homepage Welcome to WebmasterWorld Guest from 50.17.86.12
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Pubcon Platinum Sponsor 2014
Home / Forums Index / WebmasterWorld / Ecommerce
Forum Library, Charter, Moderators: buckworks

Ecommerce Forum

    
Using a Shared SSL
Is this a good idea?
joe1182

10+ Year Member



 
Msg#: 3824 posted 9:52 pm on May 15, 2005 (gmt 0)

My web hoster offers a free shared SSL Certificate and I am using it for testing my e-commerce site. It seems to be working fine but, the SSL is not owned by my domain. Is this a good idea to use a shared SSL Certificate? Should I just pay for a real one?

 

Big_Balou

10+ Year Member



 
Msg#: 3824 posted 1:03 am on May 16, 2005 (gmt 0)

I would recommend going ahead and purchasing your own cert. At the same time I have to admit that when I first started I used my host's shared cert with no problems.

If you search you can find some relatively good prices.

Edited-Sticky me and I'll give you a starting point.....Looks like Corey Bryant gave you the same url I was thinking about in your other post on the subject - end Edited

joe1182

10+ Year Member



 
Msg#: 3824 posted 2:25 pm on May 16, 2005 (gmt 0)

anyone else have any input?

lgn1

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 3824 posted 3:24 pm on May 16, 2005 (gmt 0)

Shell out for your own certificate. You don't need to worry about certificate branding these days either so don't pay the big bucks for Verisign or Thawte, but don't go for the $29.95 special either. Find something in the middle price range that gives support, a bit of branding and the highest percentage of browser compatibility.

Corey Bryant

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 3824 posted 5:47 pm on May 16, 2005 (gmt 0)

There used to be a great white paper on the net about the dangers of using a shared SSL. If the shared SSL is compromised - it could potentially cause a lot of problems for all the customers using it.

Your own SSL is usually better.

-Corey

john_k

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 3824 posted 6:38 pm on May 16, 2005 (gmt 0)

From a functional stand-point, the primary issue is that you lose cookies because the shared SSL will be under a different domain. This is not too hard to get around by putting one or more identifiers on the query string.

From a security stand-point, the danger of the SSL cert getting compromised is no different than the danger of the shared server getting compromised. Go with a reputable host and the shared environment is secure with in practical limits. Obviously a dedicated server would be better (provided you also have the resources to configure it to be and remain better!)

From an image stand-point, some people wonder why the URL is different. For those that look for it, it might also convey a small shop or "second-tier" image. People can invent all kinds of reasons not to proceed with the check-out process. A shared SSL is an indication that you are operating in a shared host environment. That may be enough to cause some people to not register or to abandon their cart.

Corey Bryant

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 3824 posted 1:38 pm on May 17, 2005 (gmt 0)

A shared SSL uses a server-wide URL instead of a customer specific domain. This is exactly the difference - its the ramifications of this that are not widely understood - single "point of failure" for all domains piggy backing off of a server-wide URL -

What happens if someone gets access to the servers SSL private keys - how many domains are now compromised? How many potential credit cards are now exposed?

This is the benefit of a private SSL vs a shared SSL - and hence why a shared SSL is an increased security risk.

Additionally , SSL Private Keys are usually stored in an area which is accessible to the application. By utilizing a shared SSL certificate, the location of this encrypted file just cannot be as secure as a private SSL (ie - needs to be accessible in some manner by multiple applications) - the less "protected" this file is, the greater the chance of it being copied, altered or deleted - which ultimately increases your risk of SSL compromise.

Safenet-Inc has some great resources on SSL.

-Corey

joe1182

10+ Year Member



 
Msg#: 3824 posted 5:04 pm on May 17, 2005 (gmt 0)

Thanks everyone. This was very helpful.

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / WebmasterWorld / Ecommerce
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved