I’ve been wondering what the downsides are with StartCom’s free SSL certificates.
At the moment those seem to be:
- You can only renew them for 1 year – could be tedious if you
have lots of them. Windows XP users need to have installed at least Service Pack 2Apparently non-updated Windows XP works now! Just in time for its EOL.
to have the CA.- Blackberry and other RIM devices have no support. @startssl
says: “Correct RIM has no support so far (we understand that they
are working on it though).” - Reports of no support in an iPod Touch running iOS 3.x.
Useful SSL checkers:
A couple of points regarding the issue of XP support:
– The CA update is for the Windows natively supported CA’s. I may be wrong but I think that when it comes to browsing, this equates to IE. I believe (though I’m willing to be proven wrong) that Firefox, Chrome, etc all use their own inbuilt CA list, not the OS provided one.
– Users missing this CA update will also be missing more recent updates for other providers, such as Verisign. If you’re missing the current Verisign CA’s you’re probably fairly used to ignoring SSL errors anyway *grin*
I can’t comment on the Blackberry issue as mine has so many other issues I can’t use it for SSL at the minute full stop (ahem), they seem fine on iPhone though.
Thanks Lee. What version of iOS is the iPhone? (if that applies; don’t know anything about Apple products)
Mine is the current version, well as current as you can get on the ancient model I have (3G). Looking back at Apple docs I can see StartCom listed in the 2.x iOS release (July 2008).
It could be in 1.x too for all I know… I just can’t find the list of supported CAs for that release to check.
That SSL Labs analyser is handy. I recently put up webmail access, mainly for my Dad to connect in when he wasn’t at home, and used a pretty standard Apache 2 setup on the Ubuntu LTS (actually not the latest as I’ve still not upgrade my Bitfolk VPS!). After looking at the checker I was a bit disappointed to find myself on a C rating. However with quick look at ssl.conf and two lines added to the site configuration file I’m up on A grade.
I’ve been using StartCom for a while now, thankfully only with a few certificates to manage, and I seem to remember choosing them because they were the best option for having built in support in browsers (I’ve not tried devices, so only desktop). What I can’t remember is which clients didn’t have support, but I used certificates back to Windows 98 clients with Firefox and Thunderbird initially with Apache and Dovecot at the server end.
My main issue is them not supporting nested sub domains, so I use CA Cert for those, which are intranet sites so more controlled (I find it less hassle than a self signed cert).
Being a complete newbie to SSL certificates, I am a little confused. I have signed up from the startcom site – but then am at a loss as to how to actually get the free SSL certificate (Express Lane is not an option). There is no support to ask. I apologise for going off at a tangent to the main discussion, but would appreciate a little guidance.
Just found this blog entry while searching the StartSSL compatibility for RIM/Blackberry devices.
What you are saying about Windows XP is not true, I installed an old Windows XP without any Service Packs or even Updates in a VM especially to test StartSSL compatibility and my website using a free StartSSL cert worked without any issue in Internet Explorer 6.0.
You may want to correct this.
@Dingos,
Thanks, I’ve updated it.