In my country, the cost of an SSL certificate is around 60% of my hosting costs, per year. I run a low-traffic blog with comments disabled, so users do not "interact" with the site in any way - except consume the content. I don't see any benefit from this.
StartSSL is pretty harmful as evidenced by the events after Heartbleed. The certificates are free but they charge you to revoke them, and after we found out about Heartbleed and realized a lot of those free certs were compromised, a lot of people refused to pay up for their free keys and continued using the compromised ones. What's more, StartSSL refused to do the right thing and revoke them, leading a lot of folks to even go as far as petitioning to remove StartSSL from Firefox's Certificate Authorities because any given site using their free certs could be compromised. [0]
No, but if your SSL certificate has been exposed by Heartbleed, it would be sensible to revoke that certificate to prevent potential spoofing attacks, wouldn't it?
StartSSL charge you for revoking that exposed certificate, so your choices are you pay for the revocation, or wait until the certificate expires.
In their defence, their treatment of revocation requests is made quite plain in their policies, and any Heartbleed exposure was not their fault (their signing certs were not affected IIRC).
Now if there had been a problem with their signing certificates then I would have expected them to revoke anything affected for free and offer replacements similarly at no cost.
OK, they could have done that anyway (or perhaps offered a discount on the revoke charge) as a goodwill gesture, but they didn't, so what.
Leaving aside the question of whether their response was reasonable (I see the arguments either way), it turned out that using their service to secure your website was not free.
> it turned out that using their service to secure your website was not free
All they claim is to provide free certificates for non-commercial use, and that they do provide. If people read something else into that it isn't because they were deliberately led to.
Though many people picking up a cert without really knowing the infrastructure won't know about revocation infrastructure and such, so might have misled themselves by not having read the Ts&Cs.
Actually, what I think is... they're as near 'free' as it gets, probably. At least there's no up-front cost using them. Then it's a lottery as to when you need to pay them to revoke... It could still end up cheaper than paying yearly fees for other certs, I imagine... total cost of ownership or something...
You're right, so I fixed my post. What I meant was that my particular cert wasn't compromised. Either way, the StartSSL/Heartbleed fiasco is a real thing and I've added a link to the original discussion I was citing.
I see the benefits but I have to agree. This is a very real barrier to entry, and not just financially. Making SSL a global standard is just one more thing new web developers have to appreciate.
Free certificates tend to result in ugly warning messages in browsers …
Cheap certificates are available; however, they are still not free. And hosting more than one domain with SSL is a problem too with most hosting providers if you do not want to book additional hostings.
> Free certificates tend to result in ugly warning messages in browsers
StartSSL is free, and as long as you correctly bundle the intermediate cert (something you have to do with many, many other CAs anyway) your SSL will look no different than a $100+/year one from an A-list provider.