I've used StartSSL in the past. I will never do so again.
Yes, the certs are free, and yes, they work in all common browsers. But the process of obtaining them is a horror of Lovecraftian proportions. I'll happily pay a few dollars to Namecheap to be able to avoid the nightmare that is StartSSL's UI.
Not my experience at all. It's easy and straightforward (really takes less than 10 mins). I have a bunch of startSSL certs in use. Before I started using startSSL certs I used Thawte certs.
Dealing with Thawte was HORRIBLE, these guys are extremely pushy (their sales reps repeatedly called me at home to 'convince' me I really should renew my certificates with them and wouldn't take no for an answer). Contrast that with startSSL where I had some questions and Eddy Nigg personally replied within minutes.
In summary, I highly recommend giving startSSL a shot.
This hasn't been my experience. Their web site is ugly and lame but once you're logged in it's about a 3-step process to apply for the cert. Both times I was emailed within 10 minutes that my cert was ready, and it works fine.
I second this experience, and "Lovecraftian" is indeed an excellent way to describe it. It's not just that the process was difficult, it's that my confidence dwindled through every strange and baffling step.
Be aware though that GeoTrust and Thawte certs don't work[1] on android devices. There are claims that it can be fixed by adding a cross-root cert[2] but for me that didn't work out.
More generally: If you need to support mobile devices then read your CA's compatibility list closely (if you can find it...) and test, test, test. You'd think this shouldn't be an issue anymore in 2012, but it sadly still is.
And that's the "good"/trusted CA. I'm not sure when they made the switch, but I only got this cert issued a couple of months ago.
FWIW, we also support Docomo phones, and that is a huge pain in the ass. The only CA that works there is:
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
If you don't need to support really old mobile devices, the best certs going are, IMHO, Digicert. They get chained all the way back to Entrust:
1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
i:/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
And the company has some of the best customer service going anywhere.
I have a Comodo certificate purchased through cheapssl.com.
There is one problem: some older android 2.3 phones don't recognize it as valid and refuse to download any non-html data files.
Can you extrapolate on what you mean by feasibility, I use positive SSL on a few domains it works fine with no issues and isn't that hard to setup (basically you just need to be able to receive email on your domain).
I find their service excellent. The website doesn't have the latest hip look, but the service is solid, and they are very responsive and helpful in case you run into an issue. For a free service, that's impressive.
The only complication is the fact that they use client side SSL certificates for authentication. I don't know of any other site which does this. Although I like that they're dog fooding, it probably would have been better if they'd stuck with a traditional username/password/cookie scheme for logging in, from a business/usability perspective.
It confused me a lot because I used to have an old username/password account with them and when I tried to sign in and got a very generic SSL error from Firefox.
That said, once I registered with a new account, the client certificate worked great.
We tried them but had to change to a different vendor because the Blackberries didn't recognize their certificates and they had no plans to rectify that. We don't have much BB traffic, but didn't want to exclude BB users just because we wanted to be cheap.
I disagree also. Their process is fine with me and very quick. I haven't had to contact them in a while, but when I did, got fast, intelligent response. StartCom/StartSSL is a breath of fresh air.
Yes, the certs are free, and yes, they work in all common browsers. But the process of obtaining them is a horror of Lovecraftian proportions. I'll happily pay a few dollars to Namecheap to be able to avoid the nightmare that is StartSSL's UI.