
Generating SSL Certificate

Posted by SpaceWalker, 03-19-2010, 10:35 AM
I was wondering, what is the idea behind SSL certificates? Who gave those companies, like GeoTrust and the others, the right to sell certificates? Can anybody generate & sell SSL certificates? If not, then isn't that considered a monopoly, which is unlawful in almost all countries? As I understand it, if we go ahead and switch cPanel to use https, for example, then Firefox & Internet Explorer will tell us "This site cannot be trusted", which means you should go to one of the big guys and pay for it. But why!!! Why would I pay even $10 for 10 lines of code from those SSL certificate sellers? I know they write something about warranty, but I cannot recall any incident where they had to pay something to someone. Even if some info got lost or stolen there would be a debate about badly written code, etc. My questions are:
- Can I generate and sell SSL certificates on my own?
- Why would anybody pay a lot of money for this? Don't you think it's stupid???
- I don't think they put any effort into doing this, so why does it cost so much to get something like an EV certificate?

Posted by fwaggle, 03-19-2010, 11:35 AM
It's not really a monopoly - if you set up the infrastructure and then petition each browser to include your root cert, you can get set up too. The older companies started first, and so are more ubiquitous in their acceptance. It's not a monopoly, the barrier to entry is just high. It's like saying a bank is a monopoly because an 18-year-old high school dropout can't get FDIC insured and start one. You're paying for the assurance that a third party has checked and will verify that you are who you say you are (to the extent of the information included in your cert, anyway). Yes, theoretically. But it's implausible, see above caveats. SSL assurance is broken in many ways, but the cost isn't really one of them. FWIW, check out StartSSL - they're supported in most of the common browsers (but some mobile browsers, for example, may choke on their root) and domain-verified-only certs are free. If you want more assurance, you have to pay. Clearly you have no idea what's involved in getting an EV cert signed... you have to pay someone to check that you're a legitimate company and that the person trying to get the certificate signed is an officer of the company privileged to do so. Considering what's at stake (e.g., the warranty on EV certs), that's quite a bit of effort.

Posted by badboyx, 03-19-2010, 01:19 PM
Check this: http://www.akadia.com/services/ssh_t...rtificate.html

Posted by Toby H, 03-19-2010, 01:40 PM
This will still cause the certificate error in virtually all browsers, just so you know.

Posted by SpaceWalker, 03-19-2010, 06:51 PM
Well, I still do not get it. Why are they taking that money without providing any service? Who made those people trusted? What effort are you talking about for the EV certificate? Unless they are going through the company's cash flow and checking their accounts, it's not worth the amount of money you pay for it. In my opinion, everybody should be able to get a FREE SSL certificate; not the Extended Validation one, but the normal one. To my knowledge they do not even verify anything for the normal/rapid SSL. I wonder what infrastructure you are talking about. What does it take to establish something like that?

Posted by SpaceWalker, 03-19-2010, 06:55 PM
That's what I was pointing at. Why did the browser manufacturers implement such a thing? I remember back in the old days we were able to get through without these big useless warnings; it was a tiny little warning at the top of the URL bar that notified you about the website. Basically, what happened is just pushing people to either pay to get a certificate or just use the normal connection (non-SSL).

Posted by fwaggle, 03-19-2010, 08:48 PM
StartSSL. To get an EV cert, you have to provide evidence of a legal entity using a company name, the real person who's making the request, etc. Go read. They verify domains, usually via a postmaster email address or something similar. By infrastructure, I mean you have to take steps to ensure that your key is protected (the whole system falls apart if someone can sign a cert for a domain that's not theirs), and that you can properly validate CSRs to ensure that, again, someone doesn't try to sign a cert for a domain/hostname that's not theirs. A couple of the bigger CAs have screwed up before in this regard, and they have the capital to make these issues go away by throwing money at the problem. That's the reason they're trusted: because they have enough money to cover their butts if they mess something up and someone loses a substantial amount of money over it. Because we're all led to believe that assurance that a site you're connecting to is who it says it is is important? Personally I feel that having a nasty warning dialog is probably counter-productive, because even without the assurance that a site is who it says it is, the encryption is still slightly useful (it ups the bar anyway)... but if you go to Paypal.com, you do not want your browser silently accepting a self-signed certificate! Or your clients have to understand that you've not had anyone sign your certificate... it's only ~$11/year for a RapidSSL from Namecheap. There's also StartSSL, which is free for domain-validated-only certs but lacks some support in legacy mobile devices. There are alternatives; I don't entirely know what you want from this conversation. You can feasibly start your own CA, and there are alternatives to paying the steep costs (for most people's purposes, StartSSL or RapidSSL (free or $11/year respectively) will work just fine). That's not exactly breaking the bank even if we were to take you at your word that they're selling nothing. I really don't know what you want?
If you want certificates for free, use StartSSL - just watch out for the caveats of such a certificate. If you don't like those caveats and think you can do better, then do it.
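The two points argued in this thread, that a self-signed certificate is rejected until a client imports the root, and that a CA must bind the certificate to the hostname it validated, can be checked end to end with openssl. This is an added example, not code from the thread or from any CA; the hostnames shop.example.test and evil.example.test and the CA name are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. It builds a private root CA, signs a leaf
# certificate for a constructed hostname, and checks trust the way a browser
# does: the chain must end at a trusted root and the name must match.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"

# Minimal OpenSSL config so the example does not depend on a system openssl.cnf.
cat > ossl.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Constructed Private Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:shop.example.test
EOF

# 1. Root CA: self-signed, so nothing trusts it until a client imports it.
#    That import is the "petition each browser to include your root" step.
openssl req -x509 -config ossl.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
  -days 365 -keyout ca.key -out ca.crt 2>/dev/null

# 2. The site operator submits a CSR; the CA signs it only after checking that
#    the requester controls shop.example.test, and pins that name in the cert.
openssl req -new -config ossl.cnf -subj "/CN=shop.example.test" -newkey rsa:2048 \
  -nodes -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 90 \
  -extfile ossl.cnf -extensions v3_leaf -out leaf.crt 2>/dev/null

# 3. A self-signed certificate for the same name, like a default cPanel one.
openssl req -x509 -config ossl.cnf -extensions v3_leaf -subj "/CN=shop.example.test" \
  -newkey rsa:2048 -nodes -days 90 -keyout self.key -out self.crt 2>/dev/null

# verify_cert CERT TRUSTSTORE HOSTNAME -> prints "trusted" or "untrusted".
verify_cert() {
  if openssl verify -no-CApath -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
  then echo trusted; else echo untrusted; fi
}

verify_cert leaf.crt ca.crt   shop.example.test  # trusted: CA-signed, right name
verify_cert self.crt ca.crt   shop.example.test  # untrusted: no trusted issuer
verify_cert self.crt self.crt shop.example.test  # trusted only once imported as a root
verify_cert leaf.crt ca.crt   evil.example.test  # untrusted: valid chain, wrong name
```

The third line of output is the whole reason a browser warning appears: the same self-signed certificate is accepted the moment its root is in the trust store and rejected otherwise.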
