CAs won't alert you if someone breaks into your server and replaces your certificate. They won't alert you if you accidentally push a config change and start serving the wrong certificate to customers... And they certainly will not alert you if you are using a revoked certificate in production.
I've bought multiple certificates from different reputable vendors - I only ever got one Heartbleed notice. (This pattern repeats itself)
Many shops don't have a dedicated admin / webmaster auditing their certificates and even those that do have had public issues (Akamai, Apple, GitHub, Stripe...etc)
The value in a service like Snitch is that we worry about your SSL certificates. Many people don't have the interest or time in rolling their home grown monitoring of this stuff...
You have valid points, my advice would be to make that part of the message as clear as possible. As a sys admin I could be a potential customer but then again, I already have to worry about certs I implement.
Early bird special: Renew your <website> to save
Keep <website> Secure, renew your SSL
Last chance to save: Your <website> is expiring
ACTION REQUIRED: Your SSL needs attention
FINAL NOTICE: Your SSL expires tomorrow
LAST CHANCE: Your SSL expires today
SECURITY ALERT: Your <website> may not be secure
ACTION REQUIRED: Your SSL needs attention
SSL EXPIRED: Renew to rescue
CALL US: SSL for <website> is expired
Your last SSL expiration notice for <website>
I was actually relieved when they finally stopped mailing me... And only 25 for enterprise? Our midsize business is currently using 416 certs.
We do more than you can do by scripting OpenSSL. For example: as far as I know OpenSSL won't warn you if your certificate is signed using SHA1 - one of several new features we're about to push out.
More generally, scripting OpenSSL requires knowledge, time and infrastructure many people aren't able or willing to invest (what is monitoring the monitor...)
Unless those include SMIME certs, but still...
In any case, very nice execution on the front end. Good job.
We're constantly improving and adding extra checks.
Have >25 certs? Add this check to Nagios: http://exchange.nagios.org/directory/Plugins/Network-Protoco...
Saved you $200/month :)
These are very different services.
Voodooalerts requires you to place JS on your page. Because of this I am sure they cannot run the full suite of audits that Snitch does.
Where are you incorporated, if? The terms say nothing about it. Who is my contract party when I sign up?
We're in Oakland, California.
Not a big fan of pricing plans that mix volume with features, always makes me feel I'm being screwed when I only need one or the other. (Even though I might be perfectly fine with paying the same amount if the pricing structure was different.)
Definitely something we'll consider. Email me if I can help out in any way! hn username at currylab.com / gmail.com
Though I do wonder if "this is a feature, not a company"?
We're constantly improving and rolling out new features. We're confident that over time your question will become less of a question :-)
We've been working on this for a few months and would appreciate any feedback - thanks!
If anyone wants to email me directly it is my username at currylabs.com or gmail.com
PS: If you are an Open Source project we offer free subscriptions.
That is definitely on the roadmap and will go out soon.
Does DigiCert provide any guarantees on how often they monitor your certificates? Do they offer any alert mechanisms other than email? Do they let you monitor certificates that are on your critical path but not necessarily ones you own (partners, etc.)?
You also mention cost... but since you are not paying them you are not their customer - you are their product.
Snitch is clearly aligned with customers since our goal is to help you succeed at securing your site. Our goal is to make it easy for you (site owner) to do the right thing and provide a good experience to your customers.
Their monitoring includes SSL cert validity, among many other things.