Saturday, January 29, 2011

Choosing a low cost wildcard SSL cert (PositiveSSL, RapidSSL, or other)?

I'm looking to put in place a wildcard SSL certificate for a server that will be providing REST style web services to multiple subdomains.

We use NameCheap.com for our DNS services and they offer a choice of 2 very competitively priced wildcard certs:

PositiveSSL Wildcard: $129.99/yr
RapidSSL Wildcard: $148.88/yr

Is there any reason to choose one of these branded certs over the other?

Or are there problems with these low cost certs that we should be aware of? If so, what SSL vendor/products do you recommend and why do you recommend them?

Thank you, Malcolm

  • We use GoDaddy and we like it :)

    You could use this website to get an opinion: http://www.sslshopper.com/ssl-certificate-wizard.html

    Lukas Loesche : I second that. We're very satisfied with GoDaddy too.
  • The short answer is that cheaper certificates tend to be chained certificates and/or the issuing Certificate Authority (CA) root certificates may be included in fewer browsers, in particular in older browser versions. Most issuers advertise 99% browser compatibility, so I don't know if this is a major issue anymore.

    In addition, if this was for an e-commerce web site, using a well-known CA may be seen as being better for having an established reputation for better trust-worthiness. I'd not send my credit card to a site using an SSL certificate from HappyLuckyBrand that I've never heard of.

    Lukas Loesche : So true! Though sadly you're probably one of the 0.000001% that actually know and/or care which CA issued the cert. I think the CA is more of an issue with EV certs where you see the name of the issuer next to the URL. Not so much with the traditional standard SSL certs. And to the best of my knowledge there are no EV wildcard certs yet.
    Robert : Almost all CAs issue chained certificates now (even VeriSign) because it is better for security. And the only CAs that aren't included in 99% of current and older browsers are super-cheap CAs like StartCom and CACert. Brand is definitely an important consideration for an e-commerce site but it is hard to tell how important.
    From mctylr
  • I've used RapidSSL for years for my clients and have no problem with them at all with browser support.

    Pros: Super-fast verification: some of them require you to fax in company letterhead, and/or their "verification team" takes 3-4 business days to activate. RapidSSL uses an automated system whereby you're presented with a verification code on the screen that must be keyed into the phone when they call.

    Cons: Phone support is a bit spotty, although I've only had to call them once when I didn't have a direct line to use... which brings me to the second minor con: you need a direct line, no extensions, etc. and it can't be a cell phone for the verification to work. This usually isn't an issue though as you can give the receptionist a heads-up that you're expecting a call in x amount of seconds (you can specify how long to wait to dial).

    Again, these are all really minor when you factor in the low cost and the near-instant access to your certificates.

    gravyface : Strange. I just bought another one today and went through the same automated phone verification as I always do; done in 15 minutes.
    From gravyface
  • I use RapidSSL. Clients that access my site are all Fortune 500 type companies. None of them have ever had a problem with the certificate that I use.

    I use Qualys to scan against my network. I have customers that use IBM's AppScanner against my network. These tools (one of their jobs is to) evaluate the certificate. Never have they complained about the certificate.

    RapidSSL calls every year to remind me to renew, and to sell me their more expensive certificate. The only difference in the more expensive certificate is the name from the end user's point of view. The reality is that a RapidSSL certificate has been issued without full verification of the user or business purchasing it (as mctylr is saying with "trust-worthiness").

    And with wildcard certificates, you cannot always use the base name with the cert. For instance: I buy a wildcard for *.mydomain.com and can put anything in for the star. But I cannot use it for just http://mydomain.com. Some others allow you to do this.

    From Leo
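The bare-domain limitation Leo describes follows from how TLS clients match wildcard names (RFC 6125 section 6.4.3). The following is an added example, not code from the original thread: it implements that matching rule over a certificate's SAN dNSName entries, using constructed SAN lists, and shows that `*.mydomain.com` alone never covers `mydomain.com`, while issuers that "allow" the bare domain do so by adding it as a second SAN name. It checks names only, not expiry, chain or signature.

```python
# Added example (not from the original thread): how a TLS client decides whether a
# wildcard certificate covers a hostname, following RFC 6125 section 6.4.3.

def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if one SAN dNSName entry (possibly a wildcard) covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname          # plain name: exact match only
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole left-most label and appear nowhere else
    # (partial forms like f*.mydomain.com are rejected, as most clients do).
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False
    # Refuse "*" and "*.com": a wildcard needs at least two fixed labels.
    if len(p_labels) < 3:
        return False
    # The wildcard stands for exactly one label, so label counts must agree:
    # *.mydomain.com matches api.mydomain.com but not mydomain.com (one label
    # short) nor a.b.mydomain.com (one label too many).
    if len(h_labels) != len(p_labels) or "" in h_labels:
        return False
    return h_labels[1:] == p_labels[1:]


def cert_covers(san_dns_names, hostname: str) -> bool:
    """True if any dNSName in the certificate's SAN covers hostname."""
    return any(name_matches(n, hostname) for n in san_dns_names)


def uncovered_hosts(san_dns_names, hostnames):
    """Return the hostnames a certificate with these SAN names would NOT cover."""
    return [h for h in hostnames if not cert_covers(san_dns_names, h)]


if __name__ == "__main__":
    # Constructed SAN lists for the two situations described in the answer.
    wildcard_only = ["*.mydomain.com"]
    wildcard_plus_base = ["*.mydomain.com", "mydomain.com"]
    hosts = ["api.mydomain.com", "mydomain.com", "a.b.mydomain.com"]
    print("wildcard only, uncovered:", uncovered_hosts(wildcard_only, hosts))
    # -> ['mydomain.com', 'a.b.mydomain.com']
    print("with base SAN, uncovered:", uncovered_hosts(wildcard_plus_base, hosts))
    # -> ['a.b.mydomain.com']
```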
  • Over the years I have moved through Verisign, GoDaddy, RapidSSL, InstantSSL and a couple of others and have now ended up with StartSSL.

    So far I have had no problems with certs from StartCom's StartSSL. Like many they have an intermediate on the server but no client problems have shown with FF, Chrome or IE. Good fast support too.

    The powerful thing with StartCom is they verify the person (and organization) for Class 2 certs and once the person is approved they can have certs issued for any domains they can validate as under their control. They do individual validation with two forms of photo ID and a phone call.

    Domains are validated, as commonly done, via the registry email contacts for the required domains.

    Organizations need registration documents etc. and a call, along with the prerequisite individual validation.

    The one off fee of $50 or so allows an individual unlimited certs on the domains they validate.

    This brings the cost down dramatically and makes perfect sense as the main costs are not actually issuing the certs but validating the identity of the certificate recipient and then their right to get domains validated. Different but a good business model for both sides I think.

    I also think (regrettably) few site users are concerned by the issuer though some have been confused by the bar on the EVs and wondered where the info was going!

    jnaab : I also like the StartCom CA pricing model--you pay for the level of validation you desire (right up through EV) and generate the certificates you require at no additional cost. They even provide a WoT model to provide additional value to the free certificates for things like S/MIME signed/encrypted e-mail (a welcome alternative since the demise of the Thawte Freemail WoT in November 2009). The biggest drawback is the dearth of StartCom notaries in most localities.
