Hacker News new | ask | show | jobs
by nZac 4348 days ago
My concern revolves around credibility. They took a beating after Heartbleed regarding the cost of revocation for certificates/credentials affected. While that is mostly a business decision on their end– it raises concerns about what their business is about. Nothing is "free", it just might not cost currency. "If you don't pay for the service, you are the service."

Since I don't have experience with them I am looking for some level of assurance that they are a legitimate service. In my opinion it is difficult to gain that assurance just from their website.
2 comments
jburwell 4348 days ago
Heartbleed had nothing to do with certs themselves, but instead, with how OpenSSL implemented an aspect of connection negotiation. Hence, the issue was isolated to OpenSSL not other SSL implementations or the SSL/TLS standards themselves.

In terms of "credibility", the issue comes down to how many browsers include their root cert by default. As far as I know, IE, Firefox, and Chrome include it meaning that it will be trusted by default.

The way they make money is selling other types of services such as wildcard and "green bar" certs. I think the folks running it want to see a wider use of SSL, and see providing free host-based certs as a good way to accomplish that goal. Bear mind, there zero cost to signing a cert ...

link
ansid 4348 days ago
I have paid wildcard certs with them. Their site is weirdly designed and heavy on the self-service, but I have no complaints about them. I have revoked certs with them and everything has been reasonable.

That said, why does it matter if they're "credible"? Their certs are accepted by pretty much every browser, OS and library, and they have a long track record as a CA.

Regardless, as a business I have had business dealings with, let me assure you they are a "legitimate service".

link
tarminian 4348 days ago
I currently use them and have no issues. I'm a validated customer and they take even the personal validations very seriously. They even check based on domain names, if you have financial in your domain name, be prepared to be questioned on why you are getting a free ssl certificate.
link