New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
startcom SSL vs paid ssl
raindog308
Administrator, Veteran
Is there any advantage to buying an SSL through namecheap, enom, etc. vs. using a free one through startcom?
I am talking about domain verification, not EV.
$10/year or whatever is not a big deal...but I'm wondering if there is any point.
Comments
You get a 10k insurance.
http://www.instantssl.com/ssl-certificate-support/ssl_faqs/ssl_warranty.html
99.9+% of the users can't tell and don't care who issued your SSL, as long as their browser does not complain. This obviously does not apply to EV SSL since green bar is easily visible, but for the regular SSLs as long as the browser displays the padlock and doesn't display warnings - it's all the same.
Up until last year they had constant issues with their certificates not being trusted by browsers. That's apparently fixed now... but from what I remember they won't reissue the license for you. After a year, you have to go through the entire process again.
You get 10k insurance with StartCom SSL too :P
https://www.startssl.com/?app=39
It just takes about 5 minutes to reissue
Yeah, but now that I look, it's 5 minutes every 30 days..sheesh.
What does this 10k insurance give you exactly?
My SSL works for about a year, they will send email to remind when I got about 1 month left
Same as AlphaSSL, PositiveSSL, RapidSSL?
@giang yes, i just don't understand what the insurance gives you. It insures for what risks? How / when can you claim the insurance to be payed?
I guess... if the certificate gets vulnerated in some way? Cracked, or sth... lol
free startssl isn't a wildcard, and it's limited to one year. So you need to issue one for every host and remember to renew annually. No problem with browsers, mail clients for tls etc, you just have to create a correct certificate chain. Plus documentation ain't so great, but apart from this there's no real difference. Standard DV from rapidssl start at about 7USD here: https://www.sslmatrix.com/ssl-brands/rapidssl/rapidssl-certificate
Startcom is pretty good SSL cert., we were using it for cPanel and some other https:// secured areas and was working like paid RapidSSL.
So, my blog is using Startcom Free SSL.
Would someone test it, and tell what you think? It did not show something like "Free SSL provided by Startcom" right?
Would someone test it, and tell what you think? It did not show something like "Free SSL provided by Startcom" right?
Using Chrome on Linux and inspecting the certificate, it looks fine to me:
However, my browser does complain that you're mixing http and https content on the same page. A quick look shows that a bunch of your images are using http, so that's at least part of the problem. If you're bothering to use SSL, you'll probably want to make sure those (and any other included content) are also going over https when someone is on the https version of the page.
EDIT: You also might want to look at protocol-relative URLs, which are commonly used (in that link, Wikimedia announced that they were switching and describes what they are). They're a nice solution to automatically picking http/https depending on which version of a page you're on.
Ah.. Yes. That's the problem because I'm using Wordpress. And for normal viewers, I just put http.
So, basically I enable the https for the whole website. But I use it for some specific pages, like login and some server status
And thank you for giving the link.
I will try it
Guys if this is for a commercial business you shouldn't be using startcom, you should be using StartSSL verified.
If its a personal website or server then startcom free is fine.
Why? That's the essence of my question.
Because if you pay for it, it must be better. Actually, the more you pay for something the better it is.
It doesn't matter. Encryption is encryption, and as long as it doesn't throw up a browser warning, you're fine. Clients don't go around checking where you got your SSL certificate from. Nobody cares. Hell, most providers around here use third-party payment processors for everything, so I wouldn't even care if they had an SSL certificate installed.
StartSSL verified imply that you pass a verification process to make sure that you exist. It's not about encryption, it's about trust. That way, the user can know that you actually exist.
Heh. The verification process is responding to an email. That's it.
Same thing is true of a RapidSSL cert I got through Namecheap.
@raindog308 because its the Startcom rules:
The StartSSL™ Free (Class 1) digital certificates are provided by StartCom without charge. They provide modest assurances and are meant to secure personal web sites, public forums or web mail. Verification is done automatic and instantly by electronic means and mostly without the interference and involvement of our personnel.
RapidSSL required phone verification for me.
I've ordered dozens of RapidSSL certs over the years and I've never had to do anything other than respond to an email. I don't think they even have my phone number.
Maybe it was because I was using the free replace a competitor's SSL thing.
@subigo when ordering for customers we've had one SSL that required phone verification, so its very rare.
Startcom is pretty good SSL cert., we were using it for cPanel and some other https:// secured areas and was working like paid RapidSSL.
http://www.startssl.com/?app=2
I suppose you speak about StartSLL Free, I speak about StartSSL Verified and StartSSL Extended Validation (the two paid alternative from StartSSL). To get them you need to prove that you exist, for StartSSL Verified you need to send a scan copy of your passport and your driver license, for the Extended Validation you need much more (and I don't understand all of it, you can read it if you want).
For me this is the reason you would pay for a SSL certificate. If you don't have any verification, then why would you care to pay for it? At the end you get the same... The only reason to pay that I see is for resale.