Shared Ssl Certificates

Forum Moderators: buckworks

Message Too Old, No Replies

Shared Ssl Certificates

What does browser show?

scottmonaco

5:22 am on Mar 26, 2003 (gmt 0)

Hi, I am preparing to use ECommerce and wonder if using Shared SSL certificates makes any sense? If the browers shows a warning (if thats true?) that the domain name is not the same. Does not that negate the use as it would scare off potential clients? . If that is the case, then they are really only two solutions, a third party secure server like agora pay or paypal, or your own SSL. Correct?

jamesa

7:11 am on Mar 26, 2003 (gmt 0)

IMHO it's worth the $200 for your own digital cert - much more professional image.

But there's no technical issues with a shared certificate. Client won't get any warnings if all of the images, etc on the page are being served securely (just watch the urls of your images and external css files, etc). The downside to a shared cert is that the URL will be that of the company you're sharing the cert with, and of course if the client views the cert they'll see some other company's info instead of yours.

It's really hard to say if customers would be put off by the change in URL, but I have several client that elected to do it this way and we haven't noticed any problems.

scottmonaco

12:20 pm on Mar 26, 2003 (gmt 0)

Thanks!, the clients that you have using shared SSL, do they accept CC via their own Merchant accounts? I have beenr eading up on Payment gateways etc... lot to learn here (boy what fun :) )

jamesa

7:50 pm on Mar 26, 2003 (gmt 0)

yes, they're all using their own merchant accounts (with AuthorizeNet).

samonaco

9:07 pm on Mar 26, 2003 (gmt 0)

Thanks a bunch!, Do they need (or want) a Internet Merchant account as well as their current Merchant account they use in their brick and mortar store?

jamesa

9:13 pm on Mar 26, 2003 (gmt 0)

Well, if your brick-and-mortar merchant account does internet transactions as well then use that but that's usually not the case. So most likely you'd need to set up an internet merchant account as well. The funds from the internet merchant account are deposited directly to the bank account of your choice.

samonaco

10:12 pm on Mar 26, 2003 (gmt 0)

Thanks, I guess that means he would have two mechant accounts. Do you like the affilaite programs? were they helpful at authorize.net?

USMerch

12:18 am on Apr 7, 2003 (gmt 0)

Actually there are a few issues you can run into with Shared SSL certificates, not the least of which is session or cookie problems where other stores using the same e-commerce application(s) with the same provider use the same SharedSSL. Good providers have usually worked through them, but it can be a very serious problem with the many bargain basement resellers of resellers.

Typically, the arrangement for simple services will have a separate directory for your secure forms which will be aliased to a directory of the provider's SSL'd server (http://widgets.com and [securewidget.com...]
it is ugly but works for basic forms, and most users are surprisingly oblivious to most 'domain shifts'
The typical certificate here is the simple www.singledomain.blah certificate intended for individual organizations being misused to allow multiple 'secure' users without any real identification of seller, this is an ethically questionable practice, which saves money for the provider. The browser will show a lock, and there will be no obvious warnings unless you call images/content outside your 'secure directory', the report will show the certificate was intended for "www.securewidget.com".

The 'best practices' version of SharedSSL would have your entire site aliased to a third level domain of the SSL'd server
(http://widgets.com and [widgets.securewidget.com)...]
which is a lot less ugly, allows for all types of dynamic content changes and manual additions, without an additional 'secure directory' to deal with etc. and less objectionable to those that do notice 'domain shift'. As long as the provider has properly dealt with issues of cookies and sessions with the applications, this is a very good way to work.
The typical certificate here is a '*.' certificate which is intended for multiple use. The cost of this type of certificate is much higher (usually $350-450 instead of $50-$150).
The browser will show a lock, and there will be no obvious warnings, unless you 'hard-link' things on your site or off your site ( scr="http://widgets.com/images/widgetlogo.jpg" instead of scr="/images/widgetlogo.jpg" ) the report will show the certificate was intended for "*.securewidget.com", your site would be the provider verified "*" in the "*.", but would not be listed.

I hope this info helps...

samonaco

2:09 pm on Apr 7, 2003 (gmt 0)

Wow, thanks for the info!. Hopefully after I do one, I understand all of that :)

davemarks

12:38 pm on May 14, 2003 (gmt 0)

Can you recommend a somewhere to purchase a trusted certificate from?

I'm looking at the �50 end ;)

At the moment we're using a seld signed certificate, but ofcourse this prompts the user that the certificate is not from a trusted party

Thanks

jamesa

10:39 am on May 13, 2003 (gmt 0)

Thawte or Verisign.

Others exist. But since the others are newer not all browsers are aware of them. So some users would still get the "untrusted" warning unless they update their browsers accordingy. Check browser compatibility before buying a cert.

davemarks

11:25 am on May 13, 2003 (gmt 0)

Thanks,

I eventually got one from Comodo Group www.InstantSLL.com
They claim 99% browser compatibility and the only problems I found were with 4.x or older browsers, which is more than adequate for me :)

For �50 I got the SSL certificate and a Free TrustLogo www.trustlogo.com and it was all very prompt. Even with my client faxing across proof of business documents etc, it was all done in less than 6 hours :)

Would definatley recommend for anybody whos not pushing enough business to afford a verisign or thwaite one. And even so I can't see much benefit in the extra expense... The �50 one I got has $10,000 assured...