So while I was putzing around with my SSL sites and getting some grief with mod_gnutls, I realized that my life really would be much easier with a valid wildcard SSL cert.
So naturally I went to StartSSL and went through the process for a Class 2 Validation. I had meant to do it for a long time and have been using their free Class 1 certificates for ages.
The process was easy and once I logged in, I uploaded some documentation and waited for the administrative work to complete. I used PayPal and shortly afterwards I received a phone call from Startcom. It was Eddy Nigg personally calling me to ask me the control questions.
I couldn’t help myself and I laughed out loud. I have been long admiring what he and his company have been doing with affordable SSL certs. I regard what other CAs charge as quite a successful scam and StartSSL’s efforts have been well on par with the other “Big names”.
So now I’m successfully validated, using a wildcard SSL cert for my entire domain, and I am officially a satisfied customer. I can’t recommend them enough.
Hi!
Thanks for your review on StartSSL. It seems more and more developers are switching to this company. I will follow your recommendation and tomorrow will start the validation process!
Regards
Hi Inigo,
I think you will be pleasantly surprised at how simple the process is. If you have any issues, just use StartSSL’s page and I’m sure they’ll help you out.
Hi Jan. I just got my Class 2 Validation approved! A truly amazing service. Thanks for the recommendation! Now applying for EV. Regards
I can see that you can admire their pricing strategy. Please be very careful, though, the information they require is very sensitive and they have a strongly flawed policy about this. It makes you wonder: do they have a second cash stream that they ‘forget to mention’?
My 2 cents:
For validation they require a scanned passport and drivers license. Information like this is very sensitive as it can easily be used for identity theft, for instance to acquire a loan in your name.
As a principle, I watermark these documents with the name of the company I supplied them to. They are still perfectly legible but this way, they can no longer be used for identity theft.
Startcom is unwilling to process these watermarked documents because they ‘could be forged’ (not because they were unreadable or anything like that). Imagine that. Any digital image I send ‘could be forged’, of course. Adding or not adding a watermark changes little on that account.
And where is the business case on their end? Why do they need (or even want) documents that can be used for Identity Theft? And why won’t they process documents that are clearly suited for their purpose of identification?
The only reasons I can think of is that they are either very naive in their security thinking or worse, that they have plans for your documents where the watermark would get in the way. Makes me wonder…
Also please take note that they have been hacked in the past (and admitted to that), so why trust them with your identity in this way?
http://www.theregister.co.uk/2011/06/21/startssl_security_breach/
Bas
Each of those is a good and pertinent question or statement, and there are also valid and legitimate replies.
However, I am currently traveling on a commuter train and can’t really get into a comprehensive reply.
The price is definitely a consideration for me, but I think I’ll invite StartSSL to possibly explain why their process is the way it is, as well as why maintaining those process standards is important.
I understand and agree with the reasoning and rationale for it and hope a good reply will be forthcoming.
Okay, I have time now.
Please be aware that I’m not a representative of StartSSL. I’m just another customer who happens to be a fan.
This is only my 2 cents too and you shouldn’t do business with anyone that you don’t want to. There are other CAs available and you do have many choices.
See, that’s a problem. You are intentionally altering the image from the original and that just invalidates it. It’s as if you are saying “I watermarked it, but trust me, that’s the only modification I made.”
Trust works both ways and if any certificate authority accepted that then frankly they would not be very good. It’s critical that they are able to validate who you are or they can’t issue you an extended certificate.
If the information was all that was required then you could just send them all the data on your drivers license in ASCII format.
That would not be useful and doesn’t provide any guarantee that you’re not enacting identity theft yourself.
Not at all, it actually means that they know what they are doing. If they just accepted certificate requests from anyone at face value then that would hurt their business.
As to attributing to them suspicious motives, that’s not the case. Identity theft comes from your information and not an image, watermarked or otherwise.
Yes. So has my bank. My bank has been hacked, they’ve lost customer data, and they’ve dealt with it. It happens.
How can I be nonchalant about that? Because I understand that while a security breach is a very bad thing what is more important is how the company responds once they’ve discovered the breach. I’m confident that they’ve dealt with the situation.
Jan, did you pay the additional fee to have the Class 2 Organization Validation? When I look at your cert, it’s in your website’s name, not your personal name.
I like the features of StartSSL, but from what I gather, the Class 2 certs will be in the individual’s name and not the website’s name unless they are for registered businesses, you are able to provide tax/registration info so StartCom can validate the business, and you pay for Organizational Validation. I own several domains but none of them are registered businesses, so does that mean my personal name will be displayed in the cert and not the websites’ names?
I want to give StartSSL a try but I do not want my personal name on the certs for anyone on the internet to see. The certs should be in the name of the website. I currently use GeoTrust Quick SSL Premium on all of my websites but since adding a couple more sub-domains, I can no longer afford to buy GeoTrust certs for all. The GeoTrust certs are in my websites’ names so my personal name does not show up anywhere.
Please clue me in
To be honest, in all the excitement I forgot! I did pay the fee, and the part that I’m concerned about is this in my SSL cert:

O=Jan Dembowski/CN=*.dembowski.net

That’s what I expected to see. You can check a web server’s SSL certificate with openssl s_client or (if you’re not CLI savvy) with the SSL Certificate Tester web page.
Head over to the StartSSL FAQ, they might have something that explains it better than I can.
I understand your concern, but part of any issued SSL certificate contains information to certify that there is a real person behind that certificate. That’s part of the standard, both encryption and authentication. In this case, the person the certificate was issued to.
If you’re concerned about it and really just want encryption, you can use a self-signed SSL certificate. That will cause error messages in your browser but if you accept and install the certificate then that should get rid of those messages.
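The openssl check mentioned in the comment above, written out as an added example (this is not code from the original post or its commenters). Because a live server can’t be assumed, the script generates a throwaway self-signed wildcard certificate for a hypothetical domain, `*.example.net`, with the constructed subject `O=Example Person/CN=*.example.net`, reads the Subject back the way you would for a real server, and adds a small hostname-versus-wildcard matcher so you can see which names a `*.domain` cert actually covers (the bare domain is not one of them). The `server_subject` function shows the real-server form of the command; everything else runs offline.

```shell
#!/bin/sh
# Added example, not part of the original post. Requires the openssl CLI.

# Real-server form of the check: fetch the leaf cert via SNI and print its Subject.
# (Not invoked below; hostname is a parameter you supply.)
server_subject() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -dates
}

# Constructed sample: a self-signed wildcard cert for the hypothetical domain
# example.net, so the rest of the script runs without network access.
make_sample_cert() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/O=Example Person/CN=*.example.net" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
  printf '%s\n' "$dir/cert.pem"
}

# The Subject line as openssl prints it by default (the "O=.../CN=..." string
# quoted in the comment above).
cert_subject() {
  openssl x509 -in "$1" -noout -subject
}

# Just the CN value, using RFC 2253 formatting so the parsing is stable across
# openssl versions ("subject=CN=*.example.net,O=Example Person").
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Does hostname $1 match certificate name $2 under the usual wildcard rule?
# A leading "*." matches exactly one DNS label: *.example.net covers
# www.example.net but neither example.net nor a.b.example.net.
host_matches_cn() {
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  pat=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$pat" in
    \*.*)
      suffix=${pat#\*.}
      rest=${host%".$suffix"}
      # Something must have been stripped, and what remains must be one label.
      if [ "$rest" != "$host" ] && [ -n "$rest" ] && [ "${rest#*.}" = "$rest" ]; then
        return 0
      fi
      return 1
      ;;
    *)
      [ "$host" = "$pat" ]
      ;;
  esac
}

# Stand-alone run: build the sample cert, show its Subject, test a few names.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
  cert=$(make_sample_cert)
  cert_subject "$cert"
  cn=$(cert_cn "$cert")
  for h in www.example.net example.net a.b.example.net www.example.org; do
    if host_matches_cn "$h" "$cn"; then
      echo "$h: covered by $cn"
    else
      echo "$h: NOT covered by $cn"
    fi
  done
fi
```

The wildcard matcher is the point worth remembering from the cert in the post: a certificate for `*.dembowski.net` covers `www.dembowski.net` and `mail.dembowski.net`, but a browser will not accept it for `dembowski.net` itself or for any name two labels deep, so a site served on the bare domain needs that name listed separately.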
Is dembowski.net registered as a business with tax records? Is that what you provided to StartCom as Organizational Verification? Is that why I see this: http://i.imgur.com/0Te8s.jpg Instead of this: http://i.imgur.com/pDkRU.jpg
This is where I’m confused, since I’m not a business owner. Let’s say I set up a social networking site or whatever and I want to have a cert in its name, but it’s not a registered business. According to the StartSSL site, I cannot get a cert in that domain’s name. This is not a problem with other cert providers, but they are way more expensive.
If a domain is not set up to bring in revenue, I would not want to go to the trouble of registering it as a business, which would most certainly make filing taxes more difficult. If I’m not mistaken, I would have to verify each domain (if it were a registered business) in order to get a StartSSL cert in each of their names.
Nope! Although my consulting company has a similar name, my domain is not registered as part of any business and is not on any tax records.
I verified using my personal details and documentation. I have no issue with my name being on the SSL certificate, so it’s not a problem for me.
That makes sense. Registering a business is a pain and why incur the expense if you don’t have to?
But I think rather than the two of us guessing, you may want to just contact StartSSL directly. They have an email as well as a New York number, this can probably get sorted out quickly.
I contacted them already, but their explanation was not clear at all. I guess English is not their first language. I’m not concerned that my name is tied to the cert or that anyone with the know-how can find my name. What I’m trying to determine is whether my name will be displayed (as in the second image) or the domain name will be displayed (as in the first image), since I do not have a registered business to verify.