Good SSL providers

What are good SSL providers? It should be cheap and not likely to have any problems. Is it possible to have certificates for multiple domains?

GoDaddy seems to offer them for pretty cheap, but their webhosting wasn't that great, so I'm skeptical.

There's also this one that's cheap: http://www.namecheap.com/ssl-certificates/comodo.aspx

22 Replies

namecheap's pretty good, if you buy a lot of certificates you can join their reseller program which gets you a bit of a discount.

You can have certificates for multiple subdomains i.e. http://www.domain.com test.domain.com and domain.com but not for different domains.

…well actually you can but not cheaply.

StartSSL provides free basic SSL certs. (I'm not sure if they allow commercial usage?)

Aside from that, resellers are a dime a dozen, with similar-ish prices. I'd probably just get certs from a decent host, registrar or CA I already do business with if their prices are okay. Namecheap has a good reputation; I've used them for SSL certs in the past, though not for domain registrations.

I use StartSSL for small un-important sites. Free is a great price and there's nothing wrong with the certs. I just wouldn't use them for security critical sites because StartSSL has been compromised in the past.

Some of my clients (who I put on Linode) use GoDaddy for certs and it's just … bad. It's very confusing figuring out how to renew certs and they confuse people into renewing certs early (so in other words these bamboozled clients end up getting only 10-11 months out of a 1-year cert).

I had moved all my domains away from GoDaddy to my own OpenSRS reseller account and have bought certs there, but it's still not particularly cheap.

As for truly cheap, I don't know what their regular prices are but there is a summer sale for $6.95 Comodo certs at GetSSL.me

I was about to go with StartSSL and see if they would actually care that I was giving PO box, but they gave insulting error messages and they seem really suspicious about constantly asking for personal information.

I'll probably go with Namecheap and make the sales pitch to Sturmwächter.

Mostly what it's going to be for is securing the password entry on wikis and any other communication that might happen. I'm not sure how necessary it is for that, but I assume that it's better than not having it. Wikipedia is using SSL.

I've used gogetssl.com and centriohost: https://billing.centriohost.com/cart.php?gid=7

The last one is the cheapest for wildcard SSL I've found.

@nfn:

I've used gogetssl.com and centriohost: https://billing.centriohost.com/cart.php?gid=7

The last one is the cheapest for wildcard SSL I've found.

Thanks. That's really great. Wildcard is important. Only $10 per year is a good price.

EDIT

The Google AdSense bars on all my websites are now giving me ads for SSL providers. GOOGLE KNOWS EVERYTHING I DO!

Just found this topic about CentrioHost: http://www.lowendtalk.com/discussion/12234/centrio-host-gone

Can you please clarify whether you need a multi-domain or multi-subdomain SSL certificate? The price difference will be huge between these two SSL certificates.

For your information: if you are looking for multi-domain SSL, you will have to go with a SAN certificate, which starts from $159 per year if you choose GeoTrust True businessId multi domain SSL from their authorized resellers like theSSLshop, and you can save more than $40 on the same certificate.

For just a basic SSL level 1 cert, I used to use StartSSL, until they started to decline renewals. Seems they would look at the site and if they found you used a PayPal cart, they would say you had to use a Level2 cert which cost more than a basic level GoDaddy cert… kind of stupid since the PayPal cart uses PayPal's servers and its certs. They would not budge on this even though the renewal was for a cert they approved the year before.

Now use Namecheap for normal certs (about $9 a year) https://support.namecheap.com. Unlike StartSSL, you can rekey for no extra fee which is especially nice if you are dealing with someone that is giving you a CSR and doesn't know what they are doing.

If I need a UCC/SAN cert (Multiple domains), I use GoGETSSL https://gogetssl.com which was around $105/yr (6 domains).

If you are doing anything merchant level though, you need to use a merchant SSL cert which is class 3 or better.

Has anyone pointed out that the whole SSL certificate setup is compromised by design?

Many organizations can issue certificates for any site and many of these have provably issued fake certificates or had signing keys stolen from them in the past.

I'm not saying don't use them, just don't trust them too far.

I tried the Start SSL using the ADCOM PO box; they can **** it if they decide to cry about that. They should be aware that they seem like * sex predators. I dropped it because I couldn't even find where I download the cert and you apparently don't even create an account; it just puts some file that I don't even know how to keep track of on your browser instead of actually logging in. I can't express how monumentally stupid that is.

The main thing that SSL would be for is logging into MediaWiki. I want to try to keep costs down, because I don't think Sturmwaechter is going to go for anything expensive, especially when many wikis don't use SSL. A wildcard SSL cert would be good on .ssu.lt since it's our "TLD" like .org.uk or sth like that. Wildcard seems expensive though. I could go for cheap individual certs on sturmkrieg.us and sturmkrieg.de, but they also have sturmkrieg.com aliased to them. We also would want to secure the companion wikis that are for canon, in order to avoid the confusion that would result from combining fanfic and canon, as I've seen people do. The canon wikis are also at 40k.en.sturmkrieg.com and 40k.de.sturmkrieg.com. There are also many links to en.sturmkrieg.com, which is now www.sturmkrieg.us.

@Ox-:

I use StartSSL for small un-important sites. Free is a great price and there's nothing wrong with the certs. I just wouldn't use them for security critical sites because StartSSL has been compromised in the past.

I think a few of you guys misunderstand how the whole system works. In order to impersonate your web site to the clients, all I need is a certificate for your web site issued by any of the certificate providers. In other words, if I can compromise StartSSL, then I can impersonate your web site, no matter where you got your certificate from.

@Inquisitor Sasha:

I dropped it because I couldn't even find where I download the cert and you apparently don't even create an account; it just puts some file that I don't even know how to keep track of on your browser instead of actually logging in. I can't express how monumentally stupid that is.

This is not "stupid"; this is you not understanding the technology.

You do have an account; your authenticator is a SSL certificate and not a password. In theory this is stronger than password authentication and so protects your login at startssl better than a mere password.

Of course this is "advanced" use. Indeed, on Firefox, you'll find this under the "Advanced" tab in the preferences menu, sub-tab "certificates".

However you appear to have a hard-on for being anti-startssl, so I don't suppose you care about any of this.

@sweh:

@Inquisitor Sasha:

I dropped it because I couldn't even find where I download the cert and you apparently don't even create an account; it just puts some file that I don't even know how to keep track of on your browser instead of actually logging in. I can't express how monumentally stupid that is.

This is not "stupid"; this is you not understanding the technology.

You do have an account; your authenticator is a SSL certificate and not a password. In theory this is stronger than password authentication and so protects your login at startssl better than a mere password.

Of course this is "advanced" use. Indeed, on Firefox, you'll find this under the "Advanced" tab in the preferences menu, sub-tab "certificates".

However you appear to have a hard-on for being anti-startssl, so I don't suppose you care about any of this.

Thanks for explaining, I find it useful. So it basically uses an SSL certificate like SSH key-only login. That is stronger, but they do a poor job of explaining that, plus I failed to see where anything was being downloaded to. I might go with wildcard SSL, since it will be needed for sturmkrieg.com and .ssu.lt. What I really would want is sth that doesn't require multiple IP addresses.

Yeah, SSL Certs are similar to ssh keys, but they're X509 format.

You would have had to click a button to accept the certificate into your browser.

Wildcard SSL certificates will not do cross-domain; a cert for *.sturmkrieg.com will not work for *.ssu.it; you'll need at least two wildcard SSL certs for that.
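The wildcard rule from the post above, as an added example that is not part of the original thread: a checker for which hostnames a certificate's SAN entries cover, run over the hostnames mentioned in this discussion. The function names are hypothetical, `wiki.ssu.lt` is a constructed name, and requiring two fixed labels after `*` is a simplification of the public-suffix check real clients perform.

```python
# Added example: RFC 6125-style matching of hostnames against SAN dNSName entries.

def san_matches(pattern: str, hostname: str) -> bool:
    """True if one SAN entry covers hostname.

    A wildcard is honoured only as the complete left-most label and stands
    for exactly one label: it never spans a dot, never matches the bare
    parent domain, and never crosses into another registered domain.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Assumption: at least two fixed labels, so "*.com" is rejected.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def uncovered(sans, hostnames):
    """Hostnames that no SAN entry in the certificate covers."""
    return [h for h in hostnames if not any(san_matches(s, h) for s in sans)]


# Hostnames taken from the thread, plus one constructed name under ssu.lt.
HOSTS = [
    "sturmkrieg.com", "en.sturmkrieg.com", "40k.en.sturmkrieg.com",
    "40k.de.sturmkrieg.com", "www.sturmkrieg.us", "sturmkrieg.de",
    "wiki.ssu.lt",  # constructed
]


def report():
    """Compare a single wildcard cert with a multi-domain (SAN) cert."""
    one_wildcard = ["*.sturmkrieg.com"]
    multi_san = [
        "sturmkrieg.com", "*.sturmkrieg.com", "*.en.sturmkrieg.com",
        "*.de.sturmkrieg.com", "www.sturmkrieg.us", "sturmkrieg.de",
        "*.ssu.lt",
    ]
    return uncovered(one_wildcard, HOSTS), uncovered(multi_san, HOSTS)


if __name__ == "__main__":
    missing_wildcard, missing_san = report()
    print("not covered by *.sturmkrieg.com:", missing_wildcard)
    print("not covered by the SAN cert:", missing_san)
```

A single `*.sturmkrieg.com` certificate covers only `en.sturmkrieg.com` from this list; the bare domain, the two-level `40k.*` names and every other domain each need their own SAN entry or certificate.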

@Inquisitor Sasha:

That is stronger, but they do a poor job of explaining that, plus I failed to see where anything was being downloaded to.

It's explained on their enroll page and their FAQ details how to back up your certificate.

http://www.startssl.com/?app=32

http://www.startssl.com/?app=25#4

Just to let you know: http://lowendtalk.com/discussion/12984/alphassl-wildcard-standard-at-2-5-only-cheapest-wildcard-ssl-offer-2nd-intake

@neo:

@Ox-:

I use StartSSL for small un-important sites. Free is a great price and there's nothing wrong with the certs. I just wouldn't use them for security critical sites because StartSSL has been compromised in the past.

I think a few of you guys misunderstand how the whole system works. In order to impersonate your web site to the clients, all I need is a certificate for your web site issued by any of the certificate providers. In other words, if I can compromise StartSSL, then I can impersonate your web site, no matter where you got your certificate from.

Correct, but (usually) a compromised CA is removed from root certificates. This, in effect, revokes your cert. I say usually because StartCOM seems to be an exception. I think they take security seriously, and I wouldn't even be surprised if they are more "hardened" than most CAs, but it still makes me hesitant to use them for a high security site.

@Ox-:

@neo:

@Ox-:

I use StartSSL for small un-important sites. Free is a great price and there's nothing wrong with the certs. I just wouldn't use them for security critical sites because StartSSL has been compromised in the past.

I think a few of you guys misunderstand how the whole system works. In order to impersonate your web site to the clients, all I need is a certificate for your web site issued by any of the certificate providers. In other words, if I can compromise StartSSL, then I can impersonate your web site, no matter where you got your certificate from.

Correct, but (usually) a compromised CA is removed from root certificates. This, in effect, revokes your cert. I say usually because StartCOM seems to be an exception. I think they take security seriously, and I wouldn't even be surprised if they are more "hardened" than most CAs, but it still makes me hesitant to use them for a high security site.

Many of the certificate providers have been compromised over the years (not only StartCOM) and most of those are still in the browser's root certificates list.

The only security aspect of this system that actually does work (protection of client/server communication from anyone who can not compromise ANY of the providers), works equally well with certificate from ANY provider.

@nfn:

Just to let you know: http://lowendtalk.com/discussion/12984/alphassl-wildcard-standard-at-2-5-only-cheapest-wildcard-ssl-offer-2nd-intake

Gave one a shot for a test domain. Just like any different process, but it was easy to use and install. Even without the promo, $10 a year for a wildcard low level cert is not bad.

Had awful experience with godaddy in the past and their pricing policy is just strange. More recently I tried the same provider Ox- mentioned - getssl.me and had a great experience with them. However for non-profit/personal websites startssl is a no-brainer.

@nfn:

Just to let you know: http://lowendtalk.com/discussion/12984/alphassl-wildcard-standard-at-2-5-only-cheapest-wildcard-ssl-offer-2nd-intake

Looks like that's good. $10 per year for a wildcard SSL. That's doable with pricing also, with just 4-5 domains.
