SSL scam now slightly cheaper
I have always viewed the entire SSL regime as nothing but the worst of scams - even worse than Verisign’s control of .com. I would say it’s a license to print money, but they don’t even have to print it - it’s a license to generate money, day in day out, via a simple set of scripts. And let’s not even get into the fact that they are basically useless - there has never, ever been even one single verified case of sensitive information being stolen while in transit! - but I admit that the psychological value is high. Still, I loathed the system so much that I’ve never bought an SSL certificate for personal use.
Until recently, that is. The price of the certificates has massively decreased - so that instead of straight-up daylight robbery, it’s now more akin to night-time pilfering, maybe of your milk delivery, the paper, and some garden gnomes. While I remember in the bad old days of NetSol and Web 1.0 these tiny text files could set you back multiple hundreds of dollars, the value has dropped continuously - slowly but surely creeping more into line with the vanishingly small cost of actually delivering the service - and now is kind-of, sort-of acceptable.
The price I’m finally willing to pay is USD$13.95 from ServerTastic, who resell RapidSSL, ultimately issued by GeoTrust. The certificates are pretty good quality, appearing as being signed by “Equifax Secure Global eBusiness CA-1” and utilising a single root certificate - none of this chaining bullshit. Service is good, and RapidSSL sure are rapid - a confirmation email to the domain owner, an automated phone call, and you’re done.
So yeah. It’s still a scam, but at least it’s a cost-of-a-6-pack scam instead of a cost-of-an-iPod scam. And I highly recommend ServerTastic.
BTW, if you’re coming off a nasty chained cert like those issued by the previous lowest-price provider, Comodo, RapidSSL has a promotion where you can switch to them for free.
January 4th, 2007 at 11:46 pm
Thanks a lot for the heads up on the free switch-over deal. Have written a weblog entry about it here:
http://wincent.com/a/about/wincent/weblog/archives/2007/01/ssl_fun.php
Just one point, however:
You should probably mention that SSL certificates have nothing to do with encryption and everything to do with authentication of the remote server’s identity. There is absolutely nothing stopping you from running an HTTPS server with a self-signed certificate or no certificate at all; all communications will still be encrypted. The sole value of a properly signed certificate is that the remote user can be reassured that the server really is the site it claims to be. If the certificate is missing, expired, the browser doesn’t have the required root certificate, or the server administrator has failed to correctly set up the certificate chain, then the user will see a warning message about the inability to validate the certificate, but all communications will still be encrypted. Unfortunately, these warnings tend to freak users out so if you’re doing business on the web you pretty much need to get a properly signed certificate.
Maybe if you’re PayPal then you have to be worried about a spoofing attack (attacker poses as ); but for most other uses the security afforded by authentication is minimal. What could an attacker gain by somehow posing as secure.wincent.com? About the worst they could do is read my mail, and almost all email is sent over the wire in plaintext anyway so it just doesn’t matter. Even the online store at https://secure.wincent.com/a/store/ never deals with any sensitive content; things like banking details, passwords and credit card numbers only ever go to the payment processors, Kagi and PayPal.
So yes, I tend to think that the certificates are way overpriced and of limited real value in most applications. The “cost” to the certificate authority of signing your certificate is probably only a few hundred milliseconds of CPU time or less. After that there are no maintenance costs. The only real element of “service” here is that they supposedly have to verify your identity before issuing the certificate but that chore is clearly not worth hundreds of dollars, and given the ease with which some authorities issue certificates it seems that their checks are not exactly rigorous anyway.
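Added example, not part of the original post or of any comment: a Python sketch that runs the same self-signed server against three client configurations, to show which of them reject it and which negotiate a cipher anyway. It assumes the `openssl` command-line tool (1.1.1 or later) is installed; the hostname `secure.example.test` and all function names are constructed for illustration.

```python
import os, ssl, subprocess, tempfile
HOST = "secure.example.test"  # constructed placeholder hostname

def make_self_signed(workdir):
    # Throwaway self-signed cert and key; assumes the openssl CLI is installed.
    key, crt = os.path.join(workdir, "key.pem"), os.path.join(workdir, "cert.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-keyout", key,
                    "-out", crt, "-days", "1", "-subj", f"/CN={HOST}",
                    "-addext", f"subjectAltName=DNS:{HOST}"], check=True, capture_output=True)
    return key, crt

def handshake(client_ctx, server_ctx):
    # Full TLS handshake over in-memory BIOs (no sockets); returns the cipher name.
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = client_ctx.wrap_bio(c_in, c_out, server_hostname=HOST)
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    pending = [client, server]
    for _ in range(20):
        for side in list(pending):
            try:
                side.do_handshake()
                pending.remove(side)
            except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
                pass  # this side is waiting for the peer's next flight
        s_in.write(c_out.read())  # shuttle bytes client -> server
        c_in.write(s_out.read())  # shuttle bytes server -> client
        if not pending:
            return client.cipher()[0]
    raise RuntimeError("handshake did not complete")

def compare_clients():
    with tempfile.TemporaryDirectory() as d:
        key, crt = make_self_signed(d)
        server = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server.load_cert_chain(crt, key)
        strict = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies chain and hostname
        strict.load_default_certs()                       # browser-like root store
        blind = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        blind.check_hostname, blind.verify_mode = False, ssl.CERT_NONE  # no authentication
        pinned = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        pinned.load_verify_locations(crt)                 # cert installed as trust anchor
        out = {"no_verify": handshake(blind, server), "pinned": handshake(pinned, server)}
        try:
            out["default_roots"] = "accepted: " + handshake(strict, server)
        except ssl.SSLCertVerificationError as exc:
            out["default_roots"] = "rejected: " + exc.verify_message
    return out
```

The `no_verify` client ends up with the same cipher as the `pinned` one, but it would have accepted any certificate from any peer, so its encrypted channel is only as trustworthy as the network path to whoever answered.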
January 5th, 2007 at 12:50 am
Well, *you* know and *I* know that the certificates are supposed to provide a kind of identity check. But the problem is, the check is based on the domain - making them absolutely worthless, since without control of the domain, people wouldn’t be coming to the site anyway.
Seriously. It’s a joke. The only way anyone is getting to your secure.wincent.com site is if DNS - controlled by you - points them there. All the certificate does is confirm that the domain owner of wincent.com authorised the certificate - but if you lost control of the domain, the attacker can get a new certificate anyway. Either way, the certificate adds nothing to the simple fact of control of the domain. The only practical way to “steal” that web address is to hijack the domain, and if you can do that, you can get another certificate anyway, removing any point at all to the identity portion of the certificate’s value proposition.
99.9% of users believe that seeing “https” means the connection is encrypted, and really that is all that is necessary - as I mentioned, if control of the domain has been compromised you’re fucked anyway. Most of the time, all I want is an encrypted connection, and there is NO WAY to implement that without buying a certificate, unless you want to spook your tech-unsavvy users with warnings. Believe me, they don’t understand those warnings - the only thing they know is https = “secure” (ie encrypted), http = non-secure but probably ok anyway, warnings from the browser of any kind = run away! And only the top 10% of users even know that much. Hell, for years I thought it was nothing but encryption and the check was just a formality. Well, regardless, it is.
Because there is no way to implement warning-free encryption without a certificate, and because the verification is a total waste of time security-wise, I call the whole thing a scam. The only thing that has changed is that the price is now bearable.
Before the days of fully automated current-domain-ownership-status checks, I might have agreed that a human check - basically a phone call - might have been worth a few dollars. But not now.
And don’t even get me started on “Extended Verification” which is basically “SSL Scam II: The Raising” - nothing but an attempt to go back to the good old days (if you’re Verisign) of multi-hundred-dollar certificates! Maybe the identity check *is* worth something. But it’s not worth hundreds of dollars. You can bet that we’ll be paying through the nose for them soon enough, though, when the users have been fear-managed sufficiently to demand them …
January 5th, 2007 at 11:40 am
Yes, and like I said, the odds of a spoofing or DNS attack are minimal and the consequences trivial. More likely attack vectors are social ones (trying to hijack the domain). For most cases it’s just a waste of time, but like you say browser warnings are enough to freak out the non-savvy users. Note that I chose the subdomain “secure.wincent.com” instead of just getting the certificate for “wincent.com” precisely for psychological reasons.
January 6th, 2007 at 4:16 am
Good thinking there, but to be honest I don’t like the gratuitous use of subdomains. I used to, sure! But these days they just annoy me. It is difficult for me to think of any case where a subdomain of a web site should be necessary except for your “secure” example, where you’re technically limited by the nature of SSL, or if you really have to divide server locations up at the DNS level for some reason .. eg us.mozilla.org, jp.mozilla.org .. perhaps located in different countries, or using different server software where integration is impossible. Anything else just strikes me as sloppy and, often, gimmicky. Then again, I even hate the “www” subdomain, so maybe I’m a bit extreme!
I understand the reasons for your use but to me subdomains on web sites are just so old-fashioned. I’d rather do a wincent.com/secure and just redirect to 443 and back on all entries and exits to/of that page. Or do the whole domain in SSL, which is what I’m doing with the new cert which is the subject of this post : )
Paypal-style CPU-wastage, here we come! Again, going for psychological effect .. “Wow, the whole domain is secure! These guys must be serious about security! Even my bank doesn’t start with the SSL until I try to log in ..” etc : ) Thank god there’s no way to see how the sausage is actually being made …
January 12th, 2007 at 10:23 pm
Well for me it’s not gratuitous; I basically set up subdomains wherever I think that I might conceivably want to run a service on a different server or even just a different IP, and that’s definitely the case with the secure sections of my website (where as you know it is only possible to have one SSL-enabled virtual host per IP address).
January 13th, 2007 at 7:10 am
Indeed, that limitation of SSL can be a good reason to use a subdomain - if you’re running multiple secure sections! Do you have more than one?! What are they? I only know of secure.wincent.com. Got another one for svn or something?