Hi

Anyone who has a rackshack cert, can you please let me know whether these certificates issued from Equifax root key or Fressl root key (UTN....). I looked at one at https://www.deahost.com/ and it was a UTN (freessl ) root, and was wondering if they were all Freessl certificates that Rackshack charge $49 for? :confused:

thanks
hosty

Rackshack certs are from GEOTRUST (they are resellers).

So equifax is the root cert used.

Originally posted by mlovick
Rackshack certs are from GEOTRUST (they are resellers).

So equifax is the root cert used.
thanks for the reply mlovick.

that is what I initially thought.

But have a look at https://www.deahost.com/ they claim they have got it from Rackshack and I know Rackshack are geotrust resellers, but freessl is a geotrust product as well.

So I would appreciate any feedback by looking at the certificates rackshack has issued to see who the root key is from. Maybe this would explain why Rackshack charge only $49 for their ssl, cos its not an equifax root?

your help is greatly appreciated.

hosty

Here is my Geotrust cert purchased from RackShack:

https://genesis.2hostdns.com

You can see it is equifax.

RS sells at a lose as I remember..

The RS certs I've installed are all Equifax

Originally posted by Marty
Here is my Geotrust cert purchased from RackShack:

https://genesis.2hostdns.com

You can see it is equifax.

Thanks Marty. Thats great. I had a look and you are right.

What puzzles me is that even though geotrust does not validate the "identity" of an application, your cert (well all geotrust certs, not just yours) says "Ensures the identity of a remote computer", exactly same as Verisign one. isn't this a bit confusing to an end user who is used to interpreting this statement as both identity of the applicant as well as the domain name ownership has been validated?

I believe "joe webserver" just understands that it's secure. Very few people actually understand that the Versign/Thawte etc. certs actually verify the identity of the holder.

Frank

My certs came from RS as well and they are both signed by Equifax. If you would like to see, go to https://www.digitalisles.com/css/order/

I hope this helps you out.

-Robert

Originally posted by ffeingol
I believe "joe webserver" just understands that it's secure. Very few people actually understand that the Versign/Thawte etc. certs actually verify the identity of the holder.

Frank

I fully agree with you that joe webserver only understand about an encrypted link, but the meaning of that "yellow padlock" to a user is slightly different, rightly or wrongly. I think when people see that yellow padlock they think of two things:

1)the website owner is legitimate (because the ability to show that padlock is given by a certification authority and they rely on the certification authority to have validated the legitimacy of that company)
2)the information they (the user) enter on that webpage will securely get to that "authenticated" website owner.

I am saying that the user should or should not think the above 2, but they just do. I don't think an average internet user think of that yellow padlock as "only" encrypted link but they think seeing a yellow padlock also mean the entity who owns the website is validated.

Do you think this is a fair assumption of what average users think of what that yellow padlock is?

thanks
hosty

I would agree with that. To give an example, if you use a SSL Accelerator to load balance SSL connections, the connections from the Accelerator to the servers is actually unencrypted and on port 80. If a person would sniff that network, they would see all of the private information flying by. Just goes to show that #2 is not at all the case.

-Robert

Sorry, I made a typo. I ment "joe webuser" not webserver.

I don't think that 99% of the people out there understand anything about certs, ssl, ca's etc.

If they understand anything, it's that the see the padlock and know it's secure. They assume that since they are at "amazon.com" (or whatever) that they are really dealing with amazon.

Frank

Geotrust != Equifax. They may be the same company, but the certificates are not the same as they were when they were Equifax. When they were Equifax, their certificates used a Thawte root certificate for great compatibility. They no longer use a Thawte root and not nearly as compatible as they were when they were Equifax. So, if you have Geotrust, please don't say you have an Equifax certificate. It's just not true.

Originally posted by ffeingol
Sorry, I made a typo. I ment "joe webuser" not webserver.

I don't think that 99% of the people out there understand anything about certs, ssl, ca's etc.

If they understand anything, it's that the see the padlock and know it's secure. They assume that since they are at "amazon.com" (or whatever) that they are really dealing with amazon.

Frank

so would it be a fair assumption to assume that the user goes to a website called https://www.abcd.com sees a yellow padlock and the company name displayed (at that web page) as XYZ Inc and because the user sees a padlock they will trust that XYZ Inc is a legitimate entity who owns www.abcd.com?

thanks

hosty,

From my observations, yes. If they understand anything, it's just that it is secure.

Frank

Feel free to check the certs on my site, they both show Equifax as being the CA.

Issued By:
Organization: Equifax
Organizational Unit: Equifax Secure Certificate Authority

Looks like Equifax...

-Robert

Originally posted by DigitalIsles
Feel free to check the certs on my site, they both show Equifax as being the CA.

Issued By:
Organization: Equifax
Organizational Unit: Equifax Secure Certificate Authority

Looks like Equifax...

-Robert

I just checked it. It does say Equifax, but it does not have the Thawte root like the old Equifax certificates. So, you're right, it IS an Equifax certificate, but it isn't as compatible as the old Equifax certificates.

Originally posted by ffeingol
hosty,

From my observations, yes. If they understand anything, it's just that it is secure.

Frank

Frank

Thanks. Ok, so we have established that the yellow padlock means two things to an end user. But Geotrust/rackshack are issuing certificates without validating the companies. So to an end user they will see the yellow padlock and they will assume that whatever the company name is showing can be trusted, because they will assume the CA has validated them. Well, the CA geotrust has NOT validated them. Just like selling cars but not including the engine. there is nothing wrong with selling cars without engines, its just that a buyer's expectation is that they expect to see the engine inside the car when they buy it.

So my logic is: Are we not damaging our livelihood (ecommerce etc as without ecommerce we wouldn't have many companies require webhosting) by changing the end user's perception (well trying to anwyay) about what that yellow padlock means, hence confusing them and effectively turning them off?

I don't know if you have a motive for your posts or not, Hosty. Don't you sell Comodo certificates, aka InstantSSL certificates?

Anyway, if what you say is true, then Geotrust is no different than the others. All CAs have done people wrongly, IMO. InstantSSL spams, Thawte doesn't keep their promise on prices, Verisign rips people off, etc. So, it seems to me that All of the SSL Certificate Authorities have little to no scruples. People have had problems with all of them.

Originally posted by chrisb
I don't know if you have a motive for your posts or not, Hosty. Don't you sell Comodo certificates, aka InstantSSL certificates?

Anyway, if what you say is true, then Geotrust is no different than the others. All CAs have done people wrongly, IMO. InstantSSL spams, Thawte doesn't keep their promise on prices, Verisign rips people off, etc. So, it seems to me that All of the SSL Certificate Authorities have little to no scruples. People have had problems with all of them.

Chrisb, Yes I DO resell instantssl certificates. I was purely looking from the angle of future of SSL and what this means to us and to our users. I wasn't looking into what companies do, as my interest more on the lines of SSL eg(the yellow padlock) and what that means to users and now, we have taken the first step into changing this perception. Where will this lead us? Just a discussion and to hear people's view.

I know we shared discussions in the other forums but I was trying to keep it at conceptual level and have a discussion (a bit of a mental exercise) about future of SSL and what it means to end users and how any change in that area would effect us?! I would love to hear your views on that.

thanks
hosty

Originally posted by hosty


Chrisb, Yes I DO resell instantssl certificates. I was purely looking from the angle of future of SSL and what this means to us and to our users. I wasn't looking into what companies do, as my interest in this thread is more on the lines of SSL eg(the yellow padlock) and what that means to users and now that we have taken the first step into changing this perception I would like to see what everyone thinks where this will lead us? Just a discussion and to hear people's view.

I know we shared discussions in the other forums but I was trying to keep it at conceptual level and have a discussion (a bit of a mental exercise) about future of SSL and what it means to end users and how any change in that area would effect us?! I would love to hear your views on that.

thanks
hosty

sorry for the double entry, I was trying to edit:o

hosty.

Originally posted by hosty


Frank

So my logic is: Are we not damaging our livelihood (ecommerce etc as without ecommerce we wouldn't have many companies require webhosting) by changing the end user's perception (well trying to anwyay) about what that yellow padlock means, hence confusing them and effectively turning them off?
You are right, incorporating a certification authority in a country where the government has legal access to commercial encryption keys such as the UK is insane.
Of course other countries such as Singapore, Russia, and Malaysia suffer similar backward legislations; but then again I do not know of any CA based in those countries.

Originally posted by Marshall

You are right, incorporating a certification authority in a country where the government has legal access to commercial encryption keys such as the UK is insane.
Of course other countries such as Singapore, Russia, and Malaysia suffer similar backward legislations; but then again I do not know of any CA based in those countries.

Marshall, please post relevant post. I know we don't see eye to eye, but its not fair on others for you to come and post irrelevant stuff here. We are trying to discuss the issue of SSL (the yellow padlock), what this padlock mean to the user and future of this yellow padlock now that the perception of this padlock might change. We don't care which company is doing this or not doing it, all we care in this thread is our opinion about possible implication of changing the perception of what SSL (the yellow padlock) mean to end users.

You are more than welcome to post relevant information but please respect others by not posting irrelevant stuff.

Thank you for your understanding

Hosty

Sorry, I misunderstood Hosty. I saw "root key" in the thread title, and that's why I was discussing the Geotrust root key, and thought I was on-topic.

Anyway, I do have some thoughts on the future of SSL, but got to run now, so maybe I'll post about it later.

Originally posted by chrisb
Sorry, I misunderstood Hosty. I saw "root key" in the thread title, and that's why I was discussing the Geotrust root key, and thought I was on-topic.

Anyway, I do have some thoughts on the future of SSL, but got to run now, so maybe I'll post about it later.


look forward to it:)

Originally posted by hosty


Marshall, please post relevant post. I know we don't see eye to eye, but its not fair on others for you to come and post irrelevant stuff here. We are trying to discuss the issue of SSL (the yellow padlock), what this padlock mean to the user and future of this yellow padlock now that the perception of this padlock might change. We don't care which company is doing this or not doing it, all we care in this thread is our opinion about possible implication of changing the perception of what SSL (the yellow padlock) mean to end users.

You are more than welcome to post relevant information but please respect others by not posting irrelevant stuff.

Thank you for your understanding

Hosty
Educating the end user about the importance of the provider of the "yellow padlock" is crucial, don't you think?

But Geotrust/rackshack are issuing certificates without validating the companies. So to an end user they will see the yellow padlock and they will assume that whatever the company name is showing can be trusted, because they will assume the CA has validated them.


You're having this discussion on WHT which is prob the top 1% of web users/hosts in the world.

I highly doubt that an average webserver has any idea the process of obtaining a SSL cert and have no idea if they validate the organization.

I help admin some movie film related sites. Lots of people buy stuff off those sites (affiliate links etc). I'm going to post a poll there and see what the padlock means to them. I'll post a link once there are some replies.

Frank

Originally posted by Marshall

Educating the end user about the importance of the provider of the "yellow padlock" is crucial, don't you think?

of course this is also important but I would apreciate if you stick to the topic in this thread, alternatively you are more than welcome to start a thread about ssl suppliers in a different thread. You are again posting irrelevant information in this post. If you continue, i will have to ask the moderator to remove your irrelevant postings.

Please show some respect to people in this forum for once!

Thank you.

Hosty

Originally posted by ffeingol


You're having this discussion on WHT which is prob the top 1% of web users/hosts in the world.

I highly doubt that an average webserver has any idea the process of obtaining a SSL cert and have no idea if they validate the organization.

I help admin some movie film related sites. Lots of people buy stuff off those sites (affiliate links etc). I'm going to post a poll there and see what the padlock means to them. I'll post a link once there are some replies.

Frank

Wow! Thanks Frank!This is priceless. Much appreciate it. Look forward to your post.
just a quick thought: are you going to give them options to choose from? if so could I possible suggest the two elements:
1)Does padlock mean your information secure?
2)Does padlock mean the company you see can be trusted?

thanks
hosty

Originally posted by hosty


of course this is also important but I would apreciate if you stick to the topic in this thread, alternatively you are more than welcom to start a thread about ssl suppliers in a different thread. You are again posting irrelevant information in this post. If you continue, i will have to ask the moderator to remove your irrelevant postings.

Please show some respect to people in this forum for once!

Thank you.

Hosty
It's hard to stick to a topic that first starts by questioning Rackshack's ethics and slowly moves to who knows where.

Originally posted by Marshall

It's hard to stick to a topic that first starts by questioning Rackshack's ethics and slowly moves to who knows where.

I was not questioning RackShack's ethics but merely trying to establish how widespread this SSL practice of not validating companies is. Rackshack is a respectable company. I hope this now clarifies the issue and now you can let us carry on with our discussion in this thread or join us with relevant postings.

Thank you

Hosty

Originally posted by hosty


But have a look at https://www.deahost.com/ they claim they have got it from Rackshack and I know Rackshack are geotrust resellers, but freessl is a geotrust product as well.

So I would appreciate any feedback by looking at the certificates rackshack has issued to see who the root key is from. Maybe this would explain why Rackshack charge only $49 for their ssl, cos its not an equifax root?

hosty
If this is not questioning Rackshack's business ethics, I wonder what is.

Originally posted by Marshall

If this is not questioning Rackshack's business ethics, I wonder what is.

Marshall I explained my position once. I said I do not question Rackshack's ethics. You are entitled to your own interpretation and opinion.

Now can you please leave us to discuss our topic.

thanks

hosty

Originally posted by hosty


I was not questioning RackShack's ethics but merely trying to establish how widespread this SSL practice of not validating companies is.

Thank you

Hosty
You do not establish the above by first implying that Rackshack is reselling Freessl certificates.

Originally posted by Marshall

You do not establish the above by first implying that Rackshack is reselling Freessl certificates.

Marshall we know you are the CEO of Geotrust and because I cought you lying about your competition and exposed you in these forums your are pissed off. Understandable. But hey you should not try to build business based on deciet and lies. There are number of us who have been subject to your childish attitude and subject to your blatant deceit and lies.

you can find how I cought Geotrust and GeotrustCEO's (Marshall) lies and deceit and how I exposed them on this forum but here is one of the recent discussions:

http://www.webhostingtalk.com/showthread.php?postid=548958#post548958

Some excerpts from this discussions about the CEO of Geotrust made by Hilda from ePerfect.net:

"The attitude of the Geotrust CEO is alone sufficient to undo millions of dollars worth of marketing efforts. Should be a case study."

Marshall (Geotrust CEO) despite all this, you think you can come to these forums lie thru your teeth expect us to be stupid and say hey, what a great guy and we believe your lies and come and become your resellers:angry:

Look what you made me do, I came down to your level:angry: and I hate that.

I have answered your questions and yet you keep asking the same question. I explained what I meant, but you keep repeating your opinion. We read your opinion once and you don't have to repeat it. OK!!!

So now Marshall (Geotrust CEO), I am asking again please leave us to discuss the "future of SSL, its perception by users and how the changes in the SSL validation will effect this perception".

If for whatever reason you don't want this discussion to take place and trying to spoil the discussion then tell us why?

One Pissed Off Hosty

Anyone reading this (Especially Frank who has kindly volunteered to run an online poll regarding what SSL means to an end user please see my new thread (hopefully minus Marshall (Geotrust CEO) ), I am starting a new thread
:angry:

We have now moved to a new thread called:

Future of SSL, its perception by users and how this will change?

See you guys there;)

Hosty

Originally posted by hosty


Marshall we know you are the CEO of Geotrust ...........

I think it's about time you cured the habit of falsely accusing anyone who does not agree with you, don't you?

Originally posted by chrisb
Geotrust != Equifax. They may be the same company, but the certificates are not the same as they were when they were Equifax. When they were Equifax, their certificates used a Thawte root certificate for great compatibility. They no longer use a Thawte root and not nearly as compatible as they were when they were Equifax. So, if you have Geotrust, please don't say you have an Equifax certificate. It's just not true.

Partially correct! The Geotrust QuickSSL is not the old Equifax eBusinessID cert that was used Thawte as its root, but The GeoTrust True BusinessID is that same cert and does use the Thawte root. Having said that, the True BusinessID cert is $229 a year.

Originally posted by hosty
We have now moved to a new thread called:

Future of SSL, its perception by users and how this will change?

See you guys there;)

Hosty
I believe data mining is not allowed on WHT, please do not break the forum rules.