
FYI, these do not allow you to specify a wildcard and SSL-protect your subdomains.



Why would a $5 certificate allow wildcards?


You're right that issued wildcard certs are typically quite expensive, starting around $100/yr.

But a wildcard is not difficult for anyone to implement; it is literally just adding an asterisk to the host name in the cert.

Nothing beats the profit margins of the SSL industry.


Heh, compared to prices back in the day (2000~) the current prices are extremely competitive.

I remember breaking a piggy bank to secure a single domain back then, it was around $99+.

Then dropped to $49.99 and now it's $9.99.


The SSL industry is so broken...


Depends on which side you are ;) I agree though, it's totally broken, but not only the industry, the whole SSL system is broken.


A few years ago you might also have asked why anyone would give out $5 certificates. It's not any more work on their part; it's an extra parameter sent to their certificate generator.


It's not even an extra parameter, it's just the wildcard domain prefix .* within the DN to set. Wildcard SSL certs are THE rip-off...
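The thread is right that a wildcard is "just an asterisk", but the asterisk only does something because clients apply specific matching rules to it. The following is an added illustration (not code from the thread) of the RFC 6125 hostname-matching rules a TLS client applies: the wildcard must be the whole left-most label, it matches exactly one label, and it never covers the bare domain. The two certificate dictionaries are constructed sample data shaped like Python's `ssl.SSLSocket.getpeercert()` output.

```python
"""Certificate name matching with the RFC 6125 one-level wildcard rule.
Added example; the certificate dicts below are constructed sample data."""


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name (optionally starting with '*.') against a
    hostname. Rules: case-insensitive; the wildcard must be the entire
    left-most label; it matches exactly one label; no '*.tld' patterns."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False          # '*' must be the whole left-most label
    if len(p_labels) < 3:
        return False          # refuse overly broad patterns such as '*.com'
    if len(h_labels) != len(p_labels):
        return False          # one label only: no bare domain, no deeper subdomains
    return h_labels[1:] == p_labels[1:]


def cert_covers(hostname: str, cert: dict) -> bool:
    """True if any dNSName SAN (or, for legacy certs without SANs, the CN)
    matches the hostname. Modern clients ignore the CN when SANs exist."""
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return any(name_matches(n, hostname) for n in names)


# Constructed sample certs: a cheap single-name cert and a wildcard cert.
SINGLE_NAME_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"),),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}

if __name__ == "__main__":
    for host in ("www.example.com", "api.example.com", "example.com", "a.b.example.com"):
        print(f"{host:18} single={cert_covers(host, SINGLE_NAME_CERT)!s:5} "
              f"wildcard={cert_covers(host, WILDCARD_CERT)}")
```

Note the two results people usually trip over: `*.example.com` does not cover `example.com` itself (issuers normally add a second SAN for the bare name), and it does not cover `a.b.example.com`, so a wildcard cert is one level of subdomains, not "all of them".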


Rip-off? Bah! That's nothing compared to Microsoft's SQL Server! With SSL, you have to add the asterisk for more functionality. It takes a bit more work and they charge you 10x the price.

With SQL Server, you can get the Express Edition for $0 or the Enterprise Edition for $thousands. But to build the Enterprise Edition, they actually compile it from the same source code without some #defines that enable various Express Edition data size limits.

They do less work yet charge you infinity times the price. Now that's a ripoff!


Given that almost all clients support SNI (https://en.wikipedia.org/wiki/Server_Name_Indication) nowadays, there's not really a need anymore for wildcard certificates (if all you want to do is enable a few subdomains).


Unfortunately, Android 2.3 phones are still sold in big quantities, and don't support SNI.

Maybe you can just ignore them, or maybe you can't. Anyway, it's not a no-brainer.


Working at a previous employer a few months ago, their McAfee Web Gateway didn't support SNI either. Sites that depended on it were blocked due to a server name mismatch.


With SNI do you still need one certificate for each subdomain?


Yes. SNI just allows you to have multiple SSL certificates per server IP address.


I have multiple vhosts per IP with nginx and SSL. Does it use SNI and does that mean that some older browsers could have problems accessing it?


Yes to both questions (under the assumption that those vhosts use different SSL certificates).


Thanks!
