Web Hosting Talk

I found free SSL Certs


hostpath.com
07-03-2002, 02:12 PM
The SSL discussion in another thread led me to look around and I found a site that offers low-cost ($38 per year) SSL certs and even FREE (for six months) SSL certs:

http://certs.ipsca.com/

Anyone have any experience with IPSCA? They say they've been issuing certs since 1995.

FDrive
07-03-2002, 03:55 PM
I think the main problem with most of the free SSL certs, at least the ones I've looked into, is that they don't have very high browser-compatibility. At least not as high as the paid certs.

hostpath.com
07-03-2002, 04:53 PM
FDrive:

Thanks. Based on your comment, I tested the IPSCA cert in IE, Netscape, Opera and Mozilla and it worked in all of them.

311
07-03-2002, 04:56 PM
Originally posted by hostpath.com
FDrive:

Thanks. Based on your comment, I tested the IPSCA cert in IE, Netscape, Opera and Mozilla and it worked in all of them.

He means older browsers, some people are lazy and never update their browsers...:D

hostpath.com
07-03-2002, 05:07 PM
I tested multiple versions of NS and IE. The oldest versions I tested were IE 5 and Netscape 4.7 and it worked in both. Based on the aggregation of all my server logs across multiple sites, anything older than that accounts for so little traffic as to be negligible.

RRolfe
07-03-2002, 05:17 PM
well if you don't have the older browser traffic then you SHOULD be ok.

a:\
07-03-2002, 05:29 PM
Just a quick note to say that http://www.freessl.com free certs are back

FDrive
07-03-2002, 05:33 PM
Originally posted by hostpath.com
I tested multiple versions of NS and IE. The oldest versions I tested were IE 5 and Netscape 4.7 and it worked in both. Based on the aggregation of all my server logs across multiple sites, anything older than that accounts for so little traffic as to be negligible.

It's the IE3 users I'd mainly be concerned about... there are still a surprising number of users...

Anyway, if free certs work, then that's great. I just personally don't mind paying $49 to get a cert that works with 95% of all browsers.

hosty
07-03-2002, 06:44 PM
Originally posted by hostpath.com
I tested multiple versions of NS and IE. The oldest versions I tested were IE 5 and Netscape 4.7 and it worked in both. Based on the aggregation of all my server logs across multiple sites, anything older than that accounts for so little traffic as to be negligible.

How did you manage to get it to work with Netscape? I checked their website and they clearly state that they are ONLY compatible with IE 5.01 and above and NOT Netscape!? Here is what they say on their website:

"ipsCA root Certificate (IPS SERVIDORES) was incorporated in Internet Explorer 5.01 and since then Microsoft distributes it in every release of Internet Explorer and Operating System. Today our root certificate is present in more than 90% of today's browsers." at http://certs.ipsca.com/ChainedCAs/index.htm

neither www.freessl.com nor IPSCA is compatible with any version of Netscape. And while AOL is toying around launching new version of Netscape to every AOL customer and while there are still many large organisations (like Morgan Stanley etc) still use Netscape as their default browsers, I see it dangerous to use these false economy certificates. (but hey that's only my opinion)

:D


Hosty

hostpath.com
07-03-2002, 07:17 PM
Originally posted by hosty
neither www.freessl.com nor IPSCA is compatible with any version of Netscape

False. It is compatible with Netscape, the ipsCA root certificate is simply not distributed in the release of the product. IE 5.01 and up include that root cert, you have to tell Netscape it's okay.

It is compatible, just not recognized by default, and it DOES create a secure session.

Originally posted by hosty
How did you manage to get it to work with Netscape? I checked their website and they clearly state that they are ONLY compatible with IE 5.01 and above and NOT Netscape!?

I visited their site using Netscape and clicked on the link marked "Click Here to Test a Server with one of our Certificates". NS asked me if I wanted to install the cert and I did, and the https:// page opened in SSL mode.

Simple.

hosty
07-03-2002, 07:24 PM
Originally posted by hostpath.com


False. It is compatible with Netscape, the ipsCA root certificate is simply not distributed in the release of the product. IE 5.01 and up include that root cert, you have to tell Netscape it's okay.

It is compatible, just not recognized by default, and it DOES create a secure session.



I visited their site using Netscape and clicked on the link marked "Click Here to Test a Server with one of our Certificates". NS asked me if I wanted to install the cert and I did, and the https:// page opened in SSL mode.

Simple.

well in a world where words are used interchangeably without defining what one means does lead to misunderstanding.

I agree with your expanded definition: ipsca is not recognised by default by netscape. nor www.freessl.com. I never thought of standard X.509 certificate issued by any one of these people to have compatibility problem as it's fairly a standard routine and based on fairly clear RFCs. hence i assumed you meant browser recognition.

assumption is mother of all f**k ups!

anyway, it is true that for a netscape user neither ipsca nor www.freessl.com could offer trust. with AOL trying to bring netscape back into picture, i don't see the attraction of the above two.

hosty

hostpath.com
07-03-2002, 07:32 PM
Originally posted by hosty
anyway, it is true that for a netscape user neither ipsca nor www.freessl.com could offer trust. with AOL trying to bring netscape back into picture, i don't see the attraction of the above two.

I guess I'm missing something. IPSCA does create a SSL session for Netscape browsers. You say that IPSCA doesn't offer trust for a NS user -- unless I'm misunderstanding your comment, IPSCA does work with NS.

That being said, I'm not advocating the use of free certs, just pointing out that in my examination of the certs issue in light of the Thawte price increase, I did find a viable free cert.

Hey, if you're price sensitive and don't want to go the free route, just become an InstantSSL affiliate and buy certs for $30 a piece.

GlideTech
07-03-2002, 07:35 PM
Look at freessl.com... free for the first 3 months, then it's paid like every other cert.

hosty
07-03-2002, 07:47 PM
Originally posted by hostpath.com


I guess I'm missing something. IPSCA does create a SSL session for Netscape browsers. You say that IPSCA doesn't offer trust for a NS user -- unless I'm misunderstanding your comment, IPSCA does work with NS.

That being said, I'm not advocating the use of free certs, just pointing out that in my examination of the certs issue in light of the Thawte price increase, I did find a viable free cert.

Hey, if you're price sensitive and don't want to go the free route, just become an InstantSSL affiliate and buy certs for $30 a piece.

trust as far as the implementation and use of SSL is concerned is:
when seeing the padlock you are assured (in theory anyway) of 2 things:
you are dealing with a legitimate entity
you have an encrypted link

and the assumption is if you are in the browser as a root key you are trusted. So seeing a padlock will in theory mean:
a trusted authority has issued a valid ssl certificate to an entity that exists and they are who they say they are etc etc.

so not being trusted by the browser (browser recognition) the link is broken hence assumed not trusted. that is the interpretation of the industry etc and this is why, according to gartner report the industry doesn't like geotrust for not validating the companies. here is an excerpt from that report i got from www.instantssl.com

*****************
As a recent Gartner report (April 2002) into the current SSL market states; "If SSL certificates are issued without adequate identity checking of the enterprises applying for the certificates, the opportunity for fraud vastly increases." The report continues to explain why this may be the case; "If legitimate enterprises can obtain certificates for domains that they don't own, or if nonexistent companies can obtain certificates for domains masquerading as legitimate (e.g., amazom.com pretending to be amazon.com), then it will be increasingly easy to create fraudulent Web sites."

The value of SSL is protected by the strength of a standard two-point validation process. The first step is to verify that the applicant owns, or has legal right to use, a domain name. The second step is to verify that the applicant is a legitimate entity. The compromise of either step potentially undermines the level of security provided through SSL to the end consumer.
*************************

so, the way that the end user is educated it is fair to say that ipsca certs and freessl.com certs would be untrusted in netscape

again, it's all about definition hostpath.com.

hosty

Global-Host2
07-03-2002, 10:22 PM
I signed up, and only have a status page, I don't see where to get my certificate id, I went through process and confirmed all accounts.

jw
07-03-2002, 10:29 PM
Even a server created certificate will produce a secure connection, that shouldn't be what you are worried about. The difference between trusted/non-trusted certs is that a dialog pops up saying that this type of cert is not in the browser's list of trusted certs. One other comment...people that don't upgrade their browsers aren't typically prone to going to many e-commerce sites and entering their credit card info, so personally I wouldn't be afraid that you will lose many paying customers.

ScottD
07-03-2002, 10:33 PM
Just a quick note on the value of a good certificate:

If you lose one paying customer per year and that customer would be spending more than $90 with you during that year, you've already lost out by using a lower quality cheap or free certificate.

And a note on compatibility:

Certificate compatibility is an important factor in trust and has nothing to do with the underlying SSL protocol. If your browser doesn't trust the certificate, all is still secure but you can't be guaranteed that you are talking to the intended party.
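
The distinction the thread converges on (the same certificate is "recognised" or not depending on which roots a browser ships) can be reproduced with OpenSSL. This is an added example, not part of the original thread; the CA names, `shop.example`, and the store file names `ie.pem` and `netscape.pem` are constructed stand-ins for two browsers' root stores.

```shell
#!/bin/sh
# Added example: one server certificate checked against two root stores.
# Requires the openssl CLI; every name below is constructed for the demo.
WORK=$(mktemp -d)

# Build a root CA, a server certificate it signs, and an unrelated root.
setup_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=shop.example" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 30 \
    -out "$WORK/leaf.pem" 2>/dev/null &&
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Other Root CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
}

# verdict STORE: print "trusted" if the server cert chains to a root in STORE.
verdict() {
  if openssl verify -CAfile "$1" "$WORK/leaf.pem" 2>/dev/null | grep -q ': OK$'
  then echo trusted
  else echo untrusted
  fi
}

# install_root STORE: what accepting the browser's "install this
# certificate?" prompt does. Trust now rests on the user's click,
# not on any vetting of the CA by the browser vendor.
install_root() { cat "$WORK/root.pem" >> "$1"; }

setup_pki || { echo "openssl failed" >&2; exit 1; }

# Store A ships the issuing root; store B ships only other roots.
cat "$WORK/root.pem" "$WORK/other.pem" > "$WORK/ie.pem"
cp "$WORK/other.pem" "$WORK/netscape.pem"

echo "store A (root shipped):     $(verdict "$WORK/ie.pem")"
echo "store B (root not shipped): $(verdict "$WORK/netscape.pem")"
```

The certificate and key are identical in both checks, so the encryption a session would get is the same; only the identity verdict differs, and calling `install_root "$WORK/netscape.pem"` flips it for that one store.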