Web Hosting Talk
View Full Version : FREE SSL Certificates...


mouseattack
07-09-2005, 01:36 AM
Hello all,
I was told by MANY people that it's possible to get completely free SSL certificates, not having to spend $15 - 150 per certificate like some people do. I can't remember who all told me or what community it was, but I thought it was at this one.

Does anyone know how I can sign up and get a free SSL for my website?

Thank you.

Ogg
07-09-2005, 01:52 AM
You could generate one yourself from your server but it wouldn't be considered safe by any browser.

mouseattack
07-09-2005, 02:26 AM
OK, and what would that mean? That would mean they would have to hit "ok" or something when the little thing pops up?

What else is there? I thought you have to hit ok for each cert the first time you visit.

pztup
07-09-2005, 02:42 AM
You only click ok if it's not valid or doesn't have a signer. If it's valid and signed you won't get the popup box.

Storagedump.com
07-09-2005, 04:10 AM
I am also more interested in an at least DIRT :) cheap SSL cert.

Trigger
07-09-2005, 04:29 AM
Originally posted by mouseattack
I thought you have to hit ok for each cert the first time you visit.

Browsers use a Trust relationship to accept the SSL certificate used on a website. Each certificate generated and used on a website contains the domain name the certificate has been issued to, the date it was issued and the date it will expire as well as the issuer of the certificate.

If you try to use a certificate on a different domain than the one it was issued to, even using it for domain.com when it was issued to www.domain.com, then you will get an error. You will also get an error if the certificate has expired.

The last error is the Trust part. For the certificate to be accepted by the browser without you having to manually click on the Ok button, your browser must have the issuer in its list of trusted Certificate Issuing Authorities. Geotrust and the other major players pay for this privilege to have their CA Root certificates accepted by most browsers. When you purchase a certificate it is issued from this Trusted Root certificate and tied to it; as you are now part of the Trusted chain, the browser automatically trusts your certificate and there is no error. Because they have to pay to be included, plus their own running costs, they will then set how much they believe their product is worth; brand name factors into that, so you get a wide range of prices for what is essentially the same product.

For a Free certificate you can generate a self signed certificate, but because it is not trusted you get the popup. You can manually add the issuer to the browser's trusted list so you do not get the popup, and this is the suggested option if you wish to use one of these certificates for your own security to access your website.

Trying to get your visitor who wants to make a purchase on your website to understand this may be more trouble than it's worth. If you purchase a "Trusted" certificate then you will not popup a warning each time.

boonchuan
07-09-2005, 08:17 AM
cacert.org provides free certs. But you can just generate your own self signed ones.

Raptors
07-09-2005, 08:24 AM
But those SSLs will get a popup warning saying that the cert was issued by a company you have not chosen to trust, really annoying...

The cheapest I can find is starterSSL ($14.95 from http://www.ev1servers.net/english/starterssldetails.asp)

They used to have a SSL promotion for $4.95 :eek: but it's no longer available ;)

Originally posted by boonchuan
cacert.org provides free certs. But you can just generate your own self signed ones.

blacknight
07-09-2005, 11:15 AM
A lot of the SSL providers give a level of warranty with their certs, so you can't expect to get them for free.

Rich
07-10-2005, 12:24 AM
Sign up as a RapidSSL reseller. They are AWESOME to say the least, and heck, you can get a FREE ssl cert for 30 days, and after that it is cheap to get their standard cert.

tytusonline
07-10-2005, 10:55 AM
yes you are correct, some hosting services provide you with a shared ssl certificate... but if you want an individual one you will have to pay for it

bitfuzzy
07-11-2005, 12:04 PM
We use self certs and they work fine (They are just as secure as one you'd get from Geotrust etc)

We've found that explaining that they'll get a popup, and what the information means made a big difference in our customers accepting the certificates. We also accept Paypal for those who decide not to trust the certificates.

We don't have 1 account that hasn't purchased because of it.

Goldwing
07-11-2005, 03:17 PM
Originally posted by bitfuzzy
We don't have 1 account that hasn't purchased because of it.

Then that is extremely sad.

When people spend ages and lots of money trying to educate consumers to the dangers of e-commerce trading and fake information.

bitfuzzy
07-11-2005, 03:25 PM
Originally posted by Goldwing
Then that is extremely sad.

When people spend ages and lots of money trying to educate consumers to the dangers of e-commerce trading and fake information.

What information is fake?

The security layer is exactly the same as a purchased cert.
It will tell you (the visitor) if the certificate does not match the domain

In fact the only difference actually is the site didn't spend $$ so the visitor wouldn't get a popup saying the organization that signed the cert has not been accepted as a trusted signature.

You're just as open to fraud with purchased certificates.

As long as the security layer (ssl/https) is providing the proper security level, the buyer isn't in any more or less danger of fraud

iseletsk
07-11-2005, 03:38 PM
What is fake is the info about the organization.

One of the things that certificates should do is allow the customer to authenticate the organization that stands behind the domain.
How otherwise could you check that paypal.com is a real site, belonging to eBay, and some paypalverify.com is not?

That's exactly where certificates should have played. 3rd parties (CAs) are supposed to verify that they issue a certificate to a particular organization. That is why all high assurance providers require you to fax your corporate papers before they issue the certificate. They validate you as a company - that you exist, where you say you exist (and not someone from Mongolia claiming to reside in Indiana). This is done to make sure that the customer can authenticate who you are, by using the certificate. (See the oid field in the certificate, and if it states your domain name, and not your company name - you have a low assurance certificate)

Of course there are low assurance certificates, that don't verify the company - and all they do is check that you host/own the domain - which is worthless in terms of authenticating who you are, thus defeating some of the purpose of certificates. They make sense only if the "client" already knows who this site belongs to (like when you have two computers talking to each other over ssl). They are about the same level in this as self signed certificates - which dilutes the value of certificates overall.

Goldwing
07-11-2005, 04:05 PM
Originally posted by bitfuzzy
What information is fake?

The security layer is exactly the same as a purchased cert.
It will tell you (the visitor) if the certificate does not match the domain

In fact the only difference actually is the site didn't spend $$ so the visitor wouldn't get a popup saying the organization that signed the cert has not been accepted as a trusted signature.

You're just as open to fraud with purchased certificates.

As long as the security layer (ssl/https) is providing the proper security level, the buyer isn't in any more or less danger of fraud

Please tell me you don't actually believe that and more importantly you are not telling your customers that !!

Iseletsk above has saved me some typing ;) thanks

Low cost, cheap and nasty and self signed certificates are exactly that: they have no real value in site security for professionals.

bitfuzzy
07-11-2005, 04:31 PM
a user won't know paypal is an ebay company from its ssl cert

I'll agree that there is a potential problem for man in the middle attacks, or dns poisoning, but I don't buy this.

exactly how hard is it to provide false information when setting up a domain (for CA's that verify via whois)

how hard is it to fax a dummy letterhead and or modified utility bill

how hard is it to get a temporary phone number to use for those who verify via phone (or pre-paid cells would work great also)

aside from the information assigned to the CC number used (if it wasn't stolen)

I don't see how physical information for a company is any more or less prone to fraud than a self-signed

Please note: I'm not trying to start a flame war, nor an argument..

iseletsk
07-11-2005, 04:38 PM
If you check the latest Opera browser - it will display the organization id (company name) at the top of the browser, right below the URL. As much as I know, other browsers plan to do it as well (due to phishing). So, while today only a smart user can check what organization a site belongs to, in 6 months - 18 months there is a chance that everyone will see it.

CAs that verify via whois only are doing "low assurance" certificates - meaning they are checking only the domain name, not the business behind it.
There will be no company name in those certificates, only domain names.
High assurance requires you to fax driver license/corporate papers/etc - and will place company name in the certificate.

Regarding how hard it is to fake documents - harder than you think - some info is not easily available, and most CAs have a way to verify it. It is the same as applying for credit cards/mortgages, etc... identity fraud is possible - but it is not as easy as just generating a self signed certificate or acquiring a low assurance one.

Goldwing
07-11-2005, 05:06 PM
Please note: I'm not trying to start a flame war, nor an argument..

Sorry if I came across that way - old age ( and heat) making me cranky ;)

I see self signed certs as having their place, however true e-commerce sites need to provide (and in some cases move to) a more secure environment for their customers - I simply disagree that it is enough to provide "any" certificate, and it will do more damage than good to the industry in the long run.
Customers have had their trust knocked in recent years and it is up to us (the supposed professionals :rolleyes: ) to build the systems they can trust and use.

If you have recently applied for a trusted CA certificate you will realise just how difficult it can be to gain approval ( at least I did have trouble) even to the point I was getting a bit annoyed at the process but overall I can see the reasoning behind it and on reflection I am glad these types of checks and assurances are made.

bitfuzzy
07-11-2005, 05:06 PM
[it will display organization id]

right, however nowhere in PayPal's certificate is eBay mentioned (though it could be).

Hmmm, I think I see your point.

While I won't agree that self-signed certs as a whole are a problem for surfers, as we and many other self-signed users are legitimate, I do see that there is a potential for abuse for those whose intentions are otherwise.

This is definitely something I've got to think about.

Thanks to iseletsk and goldwing for having patience enough to explain this further

iseletsk
07-12-2005, 08:44 AM
Originally posted by bitfuzzy
[it will display organization id]

right, however nowhere in PayPal's certificate is eBay mentioned (though it could be).

Sorry, they go under "PayPal, Inc."
See the Organization line in the certificate.
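An added example, not written by anyone in this thread: it reproduces the three checks Trigger describes (the name the certificate was issued to, its validity dates, and whether the issuer is in the browser's trusted list) and the Organization line iseletsk points to, using the openssl command line against throwaway certificates the script builds itself. It assumes OpenSSL 1.1.1 or newer is on the PATH; the private CA, the key files, the 30-day validity and the organisation name "Example Shop Ltd" are constructed for this demo, and www.domain.com is the placeholder name already used in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a throwaway CA, a leaf certificate
# for www.domain.com signed by it, and a self-signed certificate for the same
# name, then runs the checks a browser makes before accepting a certificate
# silently. Assumes OpenSSL 1.1.1+; every name and file here is constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CNF="$WORK/demo.cnf"

# Minimal req config so the demo does not depend on the system openssl.cnf.
cat > "$CNF" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.domain.com
EOF

# The "issuer" (a private CA), a 30-day leaf for www.domain.com that carries an
# Organization name the way a company-validated cert would, and a self-signed
# cert for the same name that names only the domain.
make_certs() {
    openssl req -x509 -config "$CNF" -extensions v3_ca -newkey rsa:2048 -nodes \
        -sha256 -days 365 -subj "/CN=Throwaway Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -new -config "$CNF" -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example Shop Ltd/CN=www.domain.com" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$CNF" -extensions v3_leaf \
        -out "$WORK/leaf.crt" 2>/dev/null
    openssl req -x509 -config "$CNF" -extensions v3_leaf -newkey rsa:2048 -nodes \
        -sha256 -days 30 -subj "/CN=www.domain.com" \
        -keyout "$WORK/self.key" -out "$WORK/self.crt" 2>/dev/null
}

# verify_cert CERT HOSTNAME TRUST [EPOCH]
# Emulates the browser: the issuer must be in TRUST ("none" = an empty trusted
# list; -no-CAfile/-no-CApath keep the system store out of it), the name must
# match the certificate, and the clock (EPOCH, default now) must fall inside the
# validity window. Prints "accepted" or "rejected" rather than exiting.
verify_cert() {
    cert="$WORK/$1"; host="$2"; trust="$3"; when="${4:-}"
    set -- -no-CAfile -no-CApath -verify_hostname "$host"
    if [ "$trust" != none ]; then set -- "$@" -CAfile "$WORK/$trust"; fi
    if [ -n "$when" ]; then set -- "$@" -attime "$when"; fi
    if openssl verify "$@" "$cert" >/dev/null 2>&1; then echo accepted; else echo rejected; fi
}

# org_of CERT: the Organization (O=) line of the subject; "(none)" when the
# certificate names only a domain, as a domain-validated or self-signed one does.
org_of() {
    o="$(openssl x509 -in "$WORK/$1" -noout -subject -nameopt sep_multiline \
        | sed -n 's/^ *O=//p')"
    if [ -n "$o" ]; then echo "$o"; else echo "(none)"; fi
}

make_certs
later=$(( $(date +%s) + 60 * 86400 ))   # 60 days out: past the leaf's 30-day window
echo "trusted issuer, right name:   $(verify_cert leaf.crt www.domain.com ca.crt)"
echo "same cert, bare domain.com:   $(verify_cert leaf.crt domain.com ca.crt)"
echo "issuer not in trusted list:   $(verify_cert leaf.crt www.domain.com none)"
echo "clock past expiry:            $(verify_cert leaf.crt www.domain.com ca.crt "$later")"
echo "self-signed, nobody vouches:  $(verify_cert self.crt www.domain.com none)"
echo "self-signed, added manually:  $(verify_cert self.crt www.domain.com self.crt)"
echo "Organization in leaf.crt:     $(org_of leaf.crt)"
echo "Organization in self.crt:     $(org_of self.crt)"
```

The first accepted line is the purchased-certificate case from Trigger's post: issuer trusted, name matches, dates in range. The next three are the three errors a browser raises. The self-signed pair shows why it warns and what "manually add the issuer to the trusted list" means: the same file becomes acceptable only once the user has put it in their own trust list. The last two lines are iseletsk's point: a certificate that only proves control of a domain has nothing on its Organization line for a browser to display.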