to sell to marketeers.

They demand a valid residential address for the free personal-use certificate; a business address will not do (and they check). Our mixed-use building did not qualify.

Next option is one of their cheap business certificates, but then you must send scanned images of:

1. The cover of your passport
2. The first pages of the passport
3. The picture of you with your personal detail of your passport

and

1. Both sides of your drivers license or identity card or
2. Photo ID document issued by a local, state or federal authority.

In order to save a couple bucks, I'm gonna scan all this and send it off to somewhere in Israel??? Geotrust or Comodo don't put you through this. For $10, I'll keep my info, thanks.
In a message written on Thu, Feb 16, 2012 at 12:57:25AM -0600, Jimmy Hess wrote:
There is a risk that any CA issued SSL certificate signed by _any_ CA may be worthless some time in the future, if the CA chosen is later found to have issued sufficient quantities of fraudulent certificates, and sufficiently failed in their duties.
One thing I'm not clear about is, are there any protocol or implementation limitations that require only one CA? I would think I could take my private key and get multiple CA's to sign it, then present all of those signatures to the client. Should one CA be revoked, my certificate would still be signed by one or more others. Does this work? Does anyone do it? -- Leo Bicknell - bicknell@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/
In article <20120216162108.GA11808@ussenterprise.ufp.org> you write:
In a message written on Thu, Feb 16, 2012 at 12:57:25AM -0600, Jimmy Hess wrote:
There is a risk that any CA issued SSL certificate signed by _any_ CA may be worthless some time in the future, if the CA chosen is later found to have issued sufficient quantities of fraudulent certificates, and sufficiently failed in their duties.
One thing I'm not clear about is, are there any protocol or implementation limitations that require only one CA?
I've had the same cert signed by multiple CAs, although rarely at the same time. Never tried to present both versions in the same session, though. R's, John
On Wed, Feb 15, 2012 at 10:57 PM, Jimmy Hess <mysidia@gmail.com> wrote:
On Wed, Feb 15, 2012 at 6:49 PM, George Herbert <george.herbert@gmail.com> wrote:
On Wed, Feb 15, 2012 at 4:17 PM, John Levine <johnl@iecc.com> wrote: The problem with anything related to Verisign at the moment is that
The possibility of their root certs being compromised is nonzero.
The possibility of _ANY_ CA's root certs having been compromised is non-zero. There's no evidence published to indicate Verisign's CA key has been compromised, and it's highly unlikely.
Just as there's no evidence of other CAs' root certificate keys being compromised.
Please recall that this HAS happened to another CA in the last year.
There may be no problem; they also may be completely worthless. Until there's full disclosure... [snip]
They are not completely worthless until revoked, or distrusted by web browsers. ...
I think that's highly ass-backwards.

If it's been compromised and the compromise is not yet "fully known" - revoked by the CA or distrusted by browsers - we exist in a nether region where the customers connecting to "your" servers can be transparently Man-in-the-Middle attacked. If someone doing MitM to your customers would be a significant problem, then it's incumbent upon you to not put your head in the sand when there's a higher-than-normal risk that one CA may have A Problem.

The situation is in fact *worse* than "completely worthless". In that situation it has an active negative value.

This is complicated by the fact that you don't even need to be a customer of that CA for that to be a risk. If browsers trust that CA, and that CA's keys are loose, then anyone with those can impersonate anyone else on the net transparently.

But the fix for that revokes the root cert and all the signed certs for that CA. Immediately, if the browser vendors' response to the prior incident carries through to a new one. Buying new certs or continuing to use certs that have a noticeable risk of immediate revocation seems ... unwise.

Again - I don't know if it's been compromised. The vendor is not being forthcoming at that level of detail yet. They are evidently still trying to figure out how bad the penetration was. That is not a good sign, but does not automatically mean the worst by any means.

-- -george william herbert george.herbert@gmail.com
On Thu, Feb 16, 2012 at 12:17:00AM -0000, John Levine wrote:
Almost everyone are basically just selling an "activation" with one of the SSL certificate authorities.
I usually buy a "RapidSSL" (Verisign) certificate from https://www.sslmatrix.com/ -- they seem to have some of the best prices and the rapidssl enrollment process is very efficient (at least for the cheap automatically "validated" products).
I get my RapidSSL and Comodo from these guys. Prices look about the same:
If you order a cert for example.com, Comodo's also work for www.example.com, no extra charge.
R's, John
Comodo ever get "fixed" ?? /bill
participants (18)
- Alexander McMillen
- Ask Bjørn Hansen
- Blake T. Pfankuch
- bmanning@vacation.karoshi.com
- Christopher Morrow
- George Herbert
- Henry Yen
- James Triplett
- Jeroen Massar
- Jimmy Hess
- John Levine
- John R. Levine
- Josh Baird
- Ken A
- Leo Bicknell
- Matthew Huff
- Michael Carey
- Paul Norton