I see tucows has their secure certs on offer now. Had anyone actually seen one? The reason I ask is if it's the same as what it appears to be on their site I'm not sure if I'd jump at the chance for one.

As SSL is designed to increase security (and therefore the sense of trust for customers), having my secure cert depicting two lovable cows might not quite instill the same sense of dependability as Verisign or Thawte.

The tucows brand is pretty well known I know but it's mainly related to downloads and screensavers etc. Even Opensrs doesn't use the two moo-ing ones. The price is good, but I think I might stick with something a little more comforting.

Greg Moore

I haven't used their certificate service, but I'll tell ya... if they do certificates as well as they do domains, their competitors are in trouble.

Originally posted by akashik
I see tucows has their secure certs on offer now. Had anyone actually seen one? The reason I ask is if it's the same as what it appears to be on their site I'm not sure if I'd jump at the chance for one.

As SSL is designed to increase security (and therefore the sense of trust for customers), having my secure cert depicting two lovable cows might not quite instill the same sense of dependability as Verisign or Thawte.


An SSL certificate has nothing to do with the security seal (like this one (http://www.verisign.com/images/seals/Secure-White98x102.gif)) that Verisign and others have. The security seal is just to comfort the user by "verifying" that the site is secure.

The real information about the digital information can be seen when you double-click on the lock in the status bar of your browser when you're on a secure site. The certificate dialog will tell you whether the cert is valid, who it was issued to, and lots of other information. In that respect, the Tucows certs will be perfectly normal.

Their price, $99/yr for resellers, is not as low as certs through Equifax ( https://www.equifaxsecure.com/s3/process.html -- $68 )... But they did considered both Entrust and Equifax before choosing Entrust primarily because of long-term stability.

Originally posted by Rehan
The real information about the digital information can be seen when you double-click on the lock in the status bar of your browser when you're on a secure site.I may be erroneously speaking for Greg, but I think you missed his point. However the Tucows cert may in reality stack up against those from Verisign or Thawte, perception is important. And that's perception as held by the inexperienced user, many of whom have no idea that you can access the details of the cert by clicking on a broswer icon. It will be enough to try to build the Tucows cert reputation enough that people will be confident in it; that effort won't be helped by a cutesy logo with smiling cows.

At least I think that's his point, and it's why my company will stick with offering Thawte and Equifax certs for now, in spite of being completely sold on Tucows in general and OpenSRS in particular.
But they did considered both Entrust and Equifax before choosing Entrust primarily because of long-term stability. That's kind of surprising, considering that Equifax is an older company and has been a major player in the credit reporting business for decades. It's a pretty stable organization.

Originally posted by JayC
It will be enough to try to build the Tucows cert reputation enough that people will be confident in it; that effort won't be helped by a cutesy logo with smiling cows.

Probably 99% of people don't click on the lock to look at the certificate details. So the user doesn't know (or care) whether the web server is using a certificate from Verisign, Entrust, Equifax or anybody else. So in that respect, they're all equal. As long as the root CA is embedded in the browser, the process is transparent for the users.

I'm sure Tucows won't be pushing out a "secured by a couple of cow heads" seal program. :)

That's kind of surprising, considering that Equifax is an older company and has been a major player in the credit reporting business for decades. It's a pretty stable organization.

Tucow's stance on it is described here (http://www.opensrs.org/archives/discuss-list/0102/0147.html).

Originally posted by Rehan
I'm sure Tucows won't be pushing out a "secured by a couple of cow heads" seal program. :)

Why not? Have you ever been duped by a cow? :) Their motto can be "As safe as a cow".

Thats a god one freakysid...LMAO

Originally posted by Rehan
Tucow's stance on it is described here (http://www.opensrs.org/archives/discuss-list/0102/0147.html). OK, that makes sense: they're not concerned with the long-term viability of Equifax itself, but with whether EquifaxSecure -- that division of the company that sells the certs -- will last. Thanks for the link, I've gotten hopelessly behind on reading the OpenSRS discussion lists!

On the other point, perhaps you're right and I'm overreacting. To be clear, my hesitation isn't the cert itself, it is that for certain commerce applications there's a value to displaying the seal of the appropriate CA, and in those cases that seal's appearance carries an amount of weight in addition to that of the Cert Authority itself. But I took Greg's original post to mean that there is a Tucows Cert seal with the cow logo; I've just looked through their site and don't see anything like that. So perhaps they do have something more "professional" in store.

It probably still won't mean we'll resell them: there's no compelling reason to offer one more cert, and Tucows' reseller pricing isn't so attractive as to change my mind about that.

My friend has SSL from Tuscows, they are ALRIGHT!

I took Greg's original post to mean that there is a Tucows Cert seal with the cow logo; I've just looked through their site and don't see anything like that.

JayC,

Close.. I was hoping it *wasn't* smiling cows though your earlier post about my thinking of customer perception was spot on. I'm in the same boat as you, not seeing a copy of one on their site so had to had the little logo as an indication...

Anyone got a link to a site with one?

Greg Moore

Go to https://certs.tucows.com/images/certs-logo.gif and click on the lock in the status bar. The cert for certs.tucows.com was signed a few days ago by an Entrust CA, so it's probably the same format as the certs OpenSRS will issue.

Well certs all look the same from the status bar :)

The image on that page is interesting though - looks like they might be using the opensrs logo...

Greg Moore

Personally, I've not seen too many people care or think about or look at the cert's information. I'd use any that are reliable and secure, which they all are, pretty much. And, the cheaper, the better, if not free.

Tim,

I'd have to disagree there. Personally I like the fact that certs aren't free. It shows to me that people are ready to make an investment in security, and have something to lose if they don't honour that trust. I know it doesn't mean you can trust the merchant, only that your data isn't going to be picked off along the way, but I think they go somewhat hand in hand to a certain extent.

Free certs would help the card holder privacy in the wider scheme of things to be sure, but as a buyer I think I'd be looking for a merchant prepared to fork out a bit of cash for providing that service. We very nearly went with a Verisign cert following this ideal. Eventually settled on Thawte though.

Greg Moore

And while certainly a way to offer them for free could and someday might be found, it makes sense to pay for a cert since a considerable amount of work can and does go into the process. That is, it can't easily be completely automated; a real live person has to look at documentation, and track down details to assure that an entity submitting an application really is what it claims to be.

Sometimes it's a hassle having to come up with (or help clients come up with) everything they need to satisfy the requirements, but that red tape is really what makes the thing work.

That's true as well. I had phone calls being fired back and forth to South Africa trying to confirm a phone number of mine to those guys at Thawte. I doubt a free cert would be too worthwhile in regards to actually confirming those details.

Greg Moore

I agree with what both of you are saying. However, I supposed I meant it more in a sense of not being a secure connection for a credit card or private information, but in the spirit of the many site's that just allow SSL connections to encrypt the information on a service, such as protecting data and passwords from outside sniffers, not the system that will hold and check information against anyway. Such as Yahoo or Hotmail web based email programs.

Well, maybe a bad example (since I've personally never use web based email for anything important, but other's might and do), but just some general SSL connections, such as to secure the information when submitting a password and username to a general site that doesn't rick anything much, other than taking over someone's membership... Like here. It's not that common, but not that rare either and it's not important enough to worry about it being a real company's cert. Such as, you can generate and use your own in those instances and pay nothing, and offer your user's more secure data transfer, even if it is trivial, since it'll be free.