I need to buy a wildcard SSL certificate. I took a look at some of the rating sites like sslreview.com, sslshopper.com, bestsslcertificate.com, all of which appear to be owned by an SSL issuer -- in other words, totally biased and filled with fake reviews. What's a developer to do?
What exactly are you looking for in the review?
(I'd note that sslshopper.com isn't owned by any CA as far as I'm aware - though it probably has fake reviews.)
Certs are really broken down into 3 validation 'standards' and 3 'types' of certificate.
Some types aren't available in certain validation standards.
Most certificates are technically and functionally identical.
The exception being the EV certificates which activate the 'green bar' UI in most modern browsers.
EV - Extended Validation
Those you'll pay more for and wait longer to get - and in some cases (dependent on your status as a corporation) you may not be able to get one at all.
They are more expensive, but many CAs and resellers have offers on making them more cost-effective.
Available as single-domain or multi-domain only. 1-2 year duration.
OV - Organisation or 'business' Validation
Full business information is checked and confirmed; usually a telephone call is required from the CA to you.
Those business details are signed into the certificate - though the browsers don't really display them in any meaningful sense like EV.
Available as single, wildcard and multi-domain.
DV - Domain Validation
Issued solely on the basis of you 'proving' you control a domain. The method for doing this is usually an email to an administrative contact or WHOIS contact at your domain. A few CAs offer some other mechanisms using DNS or HTTP.
Nothing identifying you beyond your domain name appears in the certificate - but from a user point of view they won't really see the difference.
Available as single, wildcard and multi-domain.
Firstly decide if the green EV chrome is important to you or not.
If not, then either of the other two validation levels will work fine. It's really then deciding which type you need.
Single domain - covers a single FQDN, sometimes including the 'www' if you request it for 'domain.com', which is useful.
Wildcard - covers all subdomains of a domain, like *.domain.com. Useful if you plan on deploying over many subdomains.
UCC/Multi-domain - covers multiple separate FQDNs, from different TLDs/ccTLDs. Used often with Exchange, or if you have several ccTLDs on the same site, like domain.com, domain.net, domain.co.uk.
Finally, the CA choice. Honestly, there's not a lot of difference. When the cert is correctly installed, you won't have issues in most major browsers and mobiles with any of them.
You can pay for the brand (Symantec) and you can pay for extra 'frills' (warranty, logos). That's your call.
Go for any one of the major CAs (Symantec, Comodo, GoDaddy if you can stomach them, Entrust) and you'll not have an issue. You might want to check what their policy is on re-issues if you move hosts or tend to lose all your configurations often!
Resellers for those may offer better pricing. There are a number of 'SSL aggregators' who offer products from all CAs together. Check any offers they have.
If you really don't want to pay, try StartCom. Eddy runs a great company, and aside from some potential issues you might see with older platforms or older mobile devices, you can't go wrong for free!
* Disclaimer - I work for a major CA, but I've tried not to push them. Email on profile if you've further questions.
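An added example, not part of the answer above: a small Python check of which hostnames each of the three certificate types covers, using the standard matching rule that a `*` stands for exactly one leftmost label (so a wildcard covers neither the bare domain nor nested subdomains). The SAN lists and hostnames are constructed for illustration, and the function names are this example's own.

```python
def _labels(name):
    # Compare case-insensitively and ignore a trailing root dot.
    return name.lower().rstrip(".").split(".")

def san_matches(pattern, hostname):
    """True if one certificate name (a SAN dNSName entry) covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False  # a wildcard never stands for zero or several labels
    if p[0] == "*":
        # Only a whole leftmost-label wildcard is honoured, and it needs at
        # least two labels after it. Public-suffix checks are out of scope.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def covered(san_list, hostnames):
    """Map each hostname to whether any name in the certificate covers it."""
    return {h: any(san_matches(s, h) for s in san_list) for h in hostnames}

# Constructed SAN lists, one per certificate type described in the answer.
CERT_TYPES = {
    "single": ["domain.com", "www.domain.com"],
    "wildcard": ["*.domain.com"],
    "multi-domain": ["domain.com", "domain.net", "domain.co.uk"],
}

# Constructed hostnames a site might need to serve over TLS.
HOSTS = [
    "domain.com",
    "www.domain.com",
    "shop.domain.com",
    "a.shop.domain.com",
    "domain.net",
    "domain.co.uk",
]

def coverage_report():
    return {kind: covered(sans, HOSTS) for kind, sans in CERT_TYPES.items()}

if __name__ == "__main__":
    for kind, result in coverage_report().items():
        print(kind)
        for host, ok in result.items():
            print(f"  {'covered ' if ok else 'MISSING '} {host}")
```

Run against your own hostname inventory before ordering: a wildcard order usually needs the bare domain added as a second name, which is worth confirming with the CA or reseller.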
http://www.structure.no/site/ssl-primer