I'm using StartSSL just because I hadn't any excuses to answer the question "why not?" and they were the best looking (free, reasonably usable, trusted enough) option on the market.
They offer unlimited free certificates, so, naturally, I've issued one per service (they even encourage that with "web server"/"xmpp server" certificate distinction). I.e., a separate one for mail server, a separate one for HTTP server, a separate one for XMPP server and so on. Naturally, I expected that it's more likely for one service to break (i.e., say, for nginx to have some buffer overflow that'd allow extracting the keys) than all of them, like it was the case with Heartbleed.
That means, revocation would cost me not $25, but $600. Can't afford that.
Luckily, the most sensitive information I protect are my own emails, 99% of which are spam and service notifications.
Using NameCheap above instead would cost you $200/year, instead of $0/year + $600 for a black swan event. "Replace ALL your SSL certificate" events seem to happen less often than once every three years.
Wildcard certs cost $60/year, protect everything on one certificate with free reissues and revocation, and cheap rekeying (which was an option for Heartbleed recovery). I would rather pay the "SSL racket" (as StartSSL would put it) to get real service and help than use a free cert from them. StartSSL is permanently removed from all my truststores following Heartbleed.