There are some minor caveats, but nothing really worth worrying about. Most browsers accept StartCom certs these days, so that's not a concern unless you're supporting ancient systems.

The big difference is in how much validation is done. The cheap certs only offer domain verification; in other words, they verify that the person holding the certificate owns the domain in question, typically via an automated email to one of the contact addresses associated with the domain. The catch here is that you're only allowed to fill out the CN= (domain) field in your cert; the others are blanked out. For what most people use SSL for, that's sufficient.

The more expensive certs will go a step further and verify the identity of the entity or person holding the certificate. This entails things like checking your articles of incorporation if you're a business; things that tend to require a human operator at the CA reviewing your submission. In return, you get to fill out more fields in your certificate. However, nobody ever looks at the details for certs, so this is pretty much wasted money, IMHO.

The only point at which the more expensive certs get you something of value is:

1. You pay to get a wildcard cert, which lets you use your cert on as many subdomains as you want. If you actually need it for technical reasons (e.g. you let users create their own subdomains), this might be worthwhile. Most folks won't need this.
2. You pay to get an "Extended Validation" or "EV" cert, which gets you a little green box in the address bar with your company name. There are strict requirements on identity validation to get these, and it's supposed to engender more trust on the part of users. They're also very expensive. Personally, I suspect nobody really cares about these and it's just a racket for the CAs. But opinions vary.
It also drives me nuts that browsers still class self-signed certs below normal (non-EV) certs when they basically offer the same level of guarantees (in terms of "this person is who they claim to be").
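The certificate types discussed in this thread, told apart by which subject fields are filled in, as an added example that is not part of the original comments. It is a heuristic over the dict layout returned by Python's `ssl.SSLSocket.getpeercert()`; the `name` and `describe` helpers are hypothetical and every certificate below is constructed.

```python
# Added example; certificates below are constructed, not captured from real sites.
# Input shape matches the dict returned by ssl.SSLSocket.getpeercert().
ORG_FIELDS = {"organizationName", "localityName", "stateOrProvinceName"}
EV_FIELDS = {"businessCategory", "jurisdictionCountryName"}


def name(**fields):
    """Build a name in getpeercert()'s tuple-of-RDN-tuples layout."""
    return tuple(((key, value),) for key, value in fields.items())


def describe(cert):
    """Heuristically label a certificate from its subject, issuer and SANs."""
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names and "commonName" in subject:
        names = [subject["commonName"]]  # legacy certs without a SAN extension

    if subject and subject == issuer:
        level = "self-issued"  # no CA vouched for any field
    elif "organizationName" in subject and EV_FIELDS & subject.keys():
        level = "EV"
    elif ORG_FIELDS & subject.keys():
        level = "OV"  # identity fields present, no EV-only attributes
    else:
        level = "DV"  # only the domain name was validated
    return {"level": level, "names": names,
            "wildcard": any(n.startswith("*.") for n in names)}


CA = name(countryName="US", organizationName="Example CA", commonName="Example Issuing CA")
ORG = dict(countryName="US", stateOrProvinceName="Ohio", localityName="Dayton",
           organizationName="Example Corp")
DV = {"subject": name(commonName="example.com"), "issuer": CA,
      "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com"))}
OV_WILDCARD = {"subject": name(**ORG, commonName="*.example.org"), "issuer": CA,
               "subjectAltName": (("DNS", "*.example.org"), ("DNS", "example.org"))}
EV = {"subject": name(businessCategory="Private Organization",
                      jurisdictionCountryName="US", serialNumber="0000000",
                      **ORG, commonName="example.net"),
      "issuer": CA, "subjectAltName": (("DNS", "example.net"),)}
SELF = {"subject": name(commonName="internal.example"),
        "issuer": name(commonName="internal.example")}

if __name__ == "__main__":
    for label, cert in [("DV", DV), ("OV", OV_WILDCARD), ("EV", EV), ("self", SELF)]:
        print(label, describe(cert))
```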