Zachariah Mully wrote:
>
> Hello all-
> Finally received the quote from Verisign for 128-bit SSL certs for our
> website, and I was blown away, $1595/yr!
I'll sell you one for $1500 or for $1 if you like. They're both the same ;-\
<rant>
This is a rip-off because they got their certificates into Netscape/IE back when
it counted and no-one else bothered to do the same thing. It's the same monopoly
that they had on domain names and they've just got greedy.
When I needed to get a certificate, I looked up all the companies listed in my
Netscape browser. Most didn't exist anymore or weren't offering certificates.
The only two left were verisign and Thawte. Thawte was in South Africa and were
half
the price of Verisign. I wasn't sure how well a South African certificate would
stand up in a US court. Thawte then bungled by setting the expiration of their
certificates to be short enough that everyone with the current browsers of the
time
would not recognise Thawte certificates anymore. End of Thawte.
Eventually Verisign bought out Thawte. No more competition.
The webpage to get a certificate was an abomination a few years back. I can't
imagine
the dimwit who wrote it.
No-one has stepped in to be an alternate RootCA, and I can't imagine
why. I would expect EFF could do it, anyone could do it. You do need
a bit of money and have to setup secure machine(s), have some way of
keeping track of keys and making sure that the webbrowsers have them
pre-installed. It appears to be more than anyone else wants to do, even
with the price going through the roof at $1500 a pop.
The browser people could help here by making newly approved RootCA certificates
downloadable from the website for each browser, but it would appear that
all are colluding with Verisign.
As far as the website operation is concerned a self signed certificate
is just as good as one from Verisign. The only problem is when the user
gets the ominous message warning them that the signing authority of
this certificate is not recognised.
You could engage in a bit of user education here and tell them that Verisign's
signature is no better than yours.
Otherwise you're over a barrel that doesn't need to be there and no-one
has stepped forward to fix the situation.
</rant>
Joe
--
Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
contractor to the National Environmental Supercomputer Center,
mailto:mack.joseph@xxxxxxx ph# 919-541-0007, RTP, NC, USA
|