Drupal.org uses a wildcard SSL certificate that was purchased from a subsidiary company of GoDaddy's, Starfield Technologies. GoDaddy's stance a few days ago was that they support SOPA and Protect-IP. Now they no longer support SOPA and may potentially back off Protect-IP as well. However, the fact that they were the only Internet company supporting SOPA shows a disconnect between their values and ours. We stand for a free and open Internet and GoDaddy has taken a very opposite stance in regards to SOPA. Even when backing off their SOPA stance they left the door open to support it in the future. As an Open Source project I find it unnerving that we inadvertently supported a company that supports such devastating legislation.

I purchased the wildcard certificate from GoDaddy (Starfield) a while back and I unfortunately made a poor choice in selecting the company. For this I apologize to our community.

This move away from GoDaddy is purely symbolic and not a form of economic boycott.

The wildcard certificate was purchased for $500 and began on 10/17/2010 and will expire 10/12/2015. To the best of my knowledge, we cannot receive a refund for the remaining portion of the certificate. Purchasing a new certificate will cost ~$100/year. In short, to switch from GoDaddy it will cost $400 to purchase a replacement certificate with a similar expiration date.

This is a costly form of symbolism; our switch will have no economic impact on GoDaddy until 2015 (when we will not renew). However, $400 to make the switch and demonstrate that SOPA is an absolutely devastating piece of legislation is a justified expenditure. We stand for a free and open Internet and we must make it clear that we will only support companies that use their resources to protect the Internet and continue to make it a place for unbridled innovation and freedom.

We should purchase a new SSL certificate from a company that has a track record of supporting a free and open Internet.

Comments

drumm’s picture

Title: Move away from GoDaddy » Move SSL certificate away from GoDaddy

webchick’s picture

NameCheap.com is running a promo right now where they're donating $1 to EFF for every domain transferred away. This is to a large extent just opportunistic marketing at GoDaddy's expense, of course, but OTOH it's evidence of a company that "gets" the right side of SOPA.

They offer SSL certs at http://www.namecheap.com/ssl-certificates/comodo.aspx, looks like they're a partner of http://www.comodo.com/.

+1 for not doing business with GoDaddy, though. As if the sexist ads and hunting of endangered species weren't enough reason, this latest move definitely takes the cake. :)

webchick’s picture

Heh, actually. Speaking of EFF, if you go to https://69.50.232.52/, you'll see that they're using http://www.startssl.com/ so that might be worth checking out too. :)

gerhard killesreiter’s picture

http://www.theregister.co.uk/2011/03/30/comodo_gate_latest/

Don't think we want a Comodo SSL cert either.

willvincent’s picture

thawte.com

Crell’s picture

I rarely deal with SSL CAs directly so don't have a strong opinion. However, I do want to go on record as considering this move an absolutely appropriate use of DA funds. jredding++.

I don't know if Pair Networks offers SSL certs for sites not hosted with them. However, I've used Pair as a web host for over a decade and they're very well-behaved, including offering free mirroring for a number of open source projects, including Debian, Gentoo, and PHP itself. I'd be comfortable directing business to them: http://www.pair.com/services/e-commerce/pairssl/

neclimdul’s picture

Thawte provided free certificates to kernel.org and at one point provided free certificates to approved open source projects. It seems worth contacting them. Our friends at OSUOSL might know more about this.

steve.colson’s picture

I have been a big fan of rapidssl.com for some time. They aren't overpriced, are pretty easy to work with, and have pretty good browser coverage.

jredding’s picture

We received an offer to switch our wildcard cert to any of the following:
RapidSSL Wildcard
PositiveSSL Wildcard
EssentialSSL Wildcard
PremiumSSL Wildcard
True BusinessID WildCard

At this point the decision is in the hands of the infrastructure team as security is our first and foremost concern. We can shop around or take this offer.

@neclimdul I've contacted Thawte, thanks for the tip.

mac_weber’s picture

Why not get rid of GoDaddy's link at http://drupal.org/hosting?

Drupal just DOES NOT WORK THERE on their shared host! A fresh install can take 30+ seconds to load, when not getting a 500 error. This link there just misleads newcomers to use something with Drupal that will simply not work.

greggles’s picture

@Mac_Weber - good point. I've redirected it to the folks involved with managing that page.

willvincent’s picture

Here's an article from Bloomberg about Thawte offering free certs to open source: http://www.bloomberg.com/apps/news?pid=newsarchive&sid=aS5Plr02f8Is (Note: the article is a couple years old.)

According to the news entry on the homepage of kernel.org, their cert was donated by Thawte in March of 2010, so likely Thawte is still willing to support the open source community. Here's the quote from Thawte associated with the news entry on Kernel.org:

"Thawte is proud of its open source lineage. Providing free certificates to community projects is just a small way of not only supporting the community but returning the favor. Please spread the word."

Not to get too far off topic, but on the note of hosts that just don't work well for Drupal, 1and1 should probably be removed as well, or at least have an asterisk. My experience with them was awful. Their shared hosting defaulted to PHP 4, and required some .htaccess changes to make use of PHP 5. I think it was an older version of 5 as well, and their servers don't have mod_deflate enabled either, so in order to serve gzipped stylesheets and such I had to run everything through a separate PHP pre-processing script. That made things painfully slow. To top all of that off, when I initiated a domain transfer away from them (without cancelling my hosting) they deleted my email account automatically, so I lost months of correspondence and they had nothing in place to allow me to recover any of it. Obviously Drupal does best in an environment other than shared hosting; it might be worthwhile to make a note to that effect more prominent on that hosting page.

webchick’s picture

It sounds like we're probably going with NameCheap, but in the interest of completeness (in case others stumble across this post and are curious), here's what people said in a totally non-scientific polling of whichever of 6,927 Drupal-interested people (+however many this was RTed to) were online at mid-day on a random Tuesday: :P

StartSSL - 3
namecheap - 3
hover.com - 3, they've offered to hook us up w/ SSL: https://twitter.com/#!/hover/status/151819252830183424
digicert - 2
thawte.com - 1 (also represented in this thread)
webfaction.com - 1
gandi.net - 1
CACert - 1

A couple of "more details" kind of posts:
Acheron further states: "I'm very happy w/ 100+ certs at @StartSSL for my university employer. Get org+ verified to support a truly open CA. still needs better enterprise-class tools tho: eg. support for multiple certmasters and viewing all certs by expiry."

njwringley says: "@sggrc recommends @digicert for decent SSL certs. Affordable with some neat features for free." Steve Gibson (sggrc) is a well-known security researcher.

greggles’s picture

"Not to get too far off topic,"

oops.

"but on the note of hosts that just don't work well for Drupal"

Please use the contact page.

cweagans’s picture

Namecheap is a wonderful company to work with, and I bet they'd hook us up with an SSL certificate if we ask nicely.

jredding’s picture

Just a note that nnewton is traveling for the holidays so we decided to hold off on the switch for a few days to give him time to catch up and chime in. Just to be clear: I or someone from the infrastructure team will do the purchase/transfer but nnewton, killes, or (I think) drumm will have to do the actual installation.

I think we are close to a decision though. Thanks everyone for the replies, it has been very helpful.

mac_weber’s picture

@greggles, you gave the link to contact the Drupal Association. Are you sure it is the correct contact to use regarding the hosts issue? Maybe we should open an issue topic here, no?

greggles’s picture

@Mac_weber - in the sidebar of http://drupal.org/hosting you will see a link to the drupal.org advertising policy for hosts which is run by the Drupal Association. I am certain that the right way to handle it is via the Association. In fact, GoDaddy is removed from that page now due to concerns about their ability to host a typical Drupal site and concerns about the configuration of their server.

David_Rothstein’s picture

"This is a costly form of symbolism; our switch will have no economic impact on GoDaddy until 2015 (when we will not renew). However, $400 to make the switch and demonstrate that SOPA is an absolutely devastating piece of legislation is a justified expenditure. We stand for a free and open Internet and we must make it clear that we will only support companies that use their resources to protect the Internet and continue to make it a place for unbridled innovation and freedom."

Agreed completely. The impact of this $400 would also be much greater if it were accompanied by some kind of post (e.g. on the Planet or the front page of drupal.org) explaining the move and the reasons behind it... That hasn't been mentioned here yet, but is the idea to do something like that after the switch is complete?

I noticed that WordPress came out semi-officially against SOPA a few days ago: http://wordpress.org/news/2012/01/help-stop-sopa-pipa/

It's also probably important not to focus too much on GoDaddy alone. Yes, they are evil, but they did at least stop supporting SOPA eventually, whereas there are plenty of other companies (some with strong Drupal ties) that are still supporting it. If the idea really is, as you wrote, "we must make it clear that we will only support companies that use their resources to protect the Internet" it might require a little more thought. Perhaps it's the case that drupal.org doesn't directly 'support' any of the others, though.

webchick’s picture

Yeah, I think the difference is that while there are companies on the SOPA supporters list who use Drupal and benefit from code on Drupal.org, that's just part of being an open source project. We don't place any restrictions on who can and can't use our software, and I think that's just as it should be. (Also, there's just something lovely and beautiful with the world when Sony ends up paying for features that help benefit EFF.org. :D)

However, with Drupal.org's SSL certificate, the Drupal community, effectively, is paying for this because it comes from the Drupal Association's funds, which are funded by DrupalCons, donations, etc. Here I think it's more important for us to make a stand, symbolic or otherwise.

cweagans’s picture

Why not just decide now that we won't renew the certificate with GoDaddy, and instead will switch when the certificate is closer to expiring? SOPA is evil, but there's lots of stuff that could be done with $400.

webchick’s picture

I'm pretty sure the new SSL cert isn't going to cost nearly that much. It might even be free; not sure what deal got worked out. It's more that we wouldn't be leveraging the full use of that $400 that the community already paid for, by cutting our relationship with GoDaddy early.

jredding’s picture

Just following up on this issue. The cost of the certificate was less than $400 and we also moved over two domain names. I can't state the exact amount but the Drupal community received a significant discount on the certificate and namecheap worked with us on a few other items that made it a great deal. So we were able to sever our ties with GoDaddy, move to a better registrar, and save cash in doing so.

nnewton’s picture

Assigned: jredding » nnewton
Status: Active » Fixed

I'm taking and closing this issue.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

cweagans’s picture

Ironic spam is ironic.

Component: Webserver » Servers

greggles’s picture

Reverting spam. Closing comments in an attempt to prevent future spam.