
StartSSL.com offers free yearly simple SSL certificates, and are supported by all major browsers. If you want higher-grade, you'll have to pay. They're very open about wanting to provide free simple certificates for everyone.


What's the difference between a simple certificate and something higher-grade? What does the simple certificate lack that a higher grade certificate provides?


Extended verification certificates (EV; "actually verified") cause the browser bar to turn green. That will make people more likely to trust you.


Studies have shown that people don't know what the green bar actually means: http://en.wikipedia.org/wiki/Extended_Validation_Certificate...

IMHO an extremely overrated (and overpriced) feature, which imposes no extra security whatsoever.


Carl,

You are pointing to a study that was published in 2006. This means the actual data is at least 7 years old.

Can you find a more current example?


Exactly! In fact, the change to green, out of the ordinary lack of it, might make them think something is WRONG, not better.

These are users who also keep their browser sessions going forever and therefore session cookies never expire - thereby making what was supposed to make something more secure, exactly the opposite.


The free one also won't work with wildcard certs, and will only accept one hostname in the subjectAltName field. My domain is "grepular.com", but the certificate needs to contain "secure.grepular.com" for historical reasons. This means that when I use StartSSL, I can't include "www.grepular.com" in the cert, unless I pay for a cert.


Thanks for clarifying!

Will a free StartSSL certificate trigger an 'untrusted source' warning from the browser?

Also, will a free certificate be adequate for encrypting authentication data in a web API?


StartSSL is completely fine for those goals. Pretty much the only effect of an EV certificate is the green bar. (Which is easily worth $150/yr if you're doing millions in e-commerce, of course!)


By the way, I went ahead and got a free StartSSL certificate. So far it seems to work fine. Thanks again for your feedback.


Excellent - thank you!


Should be OK for a web API, but for an e-commerce site, you'll likely want a recognized CA.



That's disingenuous. You should be bundling your CA cert with your cert anyway, which would avoid that problem.


Neither the linked article nor any of the parent comments talk about certificate chaining, which seems to be what you're referring to.

Also, please check the definition of 'disingenuous', it's massively overused on Hacker News (often in a completely incorrect context).


jorangreef said "RE StartSSL..." then pointed to an article about the problems of SSL w.r.t. mobile apps. Since this is in reply to a very positive post about StartSSL, the obvious inference is that his linked article provides some evidence on why one wouldn't want to use StartSSL. But that's pure FUD, because the only mention of StartSSL in the whole article is that they close their connections, so two more TCP connections are required to authenticate the cert... but anyone worth their salt would be bundling in the CA cert anyway, obviating the need for those connections.

I don't know what your beef is with 'disingenuous,' but that's exactly what I meant.


OCSP isn't an optional step involved only if you don't present your CA's intermediary certificate, it's in addition to it. The whole point of it is "I have this guy with these legit looking credentials you issued, do you still stand by them?".

You can't work around that with chaining, it can only be disabled from client code, or by having the CA issue a cert that doesn't include an OCSP address (doubt any do this now, given the number of legit certs issued to attackers in the past 2 years).
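The three points argued over in this thread (a free cert that carries only one subjectAltName, a server that does or does not bundle its intermediate CA cert, and an OCSP responder URL that is present in the leaf regardless of bundling) can be reproduced offline with Go's standard library. The following is an added example, not code from the thread or from StartSSL: it builds a throwaway root, intermediate and leaf in memory and then verifies the leaf the way a client that trusts only the root would. All names, serials and URLs are constructed for the example (the OCSP and caIssuers URLs are placeholders), and the hostnames only echo the ones quoted above. Go's verifier does not follow the caIssuers URL to fetch a missing intermediate, so it behaves like a client that refuses the extra connections mentioned above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newTemplate builds a certificate template. Names and URLs are constructed for
// this example; the OCSP and caIssuers URLs are placeholders, not real endpoints.
func newTemplate(serial int64, cn string, isCA bool, dnsNames []string) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(90 * 24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		DNSNames:              dnsNames,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		// Authority Information Access: where a client would check revocation (OCSP)
		// and where it could fetch a missing intermediate (caIssuers).
		t.OCSPServer = []string{"http://ocsp.ca.example.test/"}
		t.IssuingCertificateURL = []string{"http://ca.example.test/intermediate.crt"}
	}
	return t
}

// issue signs tmpl with parentKey; when parent is nil the certificate is self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := key
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildPKI creates a throwaway root -> intermediate -> leaf hierarchy in memory.
// The leaf carries a single SAN, mirroring the free-tier limit described in the thread.
func BuildPKI() (root, inter, leaf *x509.Certificate) {
	root, rootKey := issue(newTemplate(1, "Example Root CA", true, nil), nil, nil)
	inter, interKey := issue(newTemplate(2, "Example Intermediate CA", true, nil), root, rootKey)
	leaf, _ = issue(newTemplate(3, "secure.grepular.com", false, []string{"secure.grepular.com"}), inter, interKey)
	return root, inter, leaf
}

// VerifyPresented checks what a client trusting only root makes of the certificates a
// server sends: the leaf first, then whatever intermediates the server bundled.
func VerifyPresented(root *x509.Certificate, hostname string, presented []*x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	for _, c := range presented[1:] {
		inters.AddCert(c)
	}
	_, err := presented[0].Verify(x509.VerifyOptions{DNSName: hostname, Roots: roots, Intermediates: inters})
	return err
}

// Outcome summarises the checks the thread argues about.
type Outcome struct {
	BareLeafOK  bool // leaf sent alone: chain incomplete
	BundledOK   bool // leaf + intermediate bundled: chain complete
	ExtraNameOK bool // bundled chain, but for a hostname absent from the SAN list
	HasOCSPURL  bool // the leaf names an OCSP responder whether or not it is bundled
}

func Run() Outcome {
	root, inter, leaf := BuildPKI()
	return Outcome{
		BareLeafOK:  VerifyPresented(root, "secure.grepular.com", []*x509.Certificate{leaf}) == nil,
		BundledOK:   VerifyPresented(root, "secure.grepular.com", []*x509.Certificate{leaf, inter}) == nil,
		ExtraNameOK: VerifyPresented(root, "www.grepular.com", []*x509.Certificate{leaf, inter}) == nil,
		HasOCSPURL:  len(leaf.OCSPServer) > 0,
	}
}

func main() {
	o := Run()
	fmt.Printf("leaf alone verifies:          %v\n", o.BareLeafOK)
	fmt.Printf("leaf+intermediate verifies:   %v\n", o.BundledOK)
	fmt.Printf("www.grepular.com accepted:    %v\n", o.ExtraNameOK)
	fmt.Printf("leaf names an OCSP responder: %v\n", o.HasOCSPURL)
}
```

Running it shows the bare leaf failing with an unknown-authority error, the bundled chain passing, the second hostname being rejected because it is not in the SAN list, and the OCSP URL still present in the leaf either way; bundling fixes the chain, not the revocation lookup.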


Some of those numbers don't look correct at all. For example I can't find any host name that takes longer than ~500ms to do DNS resolution over 3G. (That's almost worst case scenario, where everything except the TLD is uncached.)


Mike Belshe, the author of that post, is one of the developers of Chrome, as far as I know.


We use StartSSL-free on https://secure.fanboy.co.nz .. no issues with it :)





