
If you are creating a Windows binary and expect a user to download it, you should be signing the binary. Period. It's not just IE that considers unsigned downloads suspect, many antivirus programs do as well. If you are proud of your work, sign it.
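An added example, not part of this thread: the first thing a defender (or a download page maintainer) can check is whether a Windows binary carries an Authenticode signature at all, which is recorded in the PE header's security data directory. The code below parses just that plumbing; it does not validate the PKCS#7 signature or certificate chain, which is a separate step done with signtool verify or Get-AuthenticodeSignature on Windows. The two sample PE images are constructed inline as test data and are not real binaries.

```python
import struct

SECURITY_DIRECTORY_INDEX = 4            # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # bCertificate holds DER PKCS#7 SignedData
WIN_CERT_REVISION_2_0 = 0x0200


def authenticode_status(data: bytes) -> dict:
    """Report whether a PE image embeds a WIN_CERTIFICATE (Authenticode) blob.

    Header-level presence check only: a True result means "something is
    attached", not "the signature is valid and trusted".
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"signed": False, "reason": "not a PE file (missing MZ header)"}
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"signed": False, "reason": "invalid PE signature"}
    coff = e_lfanew + 4
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:            # PE32: data directories start at offset 96
        dd_offset, n_rva_offset = 96, 92
    elif magic == 0x20B:          # PE32+: data directories start at offset 112
        dd_offset, n_rva_offset = 112, 108
    else:
        return {"signed": False, "reason": f"unknown optional header magic {magic:#x}"}
    (n_dirs,) = struct.unpack_from("<I", data, opt + n_rva_offset)
    needed = dd_offset + 8 * (SECURITY_DIRECTORY_INDEX + 1)
    if n_dirs <= SECURITY_DIRECTORY_INDEX or size_of_optional < needed:
        return {"signed": False, "reason": "no security data directory"}
    entry = opt + dd_offset + 8 * SECURITY_DIRECTORY_INDEX
    # Unlike other directories, the security entry holds a raw file offset, not an RVA.
    offset, size = struct.unpack_from("<II", data, entry)
    if offset == 0 or size == 0:
        return {"signed": False, "reason": "security directory is empty (unsigned)"}
    if size < 8 or offset + size > len(data):
        return {"signed": False, "reason": "security directory points outside the file"}
    length, revision, cert_type = struct.unpack_from("<IHH", data, offset)
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        return {"signed": False, "reason": f"unexpected certificate type {cert_type:#x}"}
    if length > size:
        return {"signed": False, "reason": "WIN_CERTIFICATE length exceeds directory size"}
    return {"signed": True,
            "reason": f"PKCS#7 SignedData blob, {length} bytes, revision {revision:#x}"}


def build_sample_pe(signed: bool) -> bytes:
    """Construct a minimal PE32+ image for testing (constructed data, not a real binary)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 112 + 8 * 16                       # PE32+ optional header, 16 directories
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)         # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)          # NumberOfRvaAndSizes
    blob = b""
    if signed:
        payload = b"\x30\x82" + b"\0" * 30        # stand-in for DER PKCS#7 SignedData
        blob = struct.pack("<IHH", 8 + len(payload), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + payload
        cert_offset = e_lfanew + 4 + 20 + opt_size   # table appended right after headers
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIRECTORY_INDEX,
                         cert_offset, len(blob))
    return dos + b"PE\0\0" + coff + bytes(opt) + blob


if __name__ == "__main__":
    for flag in (True, False):
        print(flag, authenticode_status(build_sample_pe(flag)))
```

On a real download the same function can be fed the file contents; a False result with reason "security directory is empty (unsigned)" is exactly the case the comment above is warning about, and a True result still needs a full signature and chain verification before the file is trusted.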


You forgot one step: "If you are proud of your work, then buy a certificate and sign your work"


Anyone have opinions on good SSL certificate providers or do you agree with the author's recommendation of http://startssl.com ?


They do what they say they do at a decent price. However, their web interface sucks. Absolutely and completely sucks.


This is one of those times I miss the upvote counter on HN. I think it's important for the makers of StartSSL to see just how many people agree with you that their interface completely sucks. Without the counter, it just seems like one person's opinion while I bet many people agree.


HN is not there for the marketing purposes of companies.


HN and all other web sites are there for whatever purposes their users wish to use it for, within the constraints of whatever actions are implemented on a site.

This is one of the things that infuriates me about StackOverflow and its army of article closing moderators. A real community will change its practices and perceptions over time according to the needs of the community. If you have a subset of people who decide what a site is for, forever and ever without change, then it's not a community, it's a cast. Or it's a system of castes.


So if the community (through an influx of new users) decides that the purpose of HN is to spread cat pictures and memes, you'll be cool with that?


No, I'd probably leave. Unless the cats were really interesting.


Welcome to how so many social sites died.


It wouldn't be HN anymore at that point.


This is true. Their prices are good but their web interface is horrible. I felt like I was driving something built in 1999.

That said, their customer service has been very good and very prompt.


Decent price?

It is at least 55 dollars too high.


It could be a bit cheaper, but I'd hope SSL certificate vendors would be putting some work into identity verification. You know, making sure the person with an @gmail.com e-mail is the right person to send the gmail.com SSL certificate to. That could mean manually checking scanned copies of legal documents, making some phone calls, maybe even faxing or sending some things by post. Look at all these requirements Mozilla have to include your CA certificate! http://www.mozilla.org/projects/security/certs/policy/Inclus...

$60 sounds a little high to me, but if you think you could do it for substantially less, why not set yourself up in competition with them?


Because I was commenting on the price for a dev certificate. There are already free SSL certificates for HTTPS that don't cost anything, or only 10 USD/year.


In that case, it is harder to provide. As far as I know, most SSL certificates just validate the domain name, while code signing certificates validate the developer/company identity.


I've been buying Comodo authenticode certs for years through KSoftware - http://codesigning.ksoftware.net/. The prices are much lower than buying directly through Comodo and the service is excellent.

If you're on Windows, one thing to keep in mind is to use IE or Firefox when buying the cert. After the purchase is approved, you need to navigate to the site in the same browser that you purchased it, and only IE and FF are supported.



I totally agree that maybe people shouldn't HAVE to buy certificates for their binaries. In that case you should be making moves towards eliminating that process; ignoring the fact that it's necessary in the current market and then being upset when you're missing 50% of your profits is a whole other story entirely.


Maybe I'm too proud of my work to give in to certificate blackmail??


That's nice, but you can't eat dignity. :P


But you can hold yourself to higher standards.

My family taught me to always do the right thing, which, most of the time, is neither the most convenient nor the most profitable.

It should be trivial to provide a free binary signing service that required some steps to prove the person (or website) is the person asking the binary to be signed (much like Google asks me to upload a file or setup a DNS record) and match the file signature to the URL of the download. Let's not forget every one who would rely on it already paid for a license of Windows.

Of course, this would probably kill download sites, but the internet would be better off without them anyway.


It's possible that the reason Authenticode doesn't work like this is legal rather than technical: it was deployed at a time when Microsoft was already subject to considerable regulatory scrutiny for a wide variety of alleged anticompetitive practices, so, independent of motivation and technical merits, scary warnings about third-party code not "certified" by Microsoft may have been legally ill-advised.


That's exactly my point. This is clearly an issue of business and not "pride", so the whole "pride" argument to shame someone into a business decision is really questionable.


Well, clearly it would be an issue of "pride" if you'd be too proud to cave in to "certificate blackmail" as you call it.


I read that as a response to the parent - "If you are proud of your work, sign it" - pointing out that "pride" could reasonably cut either way, so it's a spurious argument in the first place.


Hope you're proud enough to see 50% dropoff rates like this guy then.


True. Part of the problem was simply not knowing that signing was a thing that needed to be done.

It's obvious in hindsight, but since I hadn't released many Windows applications in the past, I didn't realize what I didn't know.


I've been a vocal supporter of the "don't worry about Internet Explorer" crowd. However, in this case if you have a Windows app that you want people to use, your target market is indeed Internet Explorer users.


Often it's what you don't know that you don't know that bites you in the ass. As long as you know that you don't know it you're on the right track.



