Cheap and fast certs.

Jason Holt jason at lunkwill.org
Sun Feb 19 22:26:57 MST 2006


On Sun, 19 Feb 2006, Carl Youngblood wrote:

> You get what you pay for.


Unfortunately, SSL certs seem to be an exception to that rule.  SSL certs 
convey almost no useful information, and the low barriers for attackers make 
the quality of security low even for the small class of users who can discern 
between "safe" and "dangerous" scenarios.  Still much better than nothing, but 
the extra money some CAs charge doesn't seem to be providing much additional 
security.


> If all you want is encryption, Godaddy certs are fine.  But if you look at 
> the fact that even their most expensive cert only comes with $1000 of 
> insurance, while instantssl.com and verisign certs come with $1,000,000, you 
> can see the difference.  Granted you'll probably never use the insurance, 
> but customer confidence is an important issue.  If I were running a business 
> that used SSL I would use instantssl for that reason alone.  I think their 
> price/value ratio is the best out there.

While I have seen Verisign and "consumer confidence" in adjacent sentences 
before, this might be the first time I've seen them used with that relative 
polarity from anyone other than their marketers.  (Verisign/netsol has been 
harshly criticized for a number of unethical behaviors, including sending 
deceptive domain renewal notices to customers of other registrars and 
redirecting every single unregistered .com domain to their own signup site). 
Incidentally, I can't find anything about a $1M guarantee on their site -- do 
you have a URL for that?

Instantssl.com appears to be Comodo, who I once exchanged emails with about my 
friend's erroneous choice of a 512-bit RSA certificate -- the tech claimed 
that 512 bits was plenty secure and refused to reissue a stronger cert.  512-bit 
RSA moduli were broken years ago, and would probably take a modern PC, 
say, a month to factor.  Unfortunately, the $1M guarantee from Comodo doesn't 
seem to cover you if the attacker gets his cert for your domain from somebody 
else.

 						-J



More information about the PLUG mailing list