Comments on: Mozilla and certification authorities

By: Anonymous

Anonymous — Mon, 29 Sep 2008 00:17:20 +0000

“Also, StartCom offers SSL certificates at no charge whatsoever, though at present these certificates are recognized only in Firefox.”

StartCom is supported by Apple keychain (Safari).

By: Mike

Mike — Mon, 08 Sep 2008 04:31:22 +0000

Regardless of the cost factor, the current user experience for allowing an exception for self-signed certs is incredibly complicated and most users will tend to just avoid the site after all the warnings and dialogs; which imply that the site is really bad when all the site operators wanted to do was provide encryption of a login transaction – which is a legitimate and common use of self-signed certs.

It would make much more sense for the browser to simply flag these in some manner as ’secure but not trusted’.

Currently a large number of smaller sites have given up on secure authentication due to complaints about the process and gone back to plaintext over the wire for logins – which really is really bad.

By: Bruce

Bruce — Wed, 03 Sep 2008 20:16:00 +0000

A couple of final thoughts. Although the cost of hosting a domain that allows SSL is higher than hosting one that doesn’t, it usually isn’t that much higher if you’re willing to shop around.

The only other alternative is to host the site yourself – which is probably not an option anymore on most consumer-grade Internet connections. That means a business Internet line, which is somewhat higher than a consumer line although not necessarily a lot higher for the lower priced options.

Still, as pointed out in the parent article, the cost of SSL isn’t all that high – say $30/year for a basic cert from Godaddy, and a few dollars extra a month for the hosting costs. Not enough for even most small businesses to worry about much, but for small volunteer organizations it can be a barrier to the use of SSL in general as well as to the use of third-party signed certificates.

By: Bruce

Bruce — Wed, 03 Sep 2008 20:05:09 +0000

Or perhaps I should say that the SSL protocol requires a UNIQUE IP – however since typical hosting sites use a single IP for hosting many HTTP sites, that means that they can’t have your HTTPS site share an IP with other HTTPS sites. That usually implies a static IP, since allocating a static IP from the block of IP addresses available to the hosting vendor will be a whole lot cheaper than for them to host you on a separate dynamic IP connection.

If they don’t tell you that you need a static IP address, that just means that they’re bundling the cost of that in with the cost of hosting the domain. One way or another you’ll find that the cost of hosting a domain that requires SSL will be higher than one that doesn’t.

By: Bruce

Bruce — Wed, 03 Sep 2008 19:57:23 +0000

The SSL protocol requires a static IP – that’s why hosting sites will require you to pay extra for one. If you’re able to use their certificate that’s certainly an option, but then you’d have to have your protected area be a subdomain of your host’s domain.

As for TLS, I’m not sure that the adoption of that by potential client software sites (read: web users) is high enough for it to be useful for many situations..

By: Name

Name — Fri, 22 Aug 2008 14:57:37 +0000

“Unless you have information to the contrary, I’m happy to assume their plans remain the same. The results certainly haven’t.”

I meant the results certainly haven’t changed, of course.

By: James

James — Thu, 21 Aug 2008 12:17:20 +0000

To repeat my comment on the post you link: “It’s not like using your own CA is easy either – due to the braindeadness of NSS the list of CAs is hardcoded in a file, necessitating a recompile to install a CA for all users of an application, or installation in each user’s profile individually. And there’s no computer-wide CA repository either, so you have to recompile both Thunderbird and Firefox – double fail.”

By: Heikki Toivonen

Heikki Toivonen — Thu, 21 Aug 2008 06:36:18 +0000

A related issue regarding SSL costs is that many (most?) hosting providers will require their customers to purchase static IP addresses before they can set up SSL. TLS Extensions does allow virtual servers, and while it is not universally supported, it would be nice to see more hosting providers offer that as an option. If it was available for free, or cheaper than static IP, it would probably lead to SSL being adopted more widely for low value websites (low value site passwords in the wrong hands can lead to compromise on high value sites due to users reusing passwords).

By: Name

Name — Wed, 20 Aug 2008 17:15:51 +0000

“(Although you could certainly try to get multiple no-charge certs for the various subdomains.)”

Yeah, one at a time, for something that would make no difference to 90% of users. No thanks.

“Eddy Nigg of StartCom is a very active participate on the mozilla.dev.tech.crypto newsgroup, and you can certainly contact him again to see if things have changed.”

Unless you have information to the contrary, I’m happy to assume their plans remain the same. The results certainly haven’t.

By: hecker

hecker — Wed, 20 Aug 2008 16:52:50 +0000

You’re correct, wildcard certs are more expensive from any CA; even StartCom doesn’t offer wildcard certs for free. (Although you could certainly try to get multiple no-charge certs for the various subdomains.)

On StartCom and Microsoft, I can’t and won’t speak for StartCom’s plans. Eddy Nigg of StartCom is a very active participate on the mozilla.dev.tech.crypto newsgroup, and you can certainly contact him again to see if things have changed.