SSL Certificates


Destramic

Hey guys, I'm wanting to buy an SSL certificate for my server, so I can allow a secure connection for sensitive information.

 

now i've been looking at https://www.ssls.com...l-certificates/

 

and it looks a lot more complicated than I'd imagined, i.e. what certificate do I choose?... I know I want it for multi domains so that I can do it for register, login, logout etc.

 

But with so many options it's not so clear which one to choose... I just want a certificate :-\

 

Some advice on one to choose would be very helpful. Also any information regarding using it in my PHP and MySQL (tutorial).

 

thanks guys


Define "multi domains".  If you mean www.domain1.com and www.otherdomain.net, then you can't. SSL certs are only good for a single domain.

 

If you mean www.domain1.com and subdomain.domain1.com (same domain, different subdomains), then you can with a "wildcard" certificate. They're more expensive, but they'll work for all subdomains of your main domain.

 

Before giving blanket advice on what kind of certificate for you to get, it's really kind of important to know what it will be used for. Is this just to log into the site? eCommerce? Explain what you need the encryption for.


Sorry, I meant sub-domains... but yeah, I think a wildcard is what I'm gonna need by the looks... and it will be for e-commerce as well as login.

 

Users register, log in, buy and sell products; money transfers via somewhere like PayPal.

 

thank you


No, no, no. There are a lot of misunderstandings on both sides, and you're about to waste a lot of money.

 

First of all, why would you want separate domains for the registration, the log-in form and the log-out function? This makes no sense. Maybe you don't know what a domain actually is. Let's say the full URL is this:

https://www.yoursite.com/register.php

The domain is “www.yoursite.com”. Your PHP scripts do not belong to the domain, so you can and should serve them all from the same domain. Subdomains are something like “static.yoursite.com”. They're useful in some special cases, but unless you know exactly why you need them, you don't.

 

So a simple certificate for a single domain (which is much, much cheaper) should be sufficient for you. Note that the “www” subdomain is usually included, which means the certificate automatically covers both “yoursite.com” and “www.yoursite.com”.

 

Even if you do in fact need multiple subdomains, there's still no reason for buying an expensive wildcard certificate. There are so-called “multi-domain certificates” which cover a couple of arbitrary domains (not just subdomains as CroNiX said!).

 

Long story short: Do you even need multiple domains, or was this just a misunderstanding?

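A worked example (added here, not from the thread) of which hostnames each certificate shape from the posts above actually covers: a single-domain certificate with the “www” name included, a wildcard, and a multi-domain (DNS Alt Names) certificate. The name lists are constructed; the matching rule follows RFC 6125 section 6.4.3, which is what browsers apply.

```python
"""Which hostnames does a certificate cover?  Added example, not from the thread.
The three name lists below are constructed; real certificates carry them in the
Subject Alternative Name extension.  Matching follows RFC 6125 section 6.4.3:
a wildcard stands for exactly one whole leftmost DNS label."""


def name_matches(pattern: str, host: str) -> bool:
    """Match one certificate name (optionally a '*.' wildcard) against a hostname."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host                      # plain name: exact match only
    suffix = pattern[1:]                            # "*.yoursite.com" -> ".yoursite.com"
    if not host.endswith(suffix):
        return False                                # also rejects "evilyoursite.com"
    leftmost = host[:-len(suffix)]                  # the part the '*' would stand for
    # Must be exactly one non-empty label: the bare domain ("") and deeper
    # names ("a.b") are NOT covered by a wildcard.
    return bool(leftmost) and "." not in leftmost


def cert_covers(cert_names: list[str], host: str) -> bool:
    """True if any name in the certificate covers the host the client connected to."""
    return any(name_matches(pattern, host) for pattern in cert_names)


# Constructed name lists for the three certificate shapes discussed in the thread.
SINGLE_DOMAIN = ["yoursite.com", "www.yoursite.com"]      # "www" usually included, as noted above
WILDCARD = ["*.yoursite.com", "yoursite.com"]             # base name must still be listed explicitly
MULTI_DOMAIN = ["yoursite.com", "www.yoursite.com",
                "otherdomain.net", "www.otherdomain.net"]  # unrelated domains in one certificate

if __name__ == "__main__":
    for label, names in [("single", SINGLE_DOMAIN), ("wildcard", WILDCARD), ("multi", MULTI_DOMAIN)]:
        for host in ["yoursite.com", "www.yoursite.com", "static.yoursite.com",
                     "a.b.yoursite.com", "otherdomain.net"]:
            state = "covered" if cert_covers(names, host) else "NOT covered"
            print(f"{label:8} {host:22} {state}")
```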

Buying a multi-domain was a big misunderstanding... just a single domain will be sufficient.

 

OK, well, I looked into each certificate a bit more, and obviously the more you pay the better it is. Now, as my site is a work in progress and may not possibly work, I think a cheap cheap one would be OK for now... and then maybe purchase a comodo-ev-sgc-ssl in time?

 

But regarding the EV green address bar... some certificates come with it and some don't... isn't the green bar like a reassurance to the user that the site is actually secure?

 

Thanks for your help guys... much appreciated.


StartSSL offers basic certificates for free. You could use those for a single domain and get one later through one of the better known companies if you feel it necessary.

 

The green address bar is something people are trained to look for. It doesn't necessarily mean the site is somehow more secure than one without the green bar. It just means the company/person that owns the site has been put through a more strict verification process so the certificate issuer has better information about who they really are.


*lol*

 

Verifying the identity of the site owner is the whole point of a certificate authority, and it's absolutely crucial for the security of TLS/SSL. If an attacker is able to obtain or forge a certificate for your site, they can act as a man-in-the-middle and read the entire traffic between you and your clients.

 

Standard certificates offer little protection against that. The verification procedure is automated and only consists of sending a (plaintext) e-mail with a random token to some admin mailbox. If an attacker has access to that mailbox or is able to intercept the incoming mails, then you're screwed.

 

Extended Validation is very different. The validation is done by actual people who will call you and ask you all kinds of questions to make sure the certificate request is legitimate. EV certificates also don't use insecure algorithms like MD5 (standard certificates did).

 

So, no, EV is not just “a fancy green bar and some random information”. It's how validation should be done. But of course this is very expensive, so you have to ask yourself if you're willing (and able) to pay hundreds and thousands of dollars throughout the lifetime of the site. For the beginning, I recommend you start with something cheap.

 

Note that StartCom (the company behind StartSSL) does charge $24.90 for certificate revocation. A lot of people were surprised when they had to revoke their certificates after the Heartbleed Bug and found out that their “free” certificate suddenly costs a lot more than a standard certificate. So it's not really free.


Perhaps I should clarify then that by "more secure" I mean that it uses stronger encryption or has better infrastructure security (SQL injections, secured servers, etc.). EV just means you better know who exactly you're dealing with.

 

As a consumer, this is a good thing for sure. As a business it would be a good thing as well if you can afford it. Just because you pay extra for an EV certificate does not mean your site is somehow more secure than some site with a non-EV certificate. More trustworthy, perhaps. Not more secure.


The security of TLS/SSL depends on identities. All the encryption is worthless if the data goes to some man in the middle rather than the target server. In that case, you might as well send them the plaintext right away.

 

TLS/SSL only works if you can rely on the certificate, because that's what binds a public key to a specific identity. In the case of standard certificates, we don't really have a good reason for relying on the information. All we know is that somebody has submitted a signing request and was able to confirm the token from the automated confirmation mail. Was it the site owner? Hopefully. In the case of EV, however, we can be pretty sure that the certificate is indeed the right one, because the CA has actually checked this.

 

So EV does increase the security of the site. It prevents man-in-the-middle attacks. Of course it doesn't help you with SQL injection problems or server misconfigurations, and it doesn't cure AIDS either. But I don't think anybody made that claim. We're talking strictly about network traffic security.

 

Again, I'm not saying that every small company can and should afford EV. But the security benefits are unquestionable. The green bar is indeed a strong security indicator, not just decoration.



Thank you for the great information guys... I've just decided to go with a cheap one for now, and possibly with time, users and more money I think it'll be worth investing in an EV certificate.

 
Sorry for the delay in replying.


Does anyone have any comments regarding StartSSL's verified offering?  It is $60/year and includes wildcard.

 

 

StartSSL™ Verified

StartSSL™ Verified (Class 2 / 3) digital certificates are ideal for authentication, B2B and B2C transactions, protection of electronic mail and signing of object code and macros. More than that, StartSSL™ Verified provides a level of flexibility and support options not found anywhere else. StartSSL™ Verified supports:

  • Web server certificates (SSL/TLS)
  • Wild cards (*.domain.com)
  • Multiple domains (DNS Alt Names)
  • 128/256-bit encryption
  • Object Code Signing
  • Client and mail certificates (S/MIME)
  • US $ 10,000 insurance guaranteed
  • Certificates 2 or 3 Years valid

Note that StartCom uses extensive personal verification (passport, photo ID, driver's licence) and will store this data for at least 7 years. At the same time, you just get a standard certificate which isn't better than any other certificate. You also have to pay an extra fee of $ 25 if the certificate needs to be revoked.

 

Either way, make sure you get a SHA-256 certificate. SHA-1 has (theoretical) weaknesses and is currently being phased out.



Saying??? It is extensively verified? But a standard certificate? What other type is available? Just no green bar but the same quality?

 

My personal needs are multiple subdomains with "reasonable" security.


All non-EV certificates are equally (in)secure. Since any CA in the trust store can issue certificates for any website, it doesn't help you one bit to pay extra money or go through special validation. An attacker can just pick the weakest CA of all and try to get a “fake” certificate from them. It will still be accepted by browsers.

 

So the security of the entire standard certificate system is equal to the security of the weakest CA (there are a few exceptions, but this is the overall situation). Whether you pay $500 or nothing at all, whether you go through a DNA test to prove your identity or just reply to an automated mail – it doesn't really matter.

 

What matters is things like customer service and how the CA handles exceptional situations. If you need to get the certificate revoked, will they do it quickly and for free? Or do you have to pay an extra fee like with StartCom? And of course some of us generally prefer serious companies over, say, GoDaddy. ;)

 

As I already said, there are a few exceptions. If you're dealing with very experienced users, you can benefit from a good CA:

  • There are tools like Certificate Patrol which warn the user when the certificate changes. So if you always get your certificate from a particular CA, an attacker can't just use a different CA. Your users will notice.
  • It's also possible to manually clean up the trust store and throw out the shady CAs.

But the general public neither understands nor cares about the various CAs. It only understands the difference between EV (green bar) and non-EV (no green bar).

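A small monitor in the spirit of the Certificate Patrol tool named above, which also applies the earlier post's advice to insist on SHA-256: it records the issuing CA and a SHA-256 pin of each site's public key, and flags a changed issuer or a weak signature algorithm. This is an added example, not from the thread or from Certificate Patrol; the LeafCert record layout is an assumption and the certificate data in the test is constructed.

```python
"""Certificate-change monitor.  Added example, not from the thread.
Records (issuer, public-key pin) per host, like the Certificate Patrol tool
discussed above, and flags MD5/SHA-1 signatures as the earlier post advises.
The LeafCert fields are an assumption; the values fed in are constructed."""
import hashlib
from dataclasses import dataclass

# Signature algorithms the thread says to avoid (names as OpenSSL prints them).
WEAK_SIGNATURES = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}


@dataclass(frozen=True)
class LeafCert:
    host: str        # name the client connected to
    issuer: str      # CA that signed this leaf certificate
    sig_alg: str     # signature algorithm on the leaf
    spki_der: bytes  # SubjectPublicKeyInfo bytes (constructed stand-in, not a real key)


def spki_pin(cert: LeafCert) -> str:
    """SHA-256 over the public key; unchanged when a cert is renewed with the same key."""
    return hashlib.sha256(cert.spki_der).hexdigest()


def inspect(store: dict, cert: LeafCert) -> list[str]:
    """Compare an observed leaf with what we saw last time; return findings.
    store maps host -> (issuer, pin).  A changed issuer is not recorded until
    accept() is called, so the warning repeats on every connection."""
    findings = []
    if cert.sig_alg in WEAK_SIGNATURES:
        findings.append("weak-signature:" + cert.sig_alg)
    pin = spki_pin(cert)
    prev = store.get(cert.host)
    if prev is None:
        findings.append("first-seen")
    elif prev[0] != cert.issuer:
        # A different CA now vouches for this host: exactly what a forged
        # certificate from "the weakest CA" looks like.  Do not trust silently.
        findings.append(f"issuer-changed:{prev[0]}->{cert.issuer}")
        return findings
    elif prev[1] != pin:
        findings.append("rekeyed-same-ca")   # routine renewal with a new key
    else:
        findings.append("unchanged")
    store[cert.host] = (cert.issuer, pin)
    return findings


def accept(store: dict, cert: LeafCert) -> None:
    """Operator has verified the new certificate out of band; record it as the baseline."""
    store[cert.host] = (cert.issuer, spki_pin(cert))
```

In a real deployment the LeafCert would be filled from the server's certificate chain as seen by a client, so that a certificate the CA never issued to you shows up as an issuer change rather than going unnoticed.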

I now see the $60 StartCom certificate was just verified and not extended verified, and their EV goes for $200/year (time limited special offer?) and has additional requirements to obtain. I assume their EV cert offers wildcard, but am not certain.

 

Assuming there are not excessive hidden fees, pricing seems reasonable even with the potential $25 revocation fee.

 

I've used their free certificates before, but cannot vouch for their customer service and how they handle exceptional situations.

 

Unless I find their customer service sucked, I will likely go with their non-extended verified offering first, and upgrade when appropriate.

