First off, if you already run an SSL-enabled server, update your SSL certificates immediately. You can use this tool to see if your site is vulnerable to HeartBleed, a serious issue in OpenSSL.
If you want to enable SSL for your web site or to spend less for your SSL certificates, read on.
There are three types of validation for SSL certificates.
1. Domain validation
You show you own the domain by responding to an email sent to your domain.
Issue time: minutes
2. Organization validation
You show you own the business through paperwork as well as performing the domain validation.
Issue time: a few days
3. Extended validation
You have to verify your organization’s legal name, physical address, phone number, your right to use the domain name and a bunch of other things.
Issue time: up to a week
The cheap SSL certificates are domain validated and support a single domain. You can use the links below to see prices for the more expensive wildcard SSL certificates, but I won’t be discussing them here. And if you’re just starting out, a cheap SSL certificate for a single domain will be fine.
SSL certificates aren’t all equal. They also serve a few purposes. The most basic feature is encrypting web traffic, but you should also consider browser recognition and the reputation of the issuing Certificate Authority (CA) (e.g. Thawte, GeoTrust, Verisign, etc.) Major CAs have good browser recognition (99%+) so the last factor to consider is their reputation. Comodo/PositiveSSL have had security breaches, which tarnishes their reputation.
Most of the sites below resell these cheap SSL certificates from different CAs. Oddly, you can get them much cheaper from the reseller than you can by going to the source. Take a look at SSL Shopper’s CA review page to get an overview of a CA’s reputation.
The prices below are all for 1 year. They’re often cheaper when you pay for multiple years.
GoGetSSL has the lowest price, but I haven’t used their service. The reviews I’ve read were favorable.
SSLs is the next cheapest, but again, I haven’t used them. Reviews I read were also positive.
Namecheap (RapidSSL) is the one I use and recommend. They’re not the only one to do this, but putting the www prefix (i.e. www.example.com) in the certificate’s common name makes the certificate work for both www.example.com and example.com. Ordering was quick and painless and their live support was knowledgeable and helpful.
Digicert is by no means the cheapest, but I’ve seen nothing but positive reviews raving about their customer support and how they have the highest acceptance rating. It seems like a good option if you’re going for the ultimate in SSL certificates and customer service.
StartSSL is free, but they have some restrictions. The first one is it’s not permitted to use it for commercial purposes. That’s often a deal breaker right there. Second, they charge $25 to reissue free certificates. To fully protect yourself from Heartbleed you needed to reissue your certificates.
Testing your installation
Lastly, once you’ve bought and installed your certificate, test it to make sure nothing is awry.
Here are four sites to test it, in order of thoroughness.
My $11/year Namecheap RapidSSL certificate got an A- on SSL Labs (for not supporting Forward Secrecy), 100% on Wormly and passed tests 3 and 4 with flying colors.
1. SSL Labs – The most thorough test I’ve found, but it takes a minute or two to run. Returns a letter grade.
2. Wormly – Also thorough. Takes a minute or two and rates the site with a percentage.
3. DigiCert – Runs quickly, just not as thorough.
4. BlueSSL – Also fast and easy.
The New York times has an entertaining test to see if you can spot the liar. I got 8/10 correct and found it easier to guess after only watching the first few seconds of the video. I wanted to watch one video again, but I couldn’t. I’m guessing that’s intentional, so make sure to pay attention.
The article related to the test is about airline security’s misplaced faith in body language. After having just flown last week, I felt like the process wasn’t as bad. Maybe the TSA has come to terms with their role as security theater.
If you’re one of the 30% of desktop users still running Windows XP, the countdown is nearly over. On April 8, 2014 (seven days from now) Microsoft, in their infinite wisdom, will no longer support Windows XP.
This means no more security updates from Microsoft and device manufacturers (i.e. cameras, phones, etc) may decide to stop creating drivers that work on Windows XP. In short, it’s the beginning of the end of XP.
My parents happen to be one of the 30% and I’ll tell you what I told my Mom when she asked about the warning dialog. You have three options:
1. Stick with XP and cross your fingers
It’s not likely that your computer will spontaneously combust on April 9th, but you are taking a risk. But that may be acceptable to you. If you follow good security practices while browsing and you don’t visit too many strange sites or download unknown attachments, you may be just fine.
2. Upgrade to Windows 7.
Amazon has Windows 7 for about $100. As long as your computer meets the requirements, installing Windows 7 is a great solution. I wouldn’t recommend upgrading to Windows 8. I have used it. It was difficult to use and I would be glad to never use it again.
3. Buy a new computer
If you don’t want to pay $100 for Windows 7, you could buy a new or used low end desktop for $200-$300 that comes with Windows 7. Depending on the age of your computer, this might be the best option. I’m surprised desktop vendors aren’t using this as an opportunity to offer discounts for people using XP.
An even more alarming statistic is the estimated 95% of ATMs running Windows XP. You may want to get some cash now, just in case hackers have a juicy exploit they’re waiting to unleash.
About three months ago someone suggested I create a video of how to set up Foobar2000.
Here it is:
If you have other things you’d like to see, sound off in the comments.
Every time I switch to a new cell phone I’ve had to disable 2-factor authentication on all my accounts in order to set them up on the new device. I just switched again and decided to make it easier. I had previously saved the secret keys for the various accounts in a secure location for just such a reason. You’ll need those keys for this solution to work.
The solution is a QR code generator.
Visit the page on your desktop and type the name, user and secret key, then point your mobile device at your monitor to scan the code into Google Authenticator (or whatever app you’re using to generate the six-digit codes).