| Author |
Message |
Psiga
Posts: 3990
|
 Posted: Sun Nov 05, 2006 8:14 pm Post subject: Question for the Web Developer minded among us: |
|
Can anyone here tell me of the most cost-effective way to implement SSL on a website?
I'm setting up a business-related site, with need for a secure form. It'll be low traffic, so I'm considering a 1and1 or godaddy package at the lowest rates available ($3 to $4 a month) -- neither of which include gratis SSL certs.
I've been trying to JFGI for the past couple hours, but I'm not finding a slick solution. Mainstream SSL cert goes for $70'something a year, though godaddy offers its own proprietary SSL version for $20 a year if I use their hosting packages. That's as good as it's gotten so far.
Any pointers? |
|
| Back to top |
|
 |
IIOIOOIOO
Posts: 91
|
| Posted: Sun Nov 05, 2006 8:53 pm Post subject: |
|
If you want anybody to take the SSL protection seriously then you have to buy a verisign or thawte certificate. Remember, SSL Certs do TWO things:
1) Provide keys for encryption of traffic.
2) Prove that at every point in the transaction you are dealing with who you think you are.
3rd party certs can do that (in theory) but most browsers are only set to default-accept certificates from a couple of well-vetted certificate authorities. If you're not worried about that and feel your customers will happily click the buttons to accept your certificate from JoeBloeSoft then you might as well just download the software to generate YOUR OWN certificate for free. Heck, if you have Windows Server you can generate one right now with just a few clicks. That will satisfy #1 with ease.
Another alternative is to buy your hosting from a company that offers "shopping-cart" type tools for free with the hosting. Then it's them who is footing the bill for the SSL certs and that part of the software while you pay some small fraction of that cost to the host.
Love,
IIOIOOIOO |
|
| Back to top |
|
|
internisus
Posts: 961
|
| Posted: Sun Nov 05, 2006 9:23 pm Post subject: |
|
| Good luck Psiga! =( |
|
| Back to top |
|
|
Psiga
Posts: 3990
|
| Posted: Sun Nov 05, 2006 9:55 pm Post subject: |
|
IIOIOOIOO wrote:
If you want anybody to take the SSL protection seriously then you have to buy a verisign or thawte certificate.
Yes, the big names are big names for a reason. I'd prefer to get an authentic thing at the lowest consumer price. No need for a shopping cart system, though, so a bundle deal is probably out of the question.
I'm thinking that the opensource/freeware SSL certificates might work in the short-run, since most of the people visiting will not be very net savvy, and there won't be any monetary transactions through it anyway. Encrypting contact information for added sense of privacy and security, is all.
Presuming things go as I've been told they will, I can upgrade to a first-rate certificate in a few months.
All the same: If anyone knows how to get cut-rate brand name SSL certs, I'd like to know. |
|
| Back to top |
|
|
Nana Komatsu
Posts: 697
|
| Posted: Mon Nov 06, 2006 12:29 am Post subject: |
|
I know virtually nothing about SSL. Sorry.
But! Don't use Godaddy hosting, I've heard nothing but bad things. |
|
| Back to top |
|
|
Psiga
Posts: 3990
|
| Posted: Mon Nov 06, 2006 1:43 am Post subject: |
|
Nana Komatsu wrote:
Don't use Godaddy hosting, I've heard nothing but bad things.
Check.
And yeah, both 1and1 and godaddy alike are known for being very, very, very low cost for a reason. I once used 1and1 for a short time about a year ago, with no problems that I can recall -- it's one of those "Works great when it works, god help you if it doesn't" things. Supposedly they outsourced their help lines recently, though...
Oh! I just thought to search for Dreamhost coupons, and found this: http://www.modder.org/dreamhost-promo-code/
That would make the lovely Dreamhost more affordable than even 1and1, with four times the stats. |
|
| Back to top |
|
|
IIOIOOIOO
Posts: 91
|
| Posted: Mon Nov 06, 2006 5:58 am Post subject: |
|
Psiga wrote:
IIOIOOIOO wrote:
If you want anybody to take the SSL protection seriously then you have to buy a verisign or thawte certificate.
Yes, the big names are big names for a reason. I'd prefer to get an authentic thing at the lowest consumer price. No need for a shopping cart system, though, so a bundle deal is probably out of the question.
I'm thinking that the opensource/freeware SSL certificates might work in the short-run, since most of the people visiting will not be very net savvy, and there won't be any monetary transactions through it anyway. Encrypting contact information for added sense of privacy and security, is all.
Presuming things go as I've been told they will, I can upgrade to a first-rate certificate in a few months.
All the same: If anyone knows how to get cut-rate brand name SSL certs, I'd like to know.
Just so we're clear: Most browsers, when faced with a 3rd-party cert, pop up a dialogue that looks something like "This page is a lie-virus. Would you like to trust everything from them forever? If so, then we need you to check here, check here, check here, then click submit... sucker."
If you're actually not trying to encrypt any real business transactions then the 3rd party will RUIN more sense of security than it will create. Might as well just get a .ru domain name because registration is cheaper! |
|
| Back to top |
|
|
internisus
Posts: 961
|
| Posted: Mon Nov 06, 2006 6:17 am Post subject: |
|
| That sound bad, d00d. Be careful! |
|
| Back to top |
|
|
Takashi
Posts: 820
|
| Posted: Mon Nov 06, 2006 6:39 am Post subject: |
|
IIOIOOIOO wrote:
Just so we're clear: Most browsers, when faced with a 3rd-party cert, pop up a dialogue that looks something like "This page is a lie-virus. Would you like to trust everything from them forever? If so, then we need you to check here, check here, check here, then click submit... sucker."
If you're actually not trying to encrypt any real business transactions then the 3rd party will RUIN more sense of security than it will create. Might as well just get a .ru domain name because registration is cheaper!
At the same time, those unsigned certificates and warnings are so common (even in oficial sites), people click tru them the same way they read a EULA. Also, most modern browsers will default to "trust site for this session" and don't bother you any more after they shown the signature and made you click once. At any rate, third party non-verisign certificates are a waste of money if you can do them yourself. |
|
| Back to top |
|
|
Psiga
Posts: 3990
|
| Posted: Mon Nov 06, 2006 1:13 pm Post subject: |
|
Perceptually, it bothers me just as much or more when I go to a place with a real SSL cert but the thing is outdated, misnamed, or has mixed content. The site caughs up a real error message even though nothing's supposed to be wrong.
As for as accepting a new certificate authority, Firefox's dialogue is low key, and IE's only makes you think a little bit. Still not as good as not having to think at all, but again it's a short-term solution. The site will offer three methods of contact to choose from, between email, phone, or form. If they get cold feet about the form (despite having no risk of losing money, since money isn't involved), there will still be two other methods.
Unless I can find a super lovely deal on Verisign certs, this is probably the way I'll start off. |
|
| Back to top |
|
|
|