Comment by 8_hours_ago

11 years ago

> If it's public static content, what is SSL protecting?

In this case, SSL protects against MITM attacks. If a customer goes to the unencrypted "example.com" site and gets a bunch of ads for porn, it will give the customer a negative impression of the company. All it would take is a few pitchfork-wielding high-profile twitter accounts to cause a PR nightmare. Even if the cause is a hacked coffee shop wireless access point, it may be hard to restore public opinion.

That scenario is a long-shot, but in my opinion, the potential negative consequences outweigh the time and energy required to set up SSL (especially since a basic SSL certificate is free).

> especially since a basic SSL certificate is free

From where? StartSSL only gives out free certs to individuals. For my company, they've actually required me to get organizational validation in the past, which wasn't cheap ($200, IIRC—$100 for the organizational validation, plus $100 for stage 2 personal validation, which also required me to upload images of my driver's license and passport).

  • That's interesting, it doesn't mention that on their website. I have only received a certificate from them as an individual, so I haven't encountered that limitation.

    Even so, I'd argue that $200 is a fairly cheap way to protect the integrity of your company.

  • Domain validated certs for websites are free, got one a couple of weeks ago for a site.

    • If it was for an organization, you only got the cert because they didn't catch it. For some reason, my account got flagged as high-risk, and every cert I request needs manual review. During one of those reviews, they rejected my cert request and told me that since it was for an organization, I needed organizational validation. This was for a standard certificate—not extended validation. I think they must've either visited the company website or checked whois.

      Their FAQ alludes to this, but doesn't really make it explicit:

      > The certificate is for my company, what shall I do?
      >
      > In the Class 1 settings (free), the only possible relationship between StartCom and the subscriber is with individuals, i.e. natural persons. StartCom has no relationship with the organization a subscriber may represent and acknowledges only the subscriber. All responsibilities according to the StartCom CA Policy are that of the subscriber personally, even in case he/she decides to obtain certification as an employee or representative of an organization.
      >
      > Organizations should perform Class 2 validation and an organization name may only appear in a digital certificate at Class 2 level and higher.

      http://www.startssl.com/?app=25#2