There always seems to be talk about some SSL cert service (VeriSign) that has been hacked or gone under. I'm trying to buy my first SSL certificate and there are so many options out there that it's hard to know which one. What are the risks? Is any certificate authority okay? Will self-signed certs be good enough?

Clearly the issue is the man-in-the-middle attack, which I have a high-level understanding of, and makes every CA susceptible to the same attack if they are compromised. But are there good CAs that people have had experience with? Is it less safe to get a wildcard cert than individual certs for each domain?

Thanks HN
If you're worried about certain governments MITMing you, the answer is that it's hopeless to rely on SSL to provide protection.

I don't know a good recommendation. I just wanted to clarify that SSL provides no protection in that particular case.
I used a StartSSL class 1 certificate for my app (unherd.co). It's free and valid for one year. Here is a good guide that might be of help - https://konklone.com/post/switch-to-https-now-for-free?hn
My domain registrar (namecheap) offers SSL certificates cheap.

All you need is for your domain to show up with the little special icon in the browser when you use https. Other than that, it doesn't matter. Get the cheapest one that browsers recognize.
StartCom/StartSSL thwarted a recent hack attack, according to:
http://www.informationweek.com/attacks/how-startcom-foiled-comodohacker-4-lessons/d/d-id/1100043

Their due diligence on verifying who is requesting the cert probably helped; but I've seen some people complain that it's not a quick/easy process:
http://danconnor.com/post/50f65364a0fd5fd1f7000001/avoid_startcom_startssl_like_the_plague_
You get a standard SSL certificate free for a year with domain names at Gandi.net. I think I'm also right in saying transfers are included. Can't really vouch for their security but from what I have read the company's "no bullshit" approach is right up my alley. The riseup.net collective recommend them too.