Welcome to WebmasterWorld Guest from 54.159.165.175

Forum Moderators: buckworks

Using a Shared SSL

Is this a good idea?

   
9:52 pm on May 15, 2005 (gmt 0)

10+ Year Member



My web hoster offers a free shared SSL Certificate and I am using it for testing my e-commerce site. It seems to be working fine but, the SSL is not owned by my domain. Is this a good idea to use a shared SSL Certificate? Should I just pay for a real one?
1:03 am on May 16, 2005 (gmt 0)

10+ Year Member



I would recommend going ahead and purchasing your own cert. At the same time I have to admit that when I first started I used my host's shared cert with no problems.

If you search you can find some relatively good prices.

Edited-Sticky me and I'll give you a starting point.....Looks like Corey Bryant gave you the same url I was thinking about in your other post on the subject - end Edited

2:25 pm on May 16, 2005 (gmt 0)

10+ Year Member



anyone else have any input?
3:24 pm on May 16, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Shell out for your own certificate. You don't need to worry about certificate branding these days either so don't pay the big bucks for Verisign or Thawte, but don't go for the $29.95 special either. Find something in the middle price range that gives support, a bit of branding and the highest percentage of browser compatibility.
5:47 pm on May 16, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



There used to be a great white paper on the net about the dangers of using a shared SSL. If the shared SSL is compromised - it could potentially cause a lot of problems for all the customers using it.

Your own SSL is usually better.

-Corey

6:38 pm on May 16, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



From a functional stand-point, the primary issue is that you lose cookies because the shared SSL will be under a different domain. This is not too hard to get around by putting one or more identifiers on the query string.

From a security stand-point, the danger of the SSL cert getting compromised is no different than the danger of the shared server getting compromised. Go with a reputable host and the shared environment is secure with in practical limits. Obviously a dedicated server would be better (provided you also have the resources to configure it to be and remain better!)

From an image stand-point, some people wonder why the URL is different. For those that look for it, it might also convey a small shop or "second-tier" image. People can invent all kinds of reasons not to proceed with the check-out process. A shared SSL is an indication that you are operating in a shared host environment. That may be enough to cause some people to not register or to abandon their cart.

1:38 pm on May 17, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



A shared SSL uses a server-wide URL instead of a customer specific domain. This is exactly the difference - its the ramifications of this that are not widely understood - single "point of failure" for all domains piggy backing off of a server-wide URL -

What happens if someone gets access to the servers SSL private keys - how many domains are now compromised? How many potential credit cards are now exposed?

This is the benefit of a private SSL vs a shared SSL - and hence why a shared SSL is an increased security risk.

Additionally , SSL Private Keys are usually stored in an area which is accessible to the application. By utilizing a shared SSL certificate, the location of this encrypted file just cannot be as secure as a private SSL (ie - needs to be accessible in some manner by multiple applications) - the less "protected" this file is, the greater the chance of it being copied, altered or deleted - which ultimately increases your risk of SSL compromise.

Safenet-Inc has some great resources on SSL.

-Corey

5:04 pm on May 17, 2005 (gmt 0)

10+ Year Member



Thanks everyone. This was very helpful.
 

Featured Threads

My Threads

Hot Threads This Week

Hot Threads This Month