Hello,
I'm using a shared SSL for my site and I was wondering if it is necessary to purchase a SSL Certificate? Do I really need one?
Thanks,
cameo
Yes it is very important to purchase a dedicated SSL.
This will make your site much more secure for customers.
1. You don't want to stuff around with people's important financial information or have it stolen.
2. Users will be prompted that the site they are buying from is not secure via a warning through their browser.
Would you buy then?
That wasn't the plan!
I don't wish to add to any possible confusion, but I disagree with what 'muzz' has written,
A shared SSL is no less secure than one you purchase yourself.
The chances of having people's important information stolen are no different between having a shared SSL and your own.
A shared SSL will NOT prompt the users that the site isn't secure.
The *only* disadvantage to using a shared SSL is that the SSL will be issued in the name of your ISP's domain rather than your own domain name, which means one of two things will occur: either your ISP will put a redirection in place so that the secure pages are fed from their domain rather than yours (not common, but I have seen it), OR your customers' web browser will display a *warning* message that your domain doesn't match that of the certificate. Your customers will then have the option of not proceeding, or adding an exception. If they add an exception the pages will still be encrypted/secured.
If I were you I'd enable the shared SSL, do a test purchase and see if you get any scary warnings - if not, then neither will your customers, if so, then ask yourself if YOU would proceed if confronted with the same message if you were going to purchase from another store. If you wouldn't, then neither will your customers... so buy your own cert.
They are pretty cheap these days.
Oh, finally, if you aren't directly handling credit card details, eg, if you are using PayPal, then you probably don't even *need* SSL enabled anyway.. the confidential information will be encrypted by PayPal itself.
Cheers
Rod (adv dip network security)
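Added example, not part of any post in this thread: the name check a browser runs before showing the mismatch warning described above, applied to a shared certificate and to a store's own certificate. The certificate dicts are constructed samples in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, and the hostnames `www.myshop.example` and `secure.isp-host.example` are assumptions.

```python
# Added example: does the certificate cover the hostname the customer typed?
# All certificate data below is constructed for illustration.

def cert_dns_names(cert):
    """DNS names from subjectAltName; fall back to commonName if none.
    (The CN fallback is legacy behaviour; current browsers require SAN.)"""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names += [v for k, v in rdn if k == "commonName"]
    return names

def name_matches(pattern, hostname):
    """Exact match, or '*' standing in for exactly one left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse over-broad wildcards such as '*.example'.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def browser_would_warn(cert, hostname):
    """True when no name in the certificate covers the requested hostname."""
    return not any(name_matches(n, hostname) for n in cert_dns_names(cert))

# Constructed sample: a hosting provider's shared certificate.
SHARED_CERT = {
    "subject": ((("commonName", "secure.isp-host.example"),),),
    "subjectAltName": (("DNS", "secure.isp-host.example"),
                       ("DNS", "*.isp-host.example")),
}
# Constructed sample: a certificate issued for the store's own domain.
OWN_CERT = {
    "subject": ((("commonName", "www.myshop.example"),),),
    "subjectAltName": (("DNS", "myshop.example"),
                       ("DNS", "www.myshop.example")),
}

def report(store="www.myshop.example", isp="secure.isp-host.example"):
    return {
        "shared cert, store domain": browser_would_warn(SHARED_CERT, store),
        "shared cert, ISP domain": browser_would_warn(SHARED_CERT, isp),
        "own cert, store domain": browser_would_warn(OWN_CERT, store),
    }

if __name__ == "__main__":
    for case, warn in report().items():
        print(f"{case}: {'name mismatch warning' if warn else 'ok'}")
```

The shared certificate passes only when the checkout pages are served from the provider's hostname, which is the redirection case mentioned in the post.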
RodG,
Thanks for your reply. I'm hearing and feeling what you're saying, and no, you're not adding any confusion. I appreciate hearing what you have to say.
I was also told that a shared SSL is no less secure than one you purchase yourself, but I thought I would come over to the forum and post the question and see what the experts had to say.
Yes, I'm using PayPal, so I'm not handling any credit card details. I haven't done a test purchase yet, but I have gone as far as getting to the PayPal screen where you have to log in, and I see the https and the lock in my browser, so I think I'm ok.
I will have to do a full test run next week, if you know what I mean; it's not payday yet.
Thanks again!
cameo
One other thing to mention.. if you have a dedicated SSL, you can register this to the business name AND advertise it!
You will be able to have a link on your site to your SSL company showing the business name and that it is all legit.
Some dedicated SSL also come with a security warranty if your site was hacked. And though the odds are remote it could happen.. you could be insured to a certain amount.
In regards to purchasing from your site: are you prompted via the browser during the purchase procedure or at any time regarding security? Check this out.
The cost isn't much around, though you will need a dedicated IP.
That wasn't the plan!
Just to expand on this a little. SSL is/was designed to perform TWO functions.
1. Encryption
2. Authentication
While a shared SSL cert will offer the same level of encryption as a non-shared one, it doesn't offer any type of authentication (which is why the web browsers still create a warning message).
Having said that, with the cheap SSL certs available these days, no checks are performed by the CAs (Certification Authorities) to authenticate the person/organization buying the certificates, so this aspect of SSL has become somewhat meaningless or pointless anyway.
In my opinion this is a bit of a shame, but it has only come about due to market demands.
The market has dictated that we'd rather buy a cheap non-authenticated certificate than the more expensive authenticated ones. (The authenticated ones being more expensive because, well, someone has to do the background checks to ensure the person/company buying the certificate is indeed who they say they are.)
On the other hand, the CAs that DO provide authentication haven't done themselves any favours either by grossly overcharging what it costs to perform the checks in the first place.
The end result is that the general public can no longer trust the authenticity of an SSL cert anyway (not that many are even aware of this fact), so in this regard the security offered by SSL has already been compromised, and its only usefulness these days is for encryption, and even the encryption is generally over-rated because the data is more often than not stored in unencrypted format on the end server anyway, and keyboard loggers on the client's computer will also be logging unencrypted data. So about the only thing SSL *really* protects against is 'man in the middle' packet sniffers, which are generally only used by 'experts' that are aware of the other weaknesses of SSL anyway, and they'll usually take advantage of these weaknesses first, often with a high rate of success.
You now know far more about SSL than the average person needs to know, and probably even more than most SysAdmins and online merchants.
Cheers
Rod
ps. Although in my opinion SSL is practically worthless, this ISN'T the public perception. They NEED to see that secure padlock, else they think they are unsafe.
Last edited by RodG; 12 Dec 2009 at 06:06 AM.
Hi Muzz,
Thanks again for the above info; that's nice to know when making my decision.
When I get to the PayPal page where you need to log in, I see the padlock and the https in the browser, and so far no security warning has appeared. Is this what you're talking about?
Thanks,
cameo
Hi RodG,
Thanks for the explanation and all of the info above. It's very informative and stuff I needed to know. I'm glad you expanded on the subject, thanks!
Yes, I do know more about SSL than the average person now. I can act like a bigshot when someone asks me about SSL.
Thanks!
cameo