That's right. I remember that Wikipedia was saying all browsers under XP, but I just made a test and Chrome is compatible. Still, I suspect that most users who are still using XP either don't have a choice of browser (locked-down corporate environment) or aren't sophisticated enough to worry about changing browser. And XP usage is still shockingly high.
The cheapest wildcard certificate I can find is £99 per annum. No matter the security requirements I just do not believe it costs that much to run this service. I suspect that we have a bit of a cartel there.
$60 one-off payment to be verified, then you can issue unlimited wildcard certs for any and all domains you control. I.e., the certs themselves are free, you just pay for verification.
Beware, they claim they will issue unlimited certs, but even after completing a domain validation via email to an admin account on the domain, they might refuse your cert if they care to look at the WHOIS data and decide it's not "you" (for example, a different business name or admin contact). They might even change their mind on this when you try to renew a cert they had previously issued.
I actually started that and stopped midway through.
The process was absolutely hostile, the requirements insane and I haven't stripped like that, ever.
Plus, it's plain BROKEN (Really? Like, requiring a utility bill for verification? What? Why?).
Obviously I didn't finish it (I did send most of my documents but stopped at some point and told them that this is crazy, I don't care anymore), so my advice might be crap. But I would advise everyone to avoid. this. process.
The process is hostile and the UI confusing at times, but the requirements aren't insane. They're doing what they're supposed to do: verify you are who you say you are and that you're the owner of the domain. Just sending a mail to the webmaster is weak verification (and a SPOF, if nothing else).
A sane version in this country is PostIdent. It's a way to verify a person & address using the post. Think postman arrives, asks you to pull out your ID and sign something, hits okay. Company knows that you are a real person with the specified name living at that place. They _might_ have access to the number on your national ID afterwards, but I'm not even sure about that one.
Have you checked what kind of documents you're to send to a random foreign company for verification?
On top of that, the process doesn't WORK internationally. I still don't understand what kind of utility bills you have in Israel (StartSSL) or the US (usually the source for.. things), but mine are different. Plus, what does a random letter in a random language prove? Sending in an ID is understandable - it's a state issued document and protected by law, forging one would be a Bad Idea. A "utility bill"... Well, as I said: Insane. And arbitrary.
For the fun of it I looked up the mail exchange.
Documents they asked for (* denoting that I sent them):
- Mobile bill
- Utility bill* (sent a cable provider's bill)
- Passport & ID *
(I think I provided my driving license as well)
The first two documents are absolutely braindead requirements. They certainly don't have the expertise to know all utility providers/mobile network providers on a global level. So I could hand in ANYTHING and it would a) be probably legal (there's no law to prevent me from 'forging' a utility bill.tell ..) and impossible to prove. That is .. unless they call your utility/mobile provider to check the information, which wouldn't work in the first place (data protection laws) unless you IMPERSONATE the person you try to check. Which would be crazy on a different level.
In the end they wanted to send me a registered letter by snail mail and I cancelled the whole ordeal. Doing that would've been an option of course, but not after they asked for random documents proving my address. EITHER send me a registered letter OR ask for crazy stuff that contains my name and address in the header.
Plus, transparency. This whole process took a while and was a lot of "Now please send this", "We really need that", "Since you have no mobile bill to offer, we fall back to snail mails". I discovered this in painful mails, after handing over enough of my data to do mostly anything in my name.
I fail to understand how this process could be acceptable and I certainly consider it broken, hostile and inefficient.
(Handing in my utility bill was difficult as well - I blacked out all but the letter head, which caused them to complain again and again. Ignoring that the letter contained the SIP credentials for my landlines, what the..? I cannot _invent_ a reason for this requirement. My creativity is too limited, it seems)
A current utility bill shows a link to an address; a lot of IDs don't, and from memory passports don't (anyway, they last for years and don't require updates...). Yes, it's not foolproof, but it raises the bar. Most people have access to this thing and are able to send it in - so it's a cheap way to raise the bar.
Possibly you raised such a fuss that you tripped their 'possibly a forger, probably not worth it' spider-sense, so you got more hoops to jump through.
That's exactly my issue. Maybe that's the case in your country of origin, but not here. The ID lists your address and you're required by law to update it whenever you move.
Plus, they got that (address/name, a header of a utility bill), but complained about blacked out passwords/details.
Plus, if your fallback is to send a registered letter to verify an address, why .. not list that from the start and just do it that way? Slower, but less crap.
We won't find some common ground here, of course. I don't think that I 'made a fuss', not before the process became utterly broken and laughable.
I haven't tried this service. But I think it is fair to say that SSL certificates being as they are (complex and expensive), we will not see an all-https web anytime soon. SSL certificates need to be fixed first, it must be cheap and easy to set up SSL on a shared server with limited technical knowledge before we see it generalised.
And $25 to revoke. Miskey the CN? Cough it up. A bug in OpenSSL gets your private key owned? Pay up. Want a different type of cert for the same domain? Pay the man.
It's not like they invented the pricing during heartbleed, it was always out there.
StartSSL can make the certificate for free because their infrastructure is all automated. You don't know if certificate revocation requires human intervention or not.
Plus certificate revocation is useless in case of MITM. Browsers need to be able to contact the certificate authority and will just ignore it on timeout. So the only difference is that the MITM has to blackhole the CA on top of the usual routine.
All you can do is hope nobody stole your SSL certificate.
My understanding is that it's all automated for level 1 trust where you can only generate basic single-domain SSL certs. I don't remember getting a call.
If you have 2 domains, and no subdomains, that might as well be the case.
If you have more than a couple of domains, certificate costs can go up exponentially -- it's $10/year for a single-domain cert, but $50/domain/year for a multidomain one.
I have maybe a dozen or two active domains; I cannot afford to have my domain costs go up exponentially all for some thin air.
The cost of SSL certificates scales linearly, not exponentially, with the number of domains. Just buy a certificate for each domain and don't bother with the "multidomain" or "wildcard" rackets.
Oh, you need multiple IPv4 addresses for that? Just buy them, SSL is a valid justification for consuming IPv4 addresses. It's also a lot cheaper than multidomain certificates. Again, the cost increase is only O(N), not exponential.
If it costs you more than $150/year to secure a dozen domains, each with its own IPv4 address, it's not because you're being ripped off, it's because you didn't do your homework. The very fact that some companies can still get away with selling $500 certificates in a purportedly free market implies that most people aren't doing their homework.
Why do you need multiple IPs when SNI is supported on most major operating systems and most server platforms? Just look on Wikipedia for a full list of technology that supports Server Name Indication. It is free.
$500 certificates are Extended Validation certificates that require manpower to verify many details about a company. There are other costs involved in the certificate issuance process that are mandated by the CA/Browser Forum.
There are multi-domain certificates for less than $100 that allow wildcard in the certificate. If you really knew what you were doing you would only need one certificate and it would cost less than the $150 you are talking about.
If you have an ecommerce site that Extended Validation certificate is worth it. Our sales increased by better than 40% by having an Extended Validation certificate. So YMMV. Do what makes the best sense for your site.
Self-signed certificates are just as secure, but they give the warning unless you import your CA certificate into your browser. So you can get away with free pretty easily if the sites are for internal use only.
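As an added illustration (not code from this thread or from any of the posters), here is what the Server Name Indication the post above relies on actually looks like on the wire: a cleartext extension inside the TLS ClientHello. That is why one IPv4 address can serve many certificates, and also why a client that omits the extension (the older Android and IE-on-XP cases mentioned elsewhere in the thread) can only ever be handed the address's default certificate. The ClientHello bytes are constructed inside the code; the hostnames and certificate labels are placeholders.

```python
import struct

# Constants from the TLS handshake format (RFC 5246 / RFC 6066).
TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
SNI_HOST_NAME = 0x00


def build_client_hello(hostname=None):
    """Build a minimal TLS record holding a ClientHello (constructed sample).
    hostname=None yields an SNI-less ClientHello like a legacy client."""
    body = b"\x03\x03"                      # client_version: TLS 1.2
    body += b"\x00" * 32                    # random (constructed, all zeros)
    body += b"\x00"                         # session_id length 0
    suites = b"\xc0\x2f\x00\x9c"            # two cipher suites (sample)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                     # compression methods: null only
    if hostname is not None:
        name = hostname.encode("idna")
        entry = struct.pack("!BH", SNI_HOST_NAME, len(name)) + name
        ext_data = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(ext_data)) + ext_data
        body += struct.pack("!H", len(ext)) + ext
    handshake = struct.pack("!B", CLIENT_HELLO) + len(body).to_bytes(3, "big") + body
    # Record layer: type, legacy version 3.1, length.
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name carried in the ClientHello's server_name
    extension, or None when the client sent no SNI at all."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    p = hs[4:4 + hs_len]
    off = 2 + 32                            # skip client_version + random
    sid_len = p[off]; off += 1 + sid_len    # session_id
    cs_len = struct.unpack("!H", p[off:off + 2])[0]; off += 2 + cs_len
    cm_len = p[off]; off += 1 + cm_len      # compression methods
    if off >= len(p):
        return None                         # no extensions block: non-SNI client
    ext_len = struct.unpack("!H", p[off:off + 2])[0]; off += 2
    end = off + ext_len
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", p[off:off + 4]); off += 4
        edata = p[off:off + elen]; off += elen
        if etype != EXT_SERVER_NAME:
            continue
        list_len = struct.unpack("!H", edata[:2])[0]
        q = 2
        while q + 3 <= 2 + list_len:
            ntype, nlen = struct.unpack("!BH", edata[q:q + 3]); q += 3
            if ntype == SNI_HOST_NAME:
                return edata[q:q + nlen].decode("idna")
            q += nlen
    return None


def choose_vhost(record, vhosts, default):
    """Pick the virtual host (and so the certificate) for one ClientHello.
    A client without SNI can only get the default for that IP address."""
    name = extract_sni(record)
    return vhosts.get(name, default) if name else default


if __name__ == "__main__":
    # Placeholder names and cert labels, not real deployments.
    table = {"a.example": "cert-a", "b.example": "cert-b"}
    print(choose_vhost(build_client_hello("b.example"), table, "cert-default"))
    print(choose_vhost(build_client_hello(None), table, "cert-default"))
```

The interesting part for a defender is the `return None` path: a front end that hosts several names on one address has nothing to key on for such a client, so it either serves the default certificate (and the browser warns about a name mismatch) or needs a dedicated address per name, which is exactly the trade-off the thread is arguing about.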
IPv4 addresses are more like 2 EUR/IPv4/month now -- already more than twice as expensive as the domain names, plus, there is generally a limitation of, say, 8 or 16 addresses per non-enterprise hosting account. And these prices will only go up in the future!
Plus, are you suggesting that I even get separate certificates (and IPs!) for subdomains? Because I don't actually have to pay anything for my own subdomains to anyone! (Other than the https certificate companies, apparently.)
Plus, having to manually re-install all of these certificates every year? No, thanks! Fix it first! I don't have to re-install my STARTTLS in SMTP, no one gets any self-signed warnings, yet all my email is still immune from passive eavesdropping or any kind of passive tapping of the traffic.
I was just trying to point out that the cost increases linearly and nowhere near $50/domain/yr.
Besides, it was your choice to get a dozen different domains and create a bunch of subdomains on them, instead of, say, subdirectories. You should have been fully aware of the costs and limitations of existing protocols and market conditions when you did that. It's also entirely your choice whether or not to support non-SNI clients. Some of us stopped supporting IE8/XP a long time ago, some of us keep supporting it at a significant cost (often many thousands of dollars). Either way, it's your choice.
Every choice has pros and cons to it. No use complaining about it because you happened to choose a less widely supported and more costly option. Hell, I'd love to get a thousand different domains and an entire /20 for personal use. Why should I pay $10K/yr for my preferences?
If you don't want to pay for overpriced certificates on your gazillion subdomains, just don't. Consolidate your domains and subdomains, or at least consolidate the parts that need SSL. It's as simple as that. If nobody ever fell for the wildcard and/or multidomain certificate racket, CAs would have to price their products more competitively. Stop whining and start voting with your wallet, it's the only vote that matters.
> I was just trying to point out that the cost increases linearly and nowhere near $50/domain/yr.
Not sure on your math. 2 EUR/IPv4/month is 24 EUR/IPv4/year; say you have just two subdomains -- that's already 48 EUR/IPv4/year, for a single TLD domain!
> Besides, it was your choice to get a dozen different domains and create a bunch of subdomains on them
Yes, based on best practices and technological needs; or maybe consolidation of a legacy architecture (where each domain used to have a different physical machine); or maybe the future compartmentalisation through IPv6 (where each domain has a separate logical IPv6-only machine, all sharing IPv4 through a single non-fail-safe legacy proxy); or maybe just outright security for cookies between separate applications I run to protect against XSS attacks.
Or do you suggest I make my choices in technology based on the racketeering of the certification cartel instead? Use inflexible, stagnated and insecure operating practices just to please the certificate authority cartels? No thanks.
> your choice whether or not to support non-SNI clients
What did non-SNI clients do to you that you block them from accessing your personal web-site? Android had no SNI support until very, very recently, for example. I don't want to not be able to access my own web-site from my own phones! However, the separate `https` address scheme would guarantee that my site simply wouldn't work if I follow someone's https link to it on my Android 2.2 device, and there is no way to prevent someone from giving out https links should I enable https (which will never happen, BTW).
> I'd love to get a thousand different domains
You can -- you don't have to pay anyone for your subdomains! Other than the certificate authorities, apparently!
> If you don't want to pay for overpriced certificates on your gazillion subdomains, just don't. Consolidate your domains and subdomains, or at least consolidate the parts that need SSL. It's as simple as that.
Aha! Parts that need SSL? It'd be nice to have, but none require it -- I'm not running a bank and don't collect payment details! And, no, I will not revisit sound engineering and marketing decisions based on the political limitations of the certificate authorities. Not gonna happen. CAs will not dictate the rules of the game for me.
Fix encryption for HTTP to be as easy as SSH and STARTTLS in SMTP (I don't need no https access scheme for my non-commercial pages!), and I'll gladly enable it for all of my domains. Until then, thanks, but no thanks.
Win XP with non-IE browser supports SNI.