ECC SSL Certificate Providers?

elijahpaul Member
edited April 2014 in General

Anyone know of any major CA providers other than Symantec and Entrust (those are the only two I could find so far) currently offering ECC format certificates?

Comments

  • Any reason not to go with Symantec?

  • elijahpaul Member
    edited April 2014

    Nope, no reason at all really.

    I just expected there'd be more CA providers offering ECC certs. Was hoping for a better price comparison than just two vendors.

  • @elijahpaul said:
    Nope, no reason at all really.

    Didn't even know that we could buy ECC yet. Another question, why ECC certificates?

  • elijahpaul Member
    edited April 2014

    Yep. Symantec started offering them around Feb last year I think. Not sure when Entrust started offering em.

    Got a few clients who are building mobile targeted ecommerce apps. ECC certs, due to their shorter key length, can offer better performance (speed), less bandwidth, and security for the same volume of connections as a regular RSA 2048bit cert on mobile devices... (supposedly!)

    EDIT: I got conflicting messages from Comodo as to whether they're currently offering public ECC certs. Got an email from them saying their CTO will get back to me with a definitive answer within 36 hrs.

  • @elijahpaul said:
    Got a few clients who are building mobile targeted ecommerce apps. ECC certs, due to their shorter key length, can offer better performance (speed), less bandwidth, and security for the same volume of connections as a regular RSA 2048bit cert on mobile devices... (supposedly!)

    Interesting, but I'm not sure about that. What I know of ECC is generally bad news. For example, NSA back doors (they created ECC), theoretical quantum computing attacks (that RSA can resist), etc. But I do know that Microsoft uses ECC for their Bitlocker software (audited?) so the issues are probably not issues.

    Would be interesting to test through.

  • elijahpaul Member
    edited April 2014

    Yeah.

    I’ve seen a few speed comparisons, and the performance benefit seems to be negligible when compared to say a 2048bit RSA key in low traffic situations. Not seen/found any meaningful high volume traffic comparisons yet.

    Heard of the backdoors too, and am dubious myself. I think the backdoors do pertain specifically to particular (NSA/NIST recommended) curves though. But then again as you say, the whole thing was NSA sponsored. Feel like we'll never know, what we don't know, till we do know, when it comes to the NSA (but then again, I guess that's the whole point of a backdoor!)

    I'm personally sticking with RSA keys for now.

    Have made the clients aware of these potential issues, but alas, the client wants what the client wants.

  • iceTwy Member
    edited April 2014

    Only Dual_EC_DRBG (which was sponsored by the NSA) is known to have backdoors - Bruce Schneier suspected it as early as 2007. So, yep, you're better off sticking to the recognized standards if you're going for an ECC SSL certificate.

    However, I don't think that major service providers (i.e. Google, Facebook, Snapchat, WhatsApp & co) actually bother to use ECC SSL certificates, simply because there is not much of a performance difference between those and the usual ones. On the other hand, getting one is much more of a hassle. Too bad your client has decided to stick to their decision!
