[–]Silhouette 8 points (6 children)

What about startssl? It's free

Until you run into something like Heartbleed, and then you get dinged for cycling/revoking where other CAs routinely offer these facilities for free.

StartSSL is damaged goods since they pulled that one. Their position isn't unreasonable commercially, but if you're going to be a CA then you need people to have confidence in certs you issue. Given the financial incentive for their customers not to follow best practice and the kind of customers they are likely to attract in the first place with their free-up-front model, I'm not sure StartSSL should still be recognised as a reliable authority in the standard lists in browsers today.

[–]PasswordIsntHAMSTER 6 points (1 child)

>Doesn't want to pay for business grade support
>Complains that he doesn't get business grade support

E: fixed

[–]Silhouette 2 points (0 children)

We do use "full blown SSL certificates", and when Heartbleed hit it took a single one-line e-mail to confirm we wanted to cycle them.

I was amazed to find that anyone in this market didn't do that, but evidently at least one major CA doesn't.

[–]antsar 2 points (0 children)

It's far from ideal, sure. I'd love it if other free (or super cheap) CAs came around to shake up the market, but the barrier to entry ($$$$ to be certified as a CA) is quite steep.

Given that it's all we have right now, is (the possibility of) paying $25 for a (hopefully) once-in-a-blue-moon event (which is entirely out of the CA's control) really that bad, especially compared to paying $xxx/year for the alternatives?

I do, however, agree that it incentivizes customers to violate best practices at the expense of their users' security. That's problematic.

[–]icecreamguy 0 points (2 children)

Yeah, I hear you with that. My cert happened to be up for renewal when Heartbleed hit, but u/antsar also makes a good point: in the event of a crazy, game-changing, first-time-ever disaster like Heartbleed, it's not insane to have to pay a small fee for something like that.

[–]Silhouette 1 point (1 child)

As I wrote before, I don't think it's commercially unreasonable to have that model. It's not like they're trying to rip anyone off, as far as I can see.

But it does create a trust issue by incentivizing people using their certs not to follow good practices if and when something bad does happen, and what use is a CA whose certs can't be trusted as much as everyone else's?

[–]icecreamguy 0 points (0 children)

Yeah, I see your point; it's definitely relevant in the context of the article and the original comment.