Choosing an SSL Provider on Slashdot
An anonymous user on Ask Slashdot asked how to pick an SSL certificate provider:
I have recently been tasked with switching our SSL certificate provider and it's proving not to be easy. We use an internal authority for our own stuff and then we buy certificates to protect outward-facing sites (a lot of them). My question for this community is: How do you choose a certificate authority to use? There is price, service (why we're leaving our last vendor), warranty, and products offered as the only differentiators I can find. Is there any public resource that would show me actual customer reviews of CAs like Verisign, GeoTrust, Comodo, Trustwave, and DigiCert? Our last vendor did a really poor job with support and I would like to make a reasonably educated decision.
There were a variety of answers. Some recommended simply buying the cheapest certificates whose issuing CA is trusted by all the major browsers:
I've had reasonably good experiences with Godaddy, and as far as I know, they're one of the cheapest around. SSL cert signing is mostly just snake oil anyway. It's not like the company signing your cert for you has any impact on the actual security of your site, and I can't imagine that many customers look at the cert signer and go "RapidSSL? No way! F*** those guys! I'm gonna go spend my money at some other dildo store". So, your best bet is to go with the cheapest one around that's likely to be in all the major browsers' trusted CA list.
Others explained why they use VeriSign:
The company I work at goes with Verisign, but that's only because Verisign is one of our customers. Unless your customers are financial houses or some equally paranoid group no one is going to give a rip where the certificate comes from as long as their browser automagically recognizes it. I've only met one person in my decade in IT who checks web site certificate validity (she works at a major investment firm) on a regular basis, and that's only because her job requires that she do so before transferring X-many millions of dollars.
Others strayed into the purpose of SSL certificates and PKI systems:
But the purpose of the SSL certificate isn't really to stop interception of data en route. It is to tell you whether or not the site you are visiting really belongs to who they say it belongs to.
I get emails every other day trying to persuade me that they are from Natwest Bank or Halifax Bank and that I should visit their site to enter my security details. This is a major problem, and that's why we have these error pages.
Source: Choosing an SSL Provider? (Slashdot)
Originally posted on Sun May 4, 2008