GeoTrust founders offer free SSL
Four former GeoTrust executives have returned to the SSL market after a five-year absence with the formation of a new company, AffirmTrust, which will compete with their alma mater. Expected to launch in July, AffirmTrust plans to kick off its marketing by giving away three-year basic validation certificates for free. Extended …
Market $450 against $50?
After being voluntarily eaten by the borg these guys are back to do it again? What a comeback plan - market a $450 cert against a $50 cert! How intelligent of them! Maybe they will sell 10 of them and then be acquired by Sony.
Not to mention
that even a free basic validation cert doesn't do you a hell of a lot of good until the common browsers know about the issuing CA -- until that happens, people will be getting certificate-validation warnings whenever they go to your site, which has pretty much the opposite of the confidence-building effect provided by a proper cert from a CA anyone knows or cares about.
Also GoDaddy EV certs are currently $37.50 a year, which, if my figures are right, works out by comparison to roughly "you'd have to be stupid to buy an EV cert from these GeoTrust morons".
Need to read more carefully ...
OK, it's easy to get mixed up as the article isn't all that clear without careful reading, but this outfit is pitching "free" against $50 from Go Daddy. $450 is for their enhanced certificates, which the article doesn't give a comparable price for from Go Daddy.
Try reading the article
They are marketing a $0 cert against a $50 cert. Although they are marketing the $450 against a $100 cert so that is not going to do so well.
$50?
$8.95/year at namecheap for a Comodo PositiveSSL certificate and they work fine. $139 for a green bar.
Bought a GoDaddy cert recently
Cost me £50 for 5 years - only basic validation obviously, but it's hardly bank-breaking stuff nowadays. Hell, I pay more than that to the company hosting my domain name, and my hosting is another bill of a lot more still.
If you have a need for SSL for securing transactions, the prices for basic certs are a drop in the ocean compared to everything else (e.g. PCIDSS standards, hosting, commission, etc.). If you have a need for SSL just for the encryption, then you can get stupidly cheap certs that fit the bill.
And when it comes to security, I'm not sure "Our website uses a free SSL certificate!" is particularly confidence-inspiring in either the website or the certificate issuer.
Does anyone care
Provided they have the padlock on the screen and no error messages, does anyone actually look at the SSL certificate? I know I generally don't. Certainly if it is for my own internal exchange server which I know is legit anyway, I'm just looking for something to save me the hassle of installing self-signed certificates in every browser I use.
indeed
We use a dirt cheap SSL cert too - it's for OWA and our Alfresco portal. Only staff use it anyway so as long as it avoids browser CA rejections we are good to go.
But - Offline?
Their website is offline for the next four days....
Not something I'd expect from a company running critical infrastructure... What if you need to revoke a cert?
indeed
plus is their CA in modern browsers?
IPSCA offer free *wildcard* SSL to education too.
Already accepted by Mozilla, Chrome, Opera, Microsoft, Apple
(spullin mistax figxed)
Mozilla: https://bugzilla.mozilla.org/show_bug.cgi?id=633546
Chrome: http://code.google.com/p/chromium/issues/detail?id=48608
Opera: http://my.opera.com/rootstore/blog/2010/07/28/new-roots-new-ev-and-a-new-public-suffix-file
Microsoft: http://social.technet.microsoft.com/wiki/contents/articles/may-2010-root-update-new-cas-and-new-root-certificates.aspx
Apple (iOS 4.1+, OSX 10.6.4+): http://support.apple.com/kb/HT4415
Of course,,,
None of this will do anything to address the fact that the whole SSL certificate chain and "trusted issuer" system is fundamentally broken; the Reg ran an article on exactly this point a month or two ago.
Never liked GoDaddy myself
GoDaddy may be cheap for SSL certs but the last time I used them they had the sharp practice of defaulting to auto-renewing the SSL and taking the money off me with no warning.
After that debacle, I use Servertastic now - the cheapest UK reseller of RapidSSL certs - buying in batches of 10 or more works out at about 6.50+VAT each. Nice to be billed by a UK company in UK pounds for your SSL certs too!
BTW, b166er, StartSSL.com is "offline until 20th June" - doesn't inspire much confidence in them!
StartSSL offline for several days!
Not a great inspirer of confidence in a 'free' provider:
"We apologize for the temporary inconvenience. The service will be offline until Monday, the 20th June 2011. Thank you for your understanding."
http://www.startssl.com/
Hidden agenda?
>"AffirmTrust plans to kick off its marketing by giving away three-year basic validation certificates for free. Extended validation certs will cost $450."
Sounds to me like they're trying to make basic (i.e., no) validation even more worthless than it already is, in order to boost the market for the supposedly-more-secure extended validation certs. Commoditize the complement and all that.
The flaw in their plan, of course, is that a $0 basic validation cert doesn't actually offer your end-users any more or less guarantee of security than a $450 enhanced cert.
The non-flaw in their plan, of course, is that most big web hosts don't actually care about the security of their end-users, and most of their end-users don't know the difference.
Everyone is going to want SSL soon ...
if the Google-sponsored SPDY extension to the HTTP protocol comes in. (This is the thing that is supposed to make a 50% improvement in downloading a web page.) SSL is integral to SPDY, i.e. Google is trying to make everyone use SSL all the time -- the speed improvement will be a strong motivator for most people.
StartSSL
Cert still works, what conclusion have you jumped to?
yes
but what if you need to *REVOKE* a certificate? Oh it's OK, I'll wait till Monday. (It is a Friday after all!)
I just wish...
...it was possible to turn on encryption without certs or warnings. I'm not selling anything, I'm not asking for personal details, but in this day and age the ability to leave the realm of "all in the clear" would be welcomed. My server can SSL, so can my browser. Why is there no "make it so" option that doesn't involve scary warnings from a browser?
DNSSEC, and an SSLkey record type
See title
Then we can forget about all of these dappy certificate issuing bodies and roll our own without warnings - the browser (or other application which wishes to communicate securely) can simply look up the required certificate via a secured sideband transmission.
If we want to get all clever about it then why not add DNSCurve to the list as well, encrypt the DNS queries as well...
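Added example, not part of the comment above: the idea of publishing a site's key in signed DNS was later standardised as the DANE TLSA record (RFC 6698), and this sketch shows the matching step a client performs for a self-issued certificate (usage 3, DANE-EE). The function names, the `dnssec_validated` flag (assumed to come from the caller's validating resolver) and the byte strings standing in for DER data are all constructed for illustration.

```python
import hashlib
import hmac

# Matching types from RFC 6698: 0 = raw bytes, 1 = SHA-256, 2 = SHA-512.
_DIGESTS = {0: lambda b: b,
            1: lambda b: hashlib.sha256(b).digest(),
            2: lambda b: hashlib.sha512(b).digest()}

def parse_tlsa(rdata):
    """Parse 'usage selector mtype hex' (presentation format) into a tuple."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("TLSA rdata needs 4 fields")
    usage, selector, mtype = (int(f) for f in fields[:3])
    if usage not in range(4) or selector not in (0, 1) or mtype not in _DIGESTS:
        raise ValueError("unsupported TLSA parameters")
    # The hex data may be split into several whitespace-separated chunks.
    return usage, selector, mtype, bytes.fromhex("".join(fields[3:]))

def dane_ee_match(rdata_set, cert_der, spki_der, dnssec_validated):
    """True if any usage-3 (DANE-EE) record pins the presented certificate."""
    if not dnssec_validated:      # unsigned answers prove nothing: fail closed
        return False
    for rdata in rdata_set:
        try:
            usage, selector, mtype, data = parse_tlsa(rdata)
        except ValueError:
            continue              # skip malformed records, keep checking others
        if usage != 3:
            continue              # usages 0-2 also need chain building (not shown)
        # Selector 0 pins the whole certificate, selector 1 only the public key.
        presented = cert_der if selector == 0 else spki_der
        if hmac.compare_digest(_DIGESTS[mtype](presented), data):
            return True
    return False

# Constructed stand-ins for a DER certificate and its SubjectPublicKeyInfo.
CERT = b"constructed-certificate-bytes"
SPKI = b"constructed-public-key-bytes"
RECORDS = ["3 1 1 " + hashlib.sha256(SPKI).hexdigest(),
           "3 0 9 00"]            # second record is deliberately malformed

if __name__ == "__main__":
    print(dane_ee_match(RECORDS, CERT, SPKI, dnssec_validated=True))
```

Pinning the public key (selector 1) rather than the whole certificate lets the operator reissue the certificate without touching DNS, as long as the key pair is unchanged.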
I still miss the Web of Trust
Anyone remember the Thawte Web of Trust? For personal certs it was a great idea that scaled well and added the ability to actually sign emails (though not gen SSL certs).
I wonder what the opportunity would be to take that idea, though, and deploy it for extended validation SSL certs and undercut all these guys.
