2

What do I risk [besides the obvious - cc number getting stolen] when buying an SSL certificate for HTTPS use from one of the many RapidSSL resellers rather than directly from RapidSSL? The disproportion in prices seems quite high: 10$ vs 79$ per year.

Where's the catch? Do you have any experience with any of the resellers? Thanks!

pQd

3 Answers

4

If it's signed by the same root, it comes down to the price and the infrastructure for purchasing (can you do it all online with a credit card, is it easy, etc).

You have to watch out for chained root certificates, where (someone like) RapidSSL signs a certificate, and that company then uses that certificate to sign yours. Unless you have a good reason, stay away from them.

I've bought certificates from Namecheap.com before - they will give you a single root certificate. See this question for more.

crb
  • Namecheap showed up as well in my search results and I was considering getting a cert from them. So you're saying there were no problems with them, right? – pQd Jul 03 '09 at 22:23
  • 1
    None whatsoever - we bought something like 20 certificates for our customers at my last job. – crb Jul 03 '09 at 22:39
  • 1
    No problems myself either, though if you already have an account with a registrar for domains it would be worth seeing if they resell certificates too. Unless you'd prefer not to have both domains and certs in the same account, of course. – David Spillett Jul 03 '09 at 22:44
1

The risk is low in most cases, though I would recommend going with a company that either you personally have dealt with previously or one that comes with a recommendation from a source you trust.

For instance, most registrars also sell certificates through this sort of reseller agreement, and you'll most likely get the same price or not much more from them.

A short while ago NameCheap were offering a free SSL cert with every new domain registration which is where I got my last couple. You might find that offer still on, or that other registrars are offering something similar.

There is no need to go with a firm you have any reason not to trust, given how many out there resell at more-or-less the same price.

David Spillett
1

If cost is really the biggest driving factor - why not consider self-signing? It is super easy, and you can add the certificate to the trusted store for your browser - piece of cake for a small business or personal site. Granted, you won't get automatic recognition in a browser - but for cost, you can't beat it:

For Windows/IIS: SelfSSL.exe from the resource kit - http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/993a8a36-5761-448f-889e-9ae58d072c09.mspx?mfr=true

Apache: Just fire up openssl to generate your certificates.

Goyuix
  • 2
    -1 - You should never put a self-signed certificate on the Internet. If you must use a $Free certificate, sign one with a CA you control, so you can add that root to your "trusted roots" list, and revoke it later if you need to. – crb Jul 03 '09 at 22:40
  • 2
    Self-signed certificates are very worrying to non-understanding users in modern browsers. Try visiting a site with a self-signed certificate in either Firefox 3 or IE7 and see what I mean. Self-signing is fine for a closed audience, but you would not want to do it for a public site. – David Spillett Jul 03 '09 at 22:46
  • it's mostly curiosity – pQd Jul 03 '09 at 22:51
  • David S- luckily most users don't understand certs and will just blindly click through and ignore the cert errors, once they learn the requisite clicks... ;-) – Jason Tan Jul 05 '09 at 18:14
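
The alternative raised in the comments on the last answer, signing with a CA you control instead of using a bare self-signed certificate, can be sketched with openssl as follows. This is an added example, not part of any answer on this page; the CA name, hostname and file names are constructed for illustration.

```shell
#!/bin/sh
# Private root CA issuing one server certificate (all names are constructed).

# make_ca DIR: write a minimal config, then create the CA key and root cert.
make_ca() {
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Private Root
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_cert DIR HOSTNAME: create a key and CSR, then sign the CSR with the CA.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
    -subj "/CN=$2" -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$2" > "$1/srv.ext"
  openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -sha256 -days 365 -extfile "$1/srv.ext" \
    -out "$1/srv.crt" 2>/dev/null
}

# verify_cert ROOT CERT: succeeds only if CERT chains to the given root.
verify_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# demo: build a CA and a leaf in a temp dir, then show who issued the leaf.
demo() {
  d=$(mktemp -d)
  make_ca "$d" && issue_cert "$d" www.example.test
  verify_cert "$d/ca.crt" "$d/srv.crt" && echo "chains to private root"
  openssl x509 -in "$d/srv.crt" -noout -subject -issuer
  rm -rf "$d"
}
demo
```

Only `ca.crt` needs to be imported into a client's trusted roots; `ca.key` stays offline, and the server is configured with `srv.crt` and `srv.key`.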