Ask HN: Is StartSSL worth the $0 price tag?

9 pointsnZac11y ago12 comments

I am trying to secure a low traffic site but need a certificate. Is StartSSL a good option or should I spend money on another service?

I am helping a non-profit that has a very low budget and I want to be helpful without causing long-term ramifications (of which I am currently ignorant of). Thanks for any help, this stuff is confusing and I am new to it!

12 comments

lsc11y ago

I have a related, and broader question. Is there any difference, practically speaking, between one CA and another, besides browser compatibility? Assuming that it's accepted by browsers, is there any reason to go with a more expensive provider that does a stronger verification of you rather than a cheaper provider that just sends a confirm to an email in your domain whois?

dm211y ago

No, they're not a company that I personally would suggest.

I highly recommend Comodo bought from NameCheap: https://www.namecheap.com/security/ssl-certificates/comodo.a...

Another heartbleed type incident could happen in the near future (lots of eyes on that codebase now) and their strict policy will leave you choosing between coughing up $35 per certificate or leaving your site vulnerable.

There has even been a large amount of discussion regarding removing them from the trusted list of certificate authorities because most of their users can't afford to revoke certificates and have no choice but to leave their sites vulnerable.

logn11y ago

I also like Comodo+NameCheap. I once tried to buy Comodo elsewhere and the cert activation process was much less friendly (they didn't recognize my authorized whois email of record). Another nice perk I just realized, NameCheap gives you the whole term of the cert from the time you activate the cert, not from the time you purchase (maybe that's common though).

That said, I think the bad press StartSSL is getting is mostly undeserved. You can either choose a free cert with the outside chance you'll want to pay to revoke it, or just automatically pay up front every term. Probabilistically, they still have the cheapest option. And are site admins who can't/won't pay $35 really that likely to have a very secure server anyhow? That means they would have never bought SSL anyhow without StartSSL.

samhamilton11y ago

We used them to secure internal only apps we ran, to stop staff getting used to ignoring the warning pages if the certs are self-signed. Yer ok the signup process is a pain but we had an amazing system admin who knew their stuff so got up and running in no time.

TheLoneWolfling11y ago

Whatever happened with "StartSSL, please revoke me"?

dm211y ago

"Sure, pay us $35."

I believe the exact quote during the Heartbleed incident was, "Dead serious." https://twitter.com/startssl/status/453631038883758080

TheLoneWolfling11y ago

I meant the fate of the person who posted his private key trying to work around that more-than-issue. (as, IIRC, under the terms of being in the Mozilla repository StartSSL was obligated to revoke certificates that were known to be compromised)

jburwell11y ago

I have used them in the past with no issues for personal sites. What are your concerns? In many aspects, a cert either "works" or it doesn't (in most cases, a SSL trusts the cert without warning). Generate a private and CSR that meet your security requirements (e.g. key length, cipher set, etc), submit it to StartSSL, and verify the resulting cert. If it meets your specs and is trusted by the SSL engines you use then you are good. If not, you will need to find another CA.

nZacOP11y ago

My concern revolves around credibility. They took a beating after Heartbleed regarding the cost of revocation for certificates/credentials affected. While that is mostly a business decision on their end– it raises concerns about what their business is about. Nothing is "free", it just might not cost currency. "If you don't pay for the service, you are the service."

Since I don't have experience with them I am looking for some level of assurance that they are a legitimate service. In my opinion it is difficult to gain that assurance just from their website.

jburwell11y ago

Heartbleed had nothing to do with certs themselves, but instead, with how OpenSSL implemented an aspect of connection negotiation. Hence, the issue was isolated to OpenSSL not other SSL implementations or the SSL/TLS standards themselves.

In terms of "credibility", the issue comes down to how many browsers include their root cert by default. As far as I know, IE, Firefox, and Chrome include it meaning that it will be trusted by default.

The way they make money is selling other types of services such as wildcard and "green bar" certs. I think the folks running it want to see a wider use of SSL, and see providing free host-based certs as a good way to accomplish that goal. Bear mind, there zero cost to signing a cert ...

ansid11y ago

I have paid wildcard certs with them. Their site is weirdly designed and heavy on the self-service, but I have no complaints about them. I have revoked certs with them and everything has been reasonable.

That said, why does it matter if they're "credible"? Their certs are accepted by pretty much every browser, OS and library, and they have a long track record as a CA.

Regardless, as a business I have had business dealings with, let me assure you they are a "legitimate service".

1 more reply

j / k navigate · click thread line to collapse

12 comments

lsc11y ago

dm211y ago

No, they're not a company that I personally would suggest.

I highly recommend Comodo bought from NameCheap: https://www.namecheap.com/security/ssl-certificates/comodo.a...

logn11y ago

samhamilton11y ago

TheLoneWolfling11y ago

Whatever happened with "StartSSL, please revoke me"?

dm211y ago

"Sure, pay us $35."

I believe the exact quote during the Heartbleed incident was, "Dead serious." https://twitter.com/startssl/status/453631038883758080

TheLoneWolfling11y ago

jburwell11y ago

nZacOP11y ago

Since I don't have experience with them I am looking for some level of assurance that they are a legitimate service. In my opinion it is difficult to gain that assurance just from their website.

jburwell11y ago

ansid11y ago

That said, why does it matter if they're "credible"? Their certs are accepted by pretty much every browser, OS and library, and they have a long track record as a CA.

Regardless, as a business I have had business dealings with, let me assure you they are a "legitimate service".

1 more reply

j / k navigate · click thread line to collapse