I don't know if what your threat model is here, but if you believe the NSA can suborn any CA trusted by your user's browser, then the question of which CA you use is moot. (Modulo something like certificate pinning, which helps if your advertising company that runs an enormous popular mail service also happens to also develop a popular browser.)

Assuming that an adversary can get one suborned CA to sign a certificate for your domain, the adversary can use that certificate to MITM first connections to your site without causing any sort of warning message within the browser. They can then both sniff and alter messages going in either direction, including e.g. stealing credentials, cookies, and what have you.

It should be noted that certificate pinning is only effective if you can trust the origin of the certificate at the time it is pinned. Imho google is only pushing for something like this because of the Iran incident[0] where a hacker (possibly the Iranian government) coerced a Dutch CA into providing a compromised certificate for gmail. It won't do much for stopping the US government who is already in a position to coerce CAs before pinning is implemented.

0: http://www.computerworld.com/s/article/9219731/Hackers_spied....

With the current implementation of SSL, there really is no point in picking one CA over another for security purposes (unless you don't trust a CA with billing, etc. data). In the typical use case of a web browser, any trusted (root) CA can sign certificates for any Common Name/domain - so any government or private entity that can influence a commonly trusted CA can get a valid certificate for any site - irregardless of which CA you chose to trust.

Furthermore, if done properly, your CA will never handle any of your (private) key material, so the CA itself has no special privilege with respect to the communications you sign with the private key, so there is also no reason to pick one here.

The only cryptographic thing they can do right or wrong is to allow easy and hassle free revocation of your certificate in case of a key compromise.. The main factors I would consider in picking a CA are pricing, customer service, acceptance and whether they are recognized as 'extended validation'.

As I see it - until there's broad support for Certificate Pinning, your users browsers are going to trust all 700-ish CA Root certs that Chrome/Firefox/Safari/IE(/and others) ship with, so your choice of CA doesn't stop Mallory from creating a plausible SSL cert for your domain with her choice of compromised CAs, and have your users believe she's you no matter which CA you carefully chose.

Having said that - if you're being diligent, make sure you generate your own public/private keypair and only send the CSR to the CA to sign your public key.

I noticed recently that StartSSL, although they'll happily accept a CSR, also offer to generate your key pair and give you the private (and public) key. While I understand their desire to make acquiring an SSL cert as easy as possible even for non-technical people (especially since they'll give you a cert for free, so minimising support is clearly critical to their business), the idea of having my private key come from something other than a machine I trust that's completely under my control seems very wrong.

It sounds a bit as if you were worried your CA could hand out your key to the NSA. That's not how SSL works. CAs only certify the validity of your public key. Your private key never leaves your machine. If you are looking for a vendor that supports your cause, take a look at Namecheap: https://www.namecheap.com/ssl-certificates

Yes, Namecheap has been socially responsible and somewhat of a rebel. They're one of the few big name companies that joined the Stop Watching Us [1] initiative. None of the PRISM companies have, as far as I know.

https://stopwatching.us/

You can't trust any. Centralized certificate authorities are a weakness. We need to get distributed trust system like a Bitcoin of CA.

RFC 6698:

>The DNS-Based Authentication of Named Entities (DANE)

> Transport Layer Security (TLS) Protocol: TLSA

https://tools.ietf.org/html/rfc6698

DANE. The proposal where the DNS becomes the new CA, so the United States Government can be the root of all CAs.

Good plan.

Honest Achmed's Used Cars and Certificates: https://bugzilla.mozilla.org/show_bug.cgi?id=647959

If you're paranoid, learn the OpenSSL command line, make a self-signed CA cert, and have your clients trust your cert and distrust all other CA's.

Of course, this only applies if you have control of your clients, and those clients are only going to be accessing your server.

If you want the general public to be able to access your site through a normally configured web browser, this setup is quite unworkable; but the other commenters in this thread have some advice.

As others have said, browsers trust a cert from any CA. I'd suggest you also sign your cert with PGP via monkeysphere. Then people who have and use the firefox extension will know if any funny business happens. (Granted this will be a tiny percentage of your users - but it's also the most paranoid ones).

My approach may be silly. But 2 guys who know way more about SSL than me, Ivan Ristic (SSLLabs, Qualys) and Moxie Marlinspike appear to use StartCom and Gandi.

But also see cowchases message - I'd probably use NameCheap myself if after a wild card certificate, but for the free certificates at StartCom have served me well.

> trustworthy

For all practical intents and purposes, they are all the same.

> technically competent

Likewise here.

There is no point - the browser SSL model is as b strong add the weakest link and the CA certs are sold on the open market.