Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


startcom SSL vs paid ssl
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

startcom SSL vs paid ssl

raindog308raindog308 Administrator, Veteran
edited May 2012 in General

Is there any advantage to buying an SSL through namecheap, enom, etc. vs. using a free one through startcom?

I am talking about domain verification, not EV.

$10/year or whatever is not a big deal...but I'm wondering if there is any point.

Comments

  • You get a 10k insurance.

  • rds100rds100 Member

    99.9+% of the users can't tell and don't care who issued your SSL, as long as their browser does not complain. This obviously does not apply to EV SSL since green bar is easily visible, but for the regular SSLs as long as the browser displays the padlock and doesn't display warnings - it's all the same.

  • subigosubigo Member
    edited May 2012

    Up until last year they had constant issues with their certificates not being trusted by browsers. That's apparently fixed now... but from what I remember they won't reissue the license for you. After a year, you have to go through the entire process again.

  • gianggiang Veteran
    edited May 2012

    @BassHost said: You get a 10k insurance

    You get 10k insurance with StartCom SSL too :P
    https://www.startssl.com/?app=39

    Up until last year they had constant issues with their certificates not being trusted by browsers. That's apparently fixed now... but from what I remember they won't reissue the license for you. After a year, you have to go through the entire process again.

    It just takes about 5 minutes to reissue :D

  • raindog308raindog308 Administrator, Veteran

    Yeah, but now that I look, it's 5 minutes every 30 days..sheesh.

  • rds100rds100 Member

    What does this 10k insurance give you exactly?

  • gianggiang Veteran
    edited May 2012

    @raindog308 said: Yeah, but now that I look, it's 5 minutes every 30 days..sheesh.

    My SSL works for about a year, they will send email to remind when I got about 1 month left :D

    @rds100 said: What does this 10k insurance give you exactly?

    Same as AlphaSSL, PositiveSSL, RapidSSL?

  • rds100rds100 Member

    @giang yes, i just don't understand what the insurance gives you. It insures for what risks? How / when can you claim the insurance to be payed?

  • yomeroyomero Member

    @rds100 said: @giang yes, i just don't understand what the insurance gives you. It insures for what risks? How / when can you claim the insurance to be payed?

    I guess... if the certificate gets vulnerated in some way? Cracked, or sth... lol

  • marrcomarrco Member
    edited May 2012

    free startssl isn't a wildcard, and it's limited to one year. So you need to issue one for every host and remember to renew annually. No problem with browsers, mail clients for tls etc, you just have to create a correct certificate chain. Plus documentation ain't so great, but apart from this there's no real difference. Standard DV from rapidssl start at about 7USD here: https://www.sslmatrix.com/ssl-brands/rapidssl/rapidssl-certificate

  • qhosterqhoster Member

    Startcom is pretty good SSL cert., we were using it for cPanel and some other https:// secured areas and was working like paid RapidSSL.

  • So, my blog is using Startcom Free SSL.
    Would someone test it, and tell what you think? It did not show something like "Free SSL provided by Startcom" right?

  • mjjohnsonmjjohnson Member
    edited May 2012

    @ErawanArifNugroho said: So, my blog is using Startcom Free SSL.

    Would someone test it, and tell what you think? It did not show something like "Free SSL provided by Startcom" right?

    Using Chrome on Linux and inspecting the certificate, it looks fine to me:

    The identity of this website has been verified by StartCom Class 1 Primary Intermediate Server CA

    However, my browser does complain that you're mixing http and https content on the same page. A quick look shows that a bunch of your images are using http, so that's at least part of the problem. If you're bothering to use SSL, you'll probably want to make sure those (and any other included content) are also going over https when someone is on the https version of the page.

    EDIT: You also might want to look at protocol-relative URLs, which are commonly used (in that link, Wikimedia announced that they were switching and describes what they are). They're a nice solution to automatically picking http/https depending on which version of a page you're on.

  • edited May 2012

    @mjjohnson said: A quick look shows that a bunch of your images are using http

    Ah.. Yes. That's the problem because I'm using Wordpress. And for normal viewers, I just put http. :)

    So, basically I enable the https for the whole website. But I use it for some specific pages, like login and some server status :D

    And thank you for giving the link. :)
    I will try it

  • CloudxtnyHostCloudxtnyHost Member, Host Rep

    Guys if this is for a commercial business you shouldn't be using startcom, you should be using StartSSL verified.

    If its a personal website or server then startcom free is fine.

  • raindog308raindog308 Administrator, Veteran

    @httpzoom said: Guys if this is for a commercial business you shouldn't be using startcom, you should be using StartSSL verified.

    Why? That's the essence of my question.

  • vedranvedran Veteran

    Because if you pay for it, it must be better. Actually, the more you pay for something the better it is.

  • subigosubigo Member
    edited May 2012

    @raindog308 said: Why? That's the essence of my question.

    It doesn't matter. Encryption is encryption, and as long as it doesn't throw up a browser warning, you're fine. Clients don't go around checking where you got your SSL certificate from. Nobody cares. Hell, most providers around here use third-party payment processors for everything, so I wouldn't even care if they had an SSL certificate installed.

  • dwilddwild Member

    @raindog308 said: Why? That's the essence of my question.

    StartSSL verified imply that you pass a verification process to make sure that you exist. It's not about encryption, it's about trust. That way, the user can know that you actually exist.

  • subigosubigo Member

    @dwild said: StartSSL verified imply that you pass a verification process to make sure that you exist. It's not about encryption, it's about trust. That way, the user can know that you actually exist.

    Heh. The verification process is responding to an email. That's it.

  • raindog308raindog308 Administrator, Veteran

    @subigo said: Heh. The verification process is responding to an email. That's it.

    Same thing is true of a RapidSSL cert I got through Namecheap.

  • CloudxtnyHostCloudxtnyHost Member, Host Rep

    @raindog308 because its the Startcom rules:

    The StartSSL™ Free (Class 1) digital certificates are provided by StartCom without charge. They provide modest assurances and are meant to secure personal web sites, public forums or web mail. Verification is done automatic and instantly by electronic means and mostly without the interference and involvement of our personnel.

  • @raindog308 said: Same thing is true of a RapidSSL cert I got through Namecheap.

    RapidSSL required phone verification for me.

  • subigosubigo Member
    edited May 2012

    @dmmcintyre3 said: RapidSSL required phone verification for me.

    I've ordered dozens of RapidSSL certs over the years and I've never had to do anything other than respond to an email. I don't think they even have my phone number.

  • @subigo said: I've ordered dozens of RapidSSL certs over the years and I've never had to do anything other than respond to an email. I don't think they even have my phone number.

    Maybe it was because I was using the free replace a competitor's SSL thing.

  • CloudxtnyHostCloudxtnyHost Member, Host Rep

    @subigo when ordering for customers we've had one SSL that required phone verification, so its very rare.

  • qhosterqhoster Member

    Startcom is pretty good SSL cert., we were using it for cPanel and some other https:// secured areas and was working like paid RapidSSL.

  • dwilddwild Member

    @subigo said: Heh. The verification process is responding to an email. That's it.

    @dwild said: StartSSL verified imply that you pass a verification process to make sure that you exist. It's not about encryption, it's about trust. That way, the user can know that you actually exist.

    http://www.startssl.com/?app=2
    I suppose you speak about StartSLL Free, I speak about StartSSL Verified and StartSSL Extended Validation (the two paid alternative from StartSSL). To get them you need to prove that you exist, for StartSSL Verified you need to send a scan copy of your passport and your driver license, for the Extended Validation you need much more (and I don't understand all of it, you can read it if you want).

    For me this is the reason you would pay for a SSL certificate. If you don't have any verification, then why would you care to pay for it? At the end you get the same... The only reason to pay that I see is for resale.

Sign In or Register to comment.