My web hoster offers a free shared SSL certificate and I am using it for testing my e-commerce site. It seems to be working fine, but the SSL certificate is not owned by my domain. Is it a good idea to use a shared SSL certificate? Should I just pay for a real one?
Shell out for your own certificate. You don't need to worry about certificate branding these days either so don't pay the big bucks for Verisign or Thawte, but don't go for the $29.95 special either. Find something in the middle price range that gives support, a bit of branding and the highest percentage of browser compatibility.
From a functional standpoint, the primary issue is that you lose cookies because the shared SSL will be under a different domain. This is not too hard to get around by putting one or more identifiers on the query string.
From a security standpoint, the danger of the SSL cert getting compromised is no different than the danger of the shared server getting compromised. Go with a reputable host and the shared environment is secure within practical limits. Obviously a dedicated server would be better (provided you also have the resources to configure it to be and remain better!).
From an image standpoint, some people wonder why the URL is different. For those that look for it, it might also convey a small-shop or "second-tier" image. People can invent all kinds of reasons not to proceed with the check-out process. A shared SSL is an indication that you are operating in a shared host environment. That may be enough to cause some people not to register or to abandon their cart.
A shared SSL uses a server-wide URL instead of a customer-specific domain. This is exactly the difference; it's the ramifications of this that are not widely understood: a single "point of failure" for all domains piggybacking off of a server-wide URL.
What happens if someone gets access to the server's SSL private keys? How many domains are now compromised? How many potential credit cards are now exposed?
This is the benefit of a private SSL vs. a shared SSL, and hence why a shared SSL is an increased security risk.
Additionally, SSL private keys are usually stored in an area which is accessible to the application. By utilizing a shared SSL certificate, the location of this encrypted file just cannot be as secure as a private SSL (i.e., it needs to be accessible in some manner by multiple applications). The less "protected" this file is, the greater the chance of it being copied, altered or deleted, which ultimately increases your risk of SSL compromise.
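As an added illustration of the "less protected file" point above (this is example code, not from either answer), a small audit that flags a private-key file whose mode bits or owner would let other tenants on the host read it. It assumes a POSIX filesystem; the key files it creates are constructed placeholders, not real keys.

```python
import os
import stat
import tempfile

# Added example: audit the on-disk protection of a TLS private key.
# Assumes a POSIX host; the key files below are constructed for the demo.


def classify_key_mode(mode, uid, expected_uid):
    """Return findings for a private key given its permission bits and owner uid.

    A key that other users or groups can reach is exactly the "less protected"
    case the answer warns about; an unexpected owner usually means it was
    copied or provisioned by a different account than the one serving TLS.
    """
    findings = []
    if mode & stat.S_IRWXO:          # any read/write/execute bit for "other"
        findings.append("world-accessible")
    if mode & stat.S_IRWXG:          # any bit for the group
        findings.append("group-accessible")
    if uid != expected_uid:
        findings.append("unexpected-owner")
    return findings


def audit_key_file(path, expected_uid=None):
    """Stat a key file and classify it; defaults to the current user as owner."""
    st = os.stat(path)
    if expected_uid is None:
        expected_uid = os.getuid()
    return classify_key_mode(stat.S_IMODE(st.st_mode), st.st_uid, expected_uid)


def demo():
    """Build two constructed key files: one shared-style (0644), one private (0600)."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("shared.key", 0o644), ("private.key", 0o600)):
            path = os.path.join(d, name)
            with open(path, "w") as f:
                f.write("-----BEGIN PRIVATE KEY-----\n(constructed placeholder)\n"
                        "-----END PRIVATE KEY-----\n")
            os.chmod(path, mode)
            results[name] = audit_key_file(path)
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or ["ok"])
```

Run against a real key path with `audit_key_file("/path/to/server.key", expected_uid)` to see which findings apply on your own host.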