> I remember to get that Thawte SSL, I had to create a letter with official Kenyon
> Hill LLC letterhead (what? ... I just used some Word template), then get it notarized
> at the bank, etc. It seemed like a load of BS to me. I wonder if they still make
> people do that.
That is usually an "Extended Validation" (EV) cert. You still have to do that if you want that level of "trust." You have to have this to get the "green bar" crap in browsers.
Or, actually, I guess, for you, it may have even just been an "Organization Validation" (OV) cert.
Basically, it goes:
Domain Validation (DV) -- encrypts the data between browser and server, but doesn't mean that it is "trusted".
Organization Validation (OV) -- the organization is verified in some way -- through government records and/or letterhead and such.
Extended Validation (EV) -- the Certificate Authority does specific "vetting" of the organization.
In my opinion, DV is fine for what most of us need. If we trust the domain (i.e. you feel comfortable with gametz.com knowing your data), then that's plenty.
If you're shopping online at some weird camera shop, then they better have an OV cert, at least.
The problem is -- you can't tell DV from OV in most browsers. And only some browsers even show the EV "green bar" stuff.
I think EV is just a way for companies like Symantec to sell more expensive certs like the "good old days."
You can get a DV cert for under $10 now. You can get an OV cert for under $40. EVs start at like $100 or so and go up.
> It seems all backward to me. Secure should be the default/free/built-in way to do
> everything. Having this layer of paid providers just discourages security and hurts
> everyone. They don't really do much as far as I can tell.
Agreed. I think this is the thinking behind Let's Encrypt -- to just get everyone using a cert to at least do end-to-end encryption.
> Even if I had an SSL cert from a very well-known authority, I'm not 100% sure it would
> work everywhere. Probably, right? But, I'm not sure.
If you had one that is in the root CA already, then I think it would work. Most buy from a Comodo reseller to get the best deal on those these days.
> It's also worth noting that I have a number of domains, so that can multiply the
> costs. Like, I have to do m.gametz.com, gametz.com, and www.gametz.com, then images.kenyonhill.com,
> and I have other sites I could/should do too...
Yes, that does hike it up. I think for a one-domain wildcard, you're looking at around $100/year -- with just a DV cert. And that wouldn't cover KenyonHill.
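Since browsers won't tell you DV from OV, the certificate itself will: CA/Browser Forum certificates carry a reserved policy OID for the validation tier (2.23.140.1.2.1 DV, 2.23.140.1.2.2 OV, 2.23.140.1.1 EV). The following is an added example, not code from this thread, that reads that OID with the `cryptography` library; the self-signed sample certs it builds are constructed for the demo, and the fallback on the subject's O field is a heuristic for older certs that only carry a CA-specific policy OID.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID, ExtensionOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

# CA/Browser Forum reserved certificate policy OIDs (Baseline Requirements / EV Guidelines).
CABF_POLICIES = {
    "2.23.140.1.1": "EV",
    "2.23.140.1.2.1": "DV",
    "2.23.140.1.2.2": "OV",
    "2.23.140.1.2.3": "IV",  # Individual Validation
}

def validation_level(cert: x509.Certificate) -> str:
    """Classify a leaf cert by its certificatePolicies OIDs.
    Fallback heuristic: an Organization in the subject but no CA/B OID is
    almost certainly OV (or EV) under a CA-specific policy OID; no Organization means DV."""
    try:
        policies = cert.extensions.get_extension_for_oid(ExtensionOID.CERTIFICATE_POLICIES).value
        for info in policies:
            level = CABF_POLICIES.get(info.policy_identifier.dotted_string)
            if level:
                return level
    except x509.ExtensionNotFound:
        pass
    has_org = bool(cert.subject.get_attributes_for_oid(NameOID.ORGANIZATION_NAME))
    return "OV (heuristic: subject has O, no CA/B policy OID)" if has_org else "DV (heuristic: no O)"

def make_sample_cert(common_name, org=None, policy_oid=None) -> x509.Certificate:
    """Constructed self-signed sample cert for the demo; not a CA-issued certificate."""
    key = ec.generate_private_key(ec.SECP256R1())
    attrs = [x509.NameAttribute(NameOID.COMMON_NAME, common_name)]
    if org:
        attrs.append(x509.NameAttribute(NameOID.ORGANIZATION_NAME, org))
    name = x509.Name(attrs)
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + timedelta(days=30))
               .add_extension(x509.SubjectAlternativeName([x509.DNSName(common_name)]), critical=False))
    if policy_oid:  # omit the extension entirely to exercise the heuristic path
        builder = builder.add_extension(x509.CertificatePolicies(
            [x509.PolicyInformation(x509.ObjectIdentifier(policy_oid), None)]), critical=False)
    return builder.sign(key, hashes.SHA256())

if __name__ == "__main__":
    for cn, org, oid in [("gametz.com", None, "2.23.140.1.2.1"),
                         ("shop.example", "Weird Camera Shop LLC", "2.23.140.1.2.2"),
                         ("bank.example", "Example Bank", "2.23.140.1.1"),
                         ("legacy.example", "Kenyon Hill LLC", None)]:
        print(f"{cn:16} -> {validation_level(make_sample_cert(cn, org, oid))}")
```

To run it against a live site, load the PEM you get from `openssl s_client` with `x509.load_pem_x509_certificate()` and pass it to `validation_level()`.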