Where to get an SSL certificate for personal website?

  • I would like to use https to log in to my personal webpage (which is on shared hosting). So I went over to Google and started searching for solutions. Eventually I found out that I need an SSL certificate to accomplish that (I thought it's all something that's automatically enabled for each website, don't ask me why).

    Then I went over to my hosting provider website and found out about the prices of these certificates... But I don't need something like that for my blog... I also found out that certificates can be self-signed, or obtained for free from certain certificate authorities.

    What I'm wondering is - how should I approach this?
    Since I'm the only one that's logging in there - should I generate my own certificate? Or get a free one from some CA? If yes - which CA? CAcert maybe? Will it all stay transparent this way, or will I start getting warnings about a custom and unverified certificate? Can I trust a solution like this?

    Does it even make sense to try and do something like this if I'm using shared hosting? I mean, from what I've read - this certificate would have to be installed on the server, and not just put somewhere in my hosting folder (as I thought it would work)... and the hosting provider won't do this for free I guess because it's kinda not in their interest (in any case I asked them, and am waiting for a reply)...

    Should I just drop it, or is there anything I can do on my own?

    Not quite duplicates, since this is a specific situation, but check out these questions for some more info: http://security.stackexchange.com/q/90/33 and http://security.stackexchange.com/q/146/33

  • jhulst (Correct answer)

    10 years ago

    I like using StartCom for a free certificate. Until mid-2016, it was recognized in most major browsers and is better than using a self-signed certificate (No error prompts for users).

    EDIT 2016: Major browser vendors like Mozilla, Apple, and Google have announced they (and their browsers) no longer trust StartCom as a certificate authority, due to recently uncovered sketchy behavior by the certificate authority (see links in vendors' names for their announcements of this and the reason why).

    Edit 2017: Let's Encrypt is now a great option for personal use and seems to be accepted even more widely than StartSSL was. The downside to Let's Encrypt is the relatively short validity of the certificate (3 months), but that is not overly burdensome if you are able to take advantage of the automatic renewal they offer through some of their tooling.

    +1 -- the only browser I have come across that did not support the certs from StartCom is the one on Android, though that appears to be fixed these days as well.

    I also like (and use) StartCom. The Sony Playstation3 web browser is the only browser I've come across that doesn't trust it.

    Java SE 6.0 doesn't trust StartCom certs either; I haven't checked 7.0, but I don't think anything changed.

    While I like the idea of free SSL certificates, we do need to keep in mind the limitations of these very-cheap validation protocols. They only validate control of the site at the time that the certificate is generated; they do not check with other CAs for previously issued certificates. A MITM attacker can act as your website while generating a new certificate they have a key for because the validator obviously won't use HTTPS to confirm ownership. If the attacker can sit in front of the CA, email and DNS verification can also be subverted.

    I downvoted because even though this answer offers a practical solution, it answers only a subset of all the justified things OP asked.
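
As an added example (not part of the original question, answer or comments): a Python check for the two things this thread turns on, whether a certificate is self-signed and how much of a short (3-month) validity window is left. The 30-day renewal threshold, the function names and both sample certificates are assumptions constructed for illustration.

```python
import socket
import ssl
import time

RENEW_BEFORE_DAYS = 30  # assumed renewal threshold, not a value from the page

# Constructed sample in the dict format returned by SSLSocket.getpeercert().
SAMPLE_CA_CERT = {
    "subject": ((("commonName", "blog.example"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 31 00:00:00 2024 GMT",  # 90-day validity
}
# Constructed self-signed variant: issuer and subject are the same name.
SAMPLE_SELF_SIGNED = dict(SAMPLE_CA_CERT, issuer=SAMPLE_CA_CERT["subject"])


def assess_cert(cert, now=None, renew_before_days=RENEW_BEFORE_DAYS):
    """Classify a getpeercert()-style dict by validity window and issuer."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((not_after - now) // 86400)
    if now < not_before:
        status = "not-yet-valid"
    elif now >= not_after:
        status = "expired"
    elif days_left < renew_before_days:
        status = "renew-now"
    else:
        status = "ok"
    return {
        "status": status,
        "days_left": days_left,
        "lifetime_days": round((not_after - not_before) / 86400),
        "self_signed": cert.get("issuer") == cert.get("subject"),
    }


def check_host(host, port=443, timeout=5.0):
    """Handshake with the system trust store, as a browser would."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return assess_cert(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        # Self-signed or otherwise untrusted: the case that triggers warnings.
        return {"status": "untrusted", "reason": exc.verify_message}
```

`check_host` needs network access to the site being checked; `assess_cert` runs offline on the constructed samples.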

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM