http://www.corybantic.org/2005/09/13/ssl-certificates-a-rip-off/ Tue, 06 Jan 2009 19:52:26 +0000 http://wordpress.org/?v=2.5 http://www.corybantic.org/2005/09/13/ssl-certificates-a-rip-off/#comment-338 mas Fri, 18 May 2007 09:49:20 +0000 http://www.udlug.org/wp/wordpress/2005/09/13/ssl-certificates-a-rip-off/#comment-338 cacert.org sounds like a good idea, but really it is quite useless right now and I dont expect it to change anytime soon. That is so because NONE of the mainstream browsers include their root certs, hence all visitors have to click away 2 warnings (which most will do however). Now what is the difference to using a SELF-signed certificate then? None actually, encryption works, same warnings to be clicked away unless you manually import a root cert. So where's the point to go through the tedious cacert process? None really. That is a bit sad but it simply is that the browser manufacturers exploit their monopol and charbe big bucks for audits to get your root ca included. And those going through that process want big ROI and hence charge rip-off prices. Really a realistic price for a email-response validated cert is like 1$ / year and for a manually document validated about 20$. But the certs that work without warning on the browsers are always way more expansive so simply keep your hands off em I would say. Alternatives with at least some merits are: 1. http://www.startssl.com/, free, only firefox 2.0 on, but at least one major browser. Sigh. Currently the best truly free version. 2. Use a commodo test certificate. Renew it every 90 days. Not really handy but saves the rip-off prices. Commodo is a little less rip-off than verisign and so but still by a large factor too expansive. cacert.org sounds like a good idea, but really it is quite useless right now and I dont expect it to change anytime soon.
That is so because NONE of the mainstream browsers include their root certs, hence all visitors have to click away 2 warnings (which most will do however).
Now what is the difference to using a SELF-signed certificate then? None actually, encryption works, same warnings to be clicked away unless you manually import a root cert. So where’s the point to go through the tedious cacert process? None really.
That is a bit sad but it simply is that the browser manufacturers exploit their monopol and charbe big bucks for audits to get your root ca included. And those going through that process want big ROI and hence charge rip-off prices. Really a realistic price for a email-response validated cert is like 1$ / year and for a manually document validated about 20$. But the certs that work without warning on the browsers are always way more expansive so simply keep your hands off em I would say.
Alternatives with at least some merits are:
1. http://www.startssl.com/, free, only firefox 2.0 on, but at least one major browser. Sigh. Currently the best truly free version.
2. Use a commodo test certificate. Renew it every 90 days. Not really handy but saves the rip-off prices. Commodo is a little less rip-off than verisign and so but still by a large factor too expansive.

]]>