Skip to content

Top Best Ask Show New Jobs

Ask HN: Where should someone buy a SSL certificate?

22 pointsmihok12y ago13 comments

There always seems to be talk about some SSL cert service (VeriSign) that has been hacked or gone under. I'm trying to buy my first SSL certificate and there are so many options out there that its hard to know which one, what are the risks? Is any certificate authority okay? Will self signed certs be good enough?

Clearly the issue is the man-in-the-middle attack, which I have a high level understanding of, and makes every CA susceptible to the same attack if they are compromised.. but are there good CA's that people have had experience with? Is it less safe to get a wildcard cert than individual certs for each domain?

Thanks HN

13 comments

13 comments · 6 top-level

sillysaurus312y ago· 2 in thread

If you're worried about certain governments MITMing you, the answer is that it's hopeless to rely on SSL to provide protection.

I don't know a good recommendation. I just wanted to clarify that SSL provides no protection in that particular case.

mihokOP12y ago

Makes sense, does that in turn mean that SSL is really a 'hopeless' cause and using self-signed just for the image of 'https' showing in the location bar on a browser enough? Seems like a pointless exercise to me knowing that someone somewhere (government or not) could still access it

sillysaurus312y ago

Just to clarify, I think using some reliable and trustworthy SSL cert vendor is the way to go. It just won't protect you from the aforementioned parties. Nothing will at this point.

SSL protects you and your users from many other attack vectors, and is important. It wasn't my intention to argue against SSL, just to point out the truth of our modern day situation.

jipy912y ago· 2 in thread

I used StartSSL class 1 certificate for my app (unherd.co). Its free and valid for one year. Here is a good guide that might be of help - https://konklone.com/post/switch-to-https-now-for-free?hn

akg_6712y ago

I also used StartSSL class 1 for my site (peercube.com) and will highly recommend the help link you provided for getting and installing the certificate.

OWaz12y ago

I used the same certificate from StartSSL and got an A- grade from SSL Labs.

ch21512y ago· 2 in thread

You get a standard SSL certificate free for a year with domain names at Gandi.net. I think I'm also right in saying transfers are included. Can't really vouch for their security but from what I have read the company's "no bullshit" approach is right up my alley. The riseup.net collective recommend them too.

euantorano12y ago

+1 on Gandi.net from me too. Got several domains/SSL certs from them. The base (free) SSL certificate is pretty basic, but they also offer higher levels of security at a cost.

amybe12y ago

Thanks for the recommendation. I can confirm that you get a free one-year cert whether the domain has been registered at Gandi or transferred in.

fsk12y ago· 1 in thread

My domain registrar (namecheap) offers SSL certificates cheap.

All you need is for your domain to show up with the little special icon in the browser when you use https. Other than that, it doesn't matter. Get the cheapest one that browsers recognize.

Patrick_Devine12y ago

I just bought a Comodo PositiveSSL Wildcard cert from them last week. It was a little confusing, but they were quite responsive when I pointed out some bugs in the registration service. I would definitely recommend them.

clinton_sf12y ago

StartCom/StartSSL thwarted a recent hack attack, according to: http://www.informationweek.com/attacks/how-startcom-foiled-c...

Their due diligence on verifying who is requesting the cert probably helped; but I've seen some people complain that it's not a quick/easy process: http://danconnor.com/post/50f65364a0fd5fd1f7000001/avoid_sta...

ancarda12y ago

>Will self signed certs be good enough?

For public consumption, no. For anything internal, yes.

j / k navigate · click thread line to collapse