SSL certificates - what's the deal?

Soldato
Joined
12 Jun 2005
Posts
5,361
I have never really looked into this before. I know what it's for and how it works but have never implemented it in a website.

What should I be paying for an SSL certificate? Are there things I should be looking out for?

Are there any decent guides for setup and use?
 

daz

Soldato
Joined
18 Oct 2002
Posts
24,075
Location
Bucks
What do you need the SSL certificate for? If you just need a basic certificate then £20-£50 is pretty much the going rate.

If you need a higher end certificate, for instance an EV then they can get very expensive.

One thing to bear in mind is that technologically speaking, there's really no difference from a cheap certificate to an expensive certificate, the only difference is in establishing trust.
 
Soldato
OP
Joined
12 Jun 2005
Posts
5,361
One thing to bear in mind is that technologically speaking, there's really no difference from a cheap certificate to an expensive certificate, the only difference is in establishing trust.

It's not a trust thing, it's simply to prevent data stealing/sniffing between client (browser) and server (website).

I take it you can't get one for free?

Sometimes when you go to a website which has an SSL my browser asks me to add an exception - I want to avoid this, how would I go about it, particular provider?

Do I have to get the certificate with my domain provider?
 

daz

Soldato
Joined
18 Oct 2002
Posts
24,075
Location
Bucks
I take it you can't get one for free?

A self signed SSL is free...

Sometimes when you go to a website which has an SSL my browser asks me to add an exception - I want to avoid this, how would I go about it, particular provider?

But then it's not trusted in any browsers :p

Your domain/hosting provider should be able to sort you out with one. If you're not selling anything, then just the basic/cheapest domain validated SSL will be fine.
 
Soldato
OP
Joined
12 Jun 2005
Posts
5,361
Your domain/hosting provider should be able to sort you out with one. If you're not selling anything, then just the basic/cheapest domain validated SSL will be fine.

But I don't NEED to get it with my domain provider right? They are independent of each other. Do I need special hosting or anything like that?
 

daz

Soldato
Joined
18 Oct 2002
Posts
24,075
Location
Bucks
But I don't NEED to get it with my domain provider right? They are independent of each other. Do I need special hosting or anything like that?

If you don't get it from your hosting provider, you'll need them to allocate you a dedicated IP, for which there might be a charge. You might want to check as well that they allow SSL certificates from other sources (most do, but some can be funny...).
 

Izi

Soldato
Joined
9 Dec 2007
Posts
2,718
Did you install their intermediate certificate on your server? I found that older versions of Firefox complained when I didn't do that.

Can't remember now (helpful I know), it was the client who was having issues not me when I tested in different browsers.
 
Soldato
OP
Joined
12 Jun 2005
Posts
5,361

Why? It doesn't matter that the client has to add a certificate security exception to their browser (or whatever they have it to). The website client NEEDs to use the service and will want to use it regardless of what they have to do.

The SSL certificate is simply to encrypt the connection to protect from packet sniffers.
 
Soldato
Joined
7 Apr 2004
Posts
4,212
Why? It doesn't matter that the client has to add a certificate security exception to their browser (or whatever they have it to). The website client NEEDs to use the service and will want to use it regardless of what they have to do.

The SSL certificate is simply to encrypt the connection to protect from packet sniffers.

Do you realize that makes the authentication benefits of SSL near useless? If your client will blindly add a random certificate to their root store that is not a good thing, sure it will be encrypted as you say but that's not all that great if you can't verify who is at the end of the channel.
 
Soldato
OP
Joined
12 Jun 2005
Posts
5,361
Sorry, the point is, I can actually give the client the certificate to add beforehand on a USB stick or something. Neither the client nor the server is worried about authenticity, instead only data confidentiality.
 
Soldato
Joined
7 Apr 2004
Posts
4,212
Sorry, the point is, I can actually give the client the certificate to add beforehand on a USB stick or something. Neither the client nor the server is worried about authenticity, instead only data confidentiality.

Ok, if that's the case just go with self signed ones. You can create your own with OpenSSL on Linux or inside IIS on Windows. Give that to the clients using offline installation media and you're good to go :)
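
The self-signed route suggested in the post above, as an added example that is not part of the thread: it creates a self-signed certificate with OpenSSL, prints the fingerprint the client can compare after offline delivery, and shows that a client trusting only that certificate rejects a different self-signed certificate issued for the same name. The hostname `app.example.internal`, the file names and the function names are assumptions, and `-addext` needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example. HOST and all file names are constructed placeholders.
HOST="app.example.internal"

# Create a self-signed certificate and private key for name $1 in directory $2.
# The subjectAltName is included because current browsers ignore the CN.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
        -keyout "$2/key.pem" -out "$2/cert.pem" 2>/dev/null
    chmod 600 "$2/key.pem"   # the key stays on the server, only cert.pem is handed out
}

# SHA-256 fingerprint of certificate $1, for comparison on the client
# after it has been copied from the installation media.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Client-side check: succeeds only if presented certificate $2 verifies
# against the certificate $1 that was delivered offline.
trusted_by_pin() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo: one certificate handed to clients, one unrelated certificate
# that claims the same hostname.
work=$(mktemp -d)
mkdir "$work/server" "$work/other"
make_selfsigned "$HOST" "$work/server"
make_selfsigned "$HOST" "$work/other"

echo "fingerprint to confirm on the client: $(fingerprint "$work/server/cert.pem")"
trusted_by_pin "$work/server/cert.pem" "$work/server/cert.pem" \
    && echo "delivered certificate: accepted"
trusted_by_pin "$work/server/cert.pem" "$work/other/cert.pem" \
    || echo "other certificate for $HOST: rejected"
rm -rf "$work"
```

The rejection in the last step only holds while the client trusts the delivered certificate and nothing else for this site; clicking through a browser exception for an unknown certificate removes that check.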
 