StartCom certificate authority that hands out free SSL certificates, is no longer recognized by major browsers. I’ve got their certificate back in May 2016, and it worked fine, but in October 2016 StartCom became involved in some sort of scandal, and their new certificates are not trusted by Mozilla, Chrome and Apple.
The next best option I found is $5/year “PositiveSSL” certificate from Comodo, obtained via https://www.ssls.com. If you know how to create a CSR, it takes about 10 minutes to get a certificate, and it appears to work fine.
To be frank, the whole deal about SSL certificates is quite annoying. If you want an HTTPS web site, you need to get a domain name and a certificate. Domain names registrars are quite well regulated and the prices are uniform and stable: a regular domain costs $11-$15 a year, and it’s been on that level for a long time. On the other hand, the world of SSL certificates feels like Wild West and a big headache. In theory, Certificate Authorities are supposed to be the epitome of honesty and trust, but the reality is quite different.
The sin of StartCom was that it was bought by WoSign, that engaged in some questionable practices, like back-dating issued certificates to avoid SHA1 decommission deadline. Additionally, both StartCom and WoSign kept denying the fact of purchase, which finally led for their removal from the list of CAs by Mozilla and others.
Astonishingly, StartCom continues to sell SSL certificates, some for as high $200/year. Their web site does not mention the scandal, or the fact that their certificates won’t work on Chrome, Firefox or Safari. There is a half-assed message at the bottom of the web page declaring that “StartCom™ / StartSSL™ is supported by (Edge) (IE) (Android) (Microsoft Windows)“, but it is intentionally ambiguous. In fact, I initially interpreted it as “Edge/IE/Windows and Android are our sponsors” (whatever that might mean).
Regardless of StartCom story, it does not take much to obtain a fraudulent certificate: all you need is access to one of several e-mails associated with the domain: either email@example.com, or the one registered in whois. Of course, lack of checks makes obtaining a certificate quick and cheap, but it also dilutes trust in the system.
The price of the low-grade certificates varies greatly. The ssls.com web site, that sells certificates for $5/year is affiliated with namecheap.com. Namecheap.com sells exactly the same certificates for $9/year. The certificates are issued by neither ssls.com nor namecheap.com; they are issued by Comodo security authority. The cheapest certificate I could find on Comodo web site costs $77/year.
Such volatility, lack of transparency and great variation in prices is rarely a tell-tale sign of an honest business. And remember, once you switch your web site to HTTPS, there is no going back: you can redirect transparently from HTTP to HTTPS, but redirect in the opposite direction won’t happen unless you have a valid SSL certificate. If your certificate is broken, the users will see “your connection is not secure” page, before the redirect to HTTP would get a chance to kick in. If your web site is HTTPS, you will have to renew your certificate, or lose your customers/audience. If certificate prices went up, too bad, you will have to pay up or suffer the consequences.