Why no SSL for free users?

I was wondering why free users are losing support for SSL? Unfortunately, I need SSL and will have to look for a different service soon :(


rs on Thu 23 Apr, 2009

Floris is right.

To be honest, it's only $40/year for 2GB, which comes down to a measly $1.66/GB/month. Don't think there are any other providers that offer such a low rate for unlimited repositories and unlimited users. That's actually very, very cheap.

If you could point out a hoster that could match this, I’ll look into reevaluating the pricing plans.


rs on Thu 23 Apr, 2009

Right... I'm not going to go into an xp-dev.com vs service-xyz war, but if bitbucket/service-xyz is perfect for you, please do use it :) In fact, of all the hosted version control providers out there, bitbucket and github really do look awesome.

I’m not entirely sure whether xp-dev.com will have SSL for free packages in the future, but for the moment, SSL is a paid feature.


rs on Sat 25 Apr, 2009

OpenSVN's SSL certs are self-signed, xp-dev.com's is not (well, it was self-signed until a few days before the upgrade, when I purchased some good ol' SSL sugar :) ).

Getting proper good SSL certificates is really important especially for data transmitted over an open network like the internet.


rs on Sun 26 Apr, 2009

Wait a sec. The whole point of getting a proper trusted CA-signed certificate is that you don't have to check every self-signed certificate manually to ensure that the public key fingerprint is correct.

Moreover, it is virtually impossible for anyone to turn around and actually say that publishing public key fingerprints on the originating website and comparing them manually with the actual certificate is a trusted method of ensuring a self-signed certificate actually belongs to a domain. By virtue of the great internet we have, having a self-signed certificate is open to a whole line of security compromises (man in the middle, etc.).

At the point where you do add the self-signed certificate into your list of certificates, there's almost no way you can say with 100% certainty (or even a much lower degree of confidence) that the certificate can actually be trusted, and that the site offering the certificate is the originating site (is Bob really Bob? Is Sally really Sally?).

And that's why we have CAs. That's why we have a proper PKI on the internet. The whole thing behind X.509 certificates is a pyramid of trust.

So, yes, you can add a self-signed certificate into your certificate store, and trust it when you look at it the first time, but it's not better than not having any encryption at all. The net effect is exactly the same thing.

Let's take it from a different angle – code is really important to us developers. It's our lifeblood and it's our artwork. We are really proud of it and we really love to show it off. Some of us do make some money out of it, and some don't.

Isn't it odd that we wouldn't buy anything online from a site that has a self-signed certificate, but we're perfectly happy to store our code on an online space that has one? That doesn't make sense, considering the fact that credit card companies do usually have some form of protection for the holder against online fraud, whereas virtually each and every software vendor/SaaS provider's terms of use say this software/service comes with no guarantee. Which means that you're not covered with any protection. I find that very odd, and somewhat hypocritical.

So yeah, you can carry on using a self-signed certificate and trust it, but please, I am begging you, do not say that it's better than having no SSL certificate at all. If you do actually think that, please do pick up a book on cryptography and learn what PKIs are and how they work in the real world.

There's a real, practical reason for getting certificates signed by a trusted CA. If you do want to trust the internet with your code and data, then you should really only trust those with proper certificates. And I'm not just trying to sell xp-dev.com here – please do consult your security friends on the whole issue as well.

When I was thinking about the pricing plans, I thought that $40/year would be what a hobbyist coder (someone who's not really directly monetizing his code, but loves to experiment here and there for fun) would pay to ensure his artwork is stored securely. Consultants, freelancers, and others who can directly monetize their code would pay much more. Remember – look at the big picture – we're having all this discussion over $40/year, that's $3.33 a month, and you get awesome live backups and more space on top of it.

Now, on to CACert – I remember having a discussion with them back in the day when they first came about. I did think it was a fantastic venture and thought that the idea of having a free trusted CA was pretty neat. A couple of years later, I did dabble with cryptography and that's when I realised that the CACert model is really weak. And given it's been around for 6 years, even Firefox 3 (which is one of the most popular community-driven browsers out there) does not have it installed yet. That may change in the future, and I'll revisit the issue at that point. For now, CACert is just not good enough compared to a proper trusted CA. And who knows, by the time CACert actually ends up getting its credentials bumped up, things here might have moved on (new pricing plans, etc.) and make this whole discussion irrelevant anyway. :)
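As an added example, not code from this thread or from xp-dev.com: the Go program below (standard library only) builds in memory a private CA, a certificate for a hypothetical host svn.example.test issued by that CA, a self-signed certificate for the same host, and a second, unrelated self-signed certificate for that host standing in for what a man in the middle could present. It then runs the two checks the post above contrasts: chain validation against a trust store, and the manual fingerprint comparison. The host name, the CA name and all keys are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Host is a hypothetical server name used throughout the example; it is not a real host.
const Host = "svn.example.test"

// DemoPKI holds four certificates constructed for this example: a private CA, a leaf for
// Host issued by that CA, a self-signed leaf for Host, and an unrelated self-signed leaf
// for Host (the "impostor") representing what an on-path attacker could present.
type DemoPKI struct {
	CA, Signed, SelfSigned, Impostor *x509.Certificate
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mustCert signs tmpl with signer under parent; parent == tmpl yields a self-signed cert.
func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildDemoPKI generates fresh keys and certificates each time it is called.
func BuildDemoPKI() DemoPKI {
	now := time.Now()
	leaf := func(serial int64) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: Host},
			DNSNames:     []string{Host},
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.Add(24 * time.Hour),
			KeyUsage:     x509.KeyUsageDigitalSignature,
			ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}
	}
	caKey := mustKey()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca := mustCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	signedKey, selfKey, impostorKey := mustKey(), mustKey(), mustKey()
	selfTmpl, impostorTmpl := leaf(3), leaf(4)
	return DemoPKI{
		CA:         ca,
		Signed:     mustCert(leaf(2), ca, &signedKey.PublicKey, caKey),
		SelfSigned: mustCert(selfTmpl, selfTmpl, &selfKey.PublicKey, selfKey),
		Impostor:   mustCert(impostorTmpl, impostorTmpl, &impostorKey.PublicKey, impostorKey),
	}
}

// VerifyWithRoots is the check a browser or svn client performs: build a chain from cert
// to something in roots and confirm the certificate is valid for host. A nil error means
// the certificate is trusted for that name.
func VerifyWithRoots(cert *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Fingerprint is the SHA-256 of the DER certificate, the value a site would publish.
func Fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// PinMatches is the manual check the post describes: compare the presented certificate
// with a fingerprint obtained out of band. It is only as good as that out-of-band channel.
func PinMatches(cert *x509.Certificate, expected string) bool {
	return Fingerprint(cert) == expected
}

func main() {
	p := BuildDemoPKI()
	roots := x509.NewCertPool()
	roots.AddCert(p.CA)
	fmt.Println("CA-signed leaf vs CA roots:      ", VerifyWithRoots(p.Signed, roots, Host))
	fmt.Println("self-signed leaf vs CA roots:    ", VerifyWithRoots(p.SelfSigned, roots, Host))
	fmt.Println("impostor vs CA roots:            ", VerifyWithRoots(p.Impostor, roots, Host))
	pin := Fingerprint(p.SelfSigned)
	fmt.Println("pin matches genuine self-signed: ", PinMatches(p.SelfSigned, pin))
	fmt.Println("pin matches impostor:            ", PinMatches(p.Impostor, pin))
}
```

Run it with `go run`. The chain check rejects both self-signed certificates outright, because nothing in the trust store vouches for them, and accepts the CA-issued one. Adding the genuine self-signed certificate to the pool makes it verify, but the client can only tell it apart from the impostor by a fingerprint it obtained some other way, which is exactly the manual step the post says does not scale.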


rs on Sun 26 Apr, 2009

@rlbond86 my reply was actually evaluating self-signed certs vs trusted CAs. Coming back to the original discussion, I see where you're coming from and I do think that's reasonable.

Let me have a think about it.


rs on Fri 08 May, 2009

@sprat – MITM attacks are not that impossible to do. A simple DNS cache poisoning would do the trick. It might be a little difficult for someone not very technical to implement, but it's actually doable for someone with the technical know-how and the intention to carry out the attack. Do remember that all security measures are not bulletproof. The only thing that anyone who wants a secure system can do is to ensure that the investment that an attacker needs to break it far outweighs the return on their investment.

I have been thinking about the free users quite a bit, and will try to follow up with a blog post in the next few weeks. But there's one thing that I need to know:

How much are you willing to pay for just SSL access?

I.e. how much is SSL worth to you?


rs on Mon 11 May, 2009

@paulo – my question was about value. Some look at value in terms of cost and money, others don't. The replies from @rlbond86 and @meneguzzi are quite clear – they do attach a monetary value to SSL, with their reasoning behind it.


rs on Mon 11 May, 2009

@daverayment ads are all there – are you using an ad blocker?
