Facebook app's SSL, and why are trusted SSL cert's not free?

[Guest]

[J2897]

I remember reading a thread on here a long time ago whereby Melih was pretty much laughing about SSL cert's signed by CA's, and then he explained how EV cert's were different. He was basically saying that any criminal can display a yellow padlock.

Question:
So my question is, why aren't trusted (by browsers) SSL cert's free?

The reason I ask is because I'm currently building a "Security Awareness" Facebook application in PHP which will show Facebook users exactly what data they may be putting at risk when they're about to install a Facebook application. So I need SSL for security, but I don't want to pay for security: I'm not asking for a freebie. I'm asking for general advise.

• I plan to host my Facebook applications on my local VMware ESXi server.
• The "Security Awareness" Facebook application data won't be stored in a database.
• Facebook are forcing app' developers to use SSL by 1st October this year.
• Self-signed cert's may not be sufficient.

I was going to post this on the Facebook forums. But I thought, "Maybe I should ask the experts?" 

If I have to pay for security, my Facebook application development attempt ends 1st October this year.

[J2897]

Very scary/interesting blog post: [ Link ]

Unfortunately: [ Link ]

It seems that, if you want security, you have to pay the rich; even if you're not a criminal.

[Sal Amander]

It seems that, if you want security, you have to pay the rich; even if you're not a criminal.

Someone has to pay the employees.  They don't work for free now.

[AyeAyeCaptain]

Someone has to pay the employees.  They don't work for free now.

Exactly, people who work for Comodo have family to feed, Comodo give enough away as it is for free and in turn doing so dedicate a lot of resources/money to the cause. You can't expect them to also offer the revenue side of the business for nothing surely?

Don't take offense OP, surely even you can understand this? 

[J2897]

any criminal can display a yellow padlock

As long as they pay the SSL bribe of course.

You should also be aware that I wasn't referring to EV certs. And nor was it me who mentioned Comodo staff. I meant all CAs who sign DVs autonomously.

Luckily, Facebook allows self-signed certs. So you can host your Facebook app's locally. Just tell your users to be aware that their browser may warn them that the site's not "trusted".

[J2897]

Watch from 2:05. The video has more dislikes than likes, yet everything he says about DVs is right (in my opinion)...
http://www.youtube.com/watch?v=MAi7xdCBgeE

[Melih]

Watch from 2:05. The video has more dislikes than likes, yet everything he says about DVs is right (in my opinion)...
http://www.youtube.com/watch?v=MAi7xdCBgeE

all the dislikes are most likely from our DV competitors

[J2897]

all the dislikes are most likely from our DV competitors

You could punish them by giving out DVs for free. 

This could also solve the DV problem. The general consensus would likely become that the "yellow padlock" just means that the connection is secure; and nothing more...

I think it would then be easier for IT people to explain the difference between DVs and EVs.

[Tags:]