> Achmed's business plan is to sell a sufficiently large number of certificates as quickly as possible in order to become too big to fail (see "regulatory capture"), at which point most of the rest of this application will become irrelevant.
I can't say whether they're the "best" or not, but I've used NameCheap for everything and have been extremely happy with them. Plenty of options, very good cost.
The only time I didn't use them was a weird edge case recently where I needed a multi-domain certificate, and NameCheap did not support those, so I purchased direct from GeoTrust.
I had a similar issue where Firefox didn't like Namecheap's certs, but I started including the chain certificate as well and it worked great. Maybe something like that had the same effect in that case?
There is no real bad or insecure option. Just make sure the CA is supported by all the platforms / browsers you need and that the price is fair. Additionally, you may check that their revocation servers have a good internet connection, since browsers check these.
It is even totally unimportant if your provider is "insecure". If any of the commonly trusted CAs is hacked, it affects the security of your service just as much as if it were the CA you use.
Therefore I would go with StartSSL (https://www.startssl.com/). They are trusted on all important platforms, are free for one subdomain per domain and very cheap otherwise. You only pay for the verification of your identity; unlimited domains, wildcards etc. are included then. I haven't seen any cheaper one. You might get some competitive prices if you combine the use of single-subdomain ones through SNI, but I wouldn't prefer that over an inexpensive wildcard one.
What is the worst that can happen? If the revocation servers go down, the browser just shows a small warning symbol, but everything still works. If your CA gets hacked and untrusted in common browsers, you have to buy a cert somewhere else ... this is the risk of every CA and a new cert is just minutes away ...
There is no way to determine who is more secure against hacks etc. If they are trusted where you need them, they are all equal.
As others, I can't say they're the "best" but when I did a straw poll on Twitter a few years ago, I was recommended RapidSSL. I've used them on my own sites and for clients since then without any fuss (5 minutes and one automated call). They seem to be very one size fits all though, quick and easy, but nothing fancy like EV. (If anyone can help there actually, any recs for good but non-expensive EV providers?)
DigiCert.com is the CA that will give you the trust and assurance with the high verification standards that you would get with the Verisigns (Symantec) of the world, but with the start-up-like cool customer service and affordable price that customers today deserve.
The cheapest SSL options there ($20 and under) offer NO verification of the applicant of the certificate. Thus, you could be a scammer for all they care; as long as you control your site (even a phishing site) they'll give you the "domain validated" certificate.
Stick with either EV (green bar, extra assurance) or a high-assurance only shop like DigiCert, Symantec, Entrust, or GlobalSign. It'll also show your users you care about trust and identity assurance online.
> The cheapest SSL options there ($20 and under) offer NO verification of the applicant of the certificate.
Your logic is wrong here. It is totally unimportant which CA you use, as long as any commonly trusted CA just checks the domain ownership using a mail address. A man-in-the-middle could simply replace your cert with that one and the user gets no warning.
> Stick with either EV
Green/blue bars are a remarkable feature the user sees and might give trust. Those are already available for $200 for 2 years. But I'm not sure if a user would realize that a MITM attack has removed the color. He wouldn't get a warning as long as any valid cert is still used. See my response above.
> or a high-assurance only
If you need assurance, then yes. But a normal user doesn't care about that. And you should then also check the exact terms and conditions as well as other assurance services.
It doesn't matter in any way. In particular, it has no influence on security. A cert that works works. You might be interested in additional features like EV for the green/blue address bar or an assurance. But that's not the point.
In general, Verisign (http://www.verisign.com/) will be the most expensive and presumably the most widely supported, but there's no need to pay up for it when DigiCert will work just as well.
I get mine from Gandi.net, along with the domain. If you just need a single CN, it's free for the first year. Verification is automated and usually done within the hour.
The same RapidSSL certificate is $9.45 from Namecheap.
After having been a reseller for GeoTrust for years, lately I ended up buying all my certificates from Namecheap. The Namecheap end-user prices are even lower than my RapidSSL reseller prices...
http://swisssign.com/en might not be the cheapest option, but definitely has some extra cachet. They are really conservative and most of the approval process is manual, but the support staff is friendly.
What's a company that you wouldn't ever buy an SSL certificate from again? They all seem about the same to me and I don't think I have ever heard of a bad one.
Not in terms of security, but you likely get more trust from your visitors. It also might include some assurance thing you can use or advertise with. But I wouldn't say it has any bad influence if it's missing, as long as you aren't a payment provider or something like that.