SSL Cert for online site

dbz0e

Well-Known Member
Joined
Apr 16, 2012
Messages
401
Hi guys, Please recommend SSL cert for online selling startup.

Thanks
 

tcpip

Active Member
Joined
Aug 15, 2007
Messages
74
Let's Encrypt is very good, especially if you can set up an automated cron job for the three-month renewals.

Depending on the type of site you are running, you can also look at Cloudflare, which also does CDN caching. They have a free version with SSL (Client(SSL)->Cloudflare-->Host(HTTP)), which is not really secure, and a paid version which is fully encrypted end to end.
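
A companion check for the automated renewal suggested above, as an added example that is not part of the original post: it reports when a certificate is inside its renewal window, which is how a silently failing renewal cron job shows up. The file paths, the `shop.example.test` name, the 30-day threshold and the function names are assumptions; the test certificates are constructed self-signed ones.

```shell
#!/bin/sh
# Added example, not from the thread. Run daily beside the renewal cron job,
# e.g. (hypothetical path):  0 6 * * * /usr/local/bin/cert-check.sh

# cert_status CERT_PEM MIN_DAYS
#   0 = valid for more than MIN_DAYS
#   1 = expires within MIN_DAYS (the renewal has not happened)
#   2 = file missing or not a parseable certificate
cert_status() {
    [ -r "$1" ] || return 2
    openssl x509 -noout -in "$1" >/dev/null 2>&1 || return 2
    if openssl x509 -noout -checkend "$(($2 * 86400))" -in "$1" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# check_and_report CERT_PEM MIN_DAYS: one line for cron mail or syslog.
check_and_report() {
    cert_status "$1" "$2"
    rc=$?
    case $rc in
        0) echo "OK    $1: more than $2 days left" ;;
        1) echo "WARN  $1: expires within $2 days, check the renewal job" ;;
        *) echo "ERROR $1: missing or unreadable certificate" ;;
    esac
    return $rc
}

# make_test_cert OUT_PEM DAYS: constructed self-signed certificate, demo only.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=shop.example.test" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Demo on constructed input: a fresh 90-day certificate, one whose renewal
# was missed (10 days left), and a path where no certificate exists.
tmp=$(mktemp -d)
make_test_cert "$tmp/fresh.pem" 90
make_test_cert "$tmp/stale.pem" 10
check_and_report "$tmp/fresh.pem" 30 || true
check_and_report "$tmp/stale.pem" 30 || true
check_and_report "$tmp/absent.pem" 30 || true
rm -rf "$tmp"
```
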
 

chopsky

Expert Member
Joined
Oct 12, 2003
Messages
1,480
Hi guys, Please recommend SSL cert for online selling startup.

Thanks

For an online store, stick with a proper branded SSL rather than a free Let's Encrypt. LE is better suited to personal/smaller websites.
Check Smartweb in my sig. You can score a PositiveSSL or RapidSSL cert for sub-R200 per year. Worth it.
For a very low fee, you get support and a branded site seal for your website for extra customer trust, and it doesn't need to renew every 3 months.
Alternatively, their web hosting packages (if you're interested) include free Comodo SSL certs.

Cheers!
 

Mr Scratch

Expert Member
Joined
May 15, 2013
Messages
4,838
For an online store, stick with a proper branded SSL rather than a free Let's Encrypt. LE is better suited to personal/smaller websites.
Check Smartweb in my sig. You can score a PositiveSSL or RapidSSL cert for sub-R200 per year. Worth it.
For a very low fee, you get support and a branded site seal for your website for extra customer trust, and it doesn't need to renew every 3 months.
Alternatively, their web hosting packages (if you're interested) include free Comodo SSL certs.

Cheers!

Absolute horse****. You're just trying to grab a sale.
 

Fulcrum29

Honorary Master
Joined
Jun 25, 2010
Messages
55,031
For an online store, stick with a proper branded SSL rather than a free Let's Encrypt. LE is better suited to personal/smaller websites.
Check Smartweb in my sig. You can score a PositiveSSL or RapidSSL cert for sub-R200 per year. Worth it.
For a very low fee, you get support and a branded site seal for your website for extra customer trust, and it doesn't need to renew every 3 months.
Alternatively, their web hosting packages (if you're interested) include free Comodo SSL certs.

Cheers!

It depends how you look at the current ‘internet’ landscape, Let’s Encrypt is gaining ground and is being endorsed where possible by the larger ‘internet’ providers. Though Let’s Encrypt does not come with any risk coverage, an insurance, it does what it does best to enable HTTPS.

What makes Let’s Encrypt great is the easy accessibility, and you do have ‘unmanaged’ hosting providers which auto renew the cert every 3 months on request. The more tech savvy or website administrators do have access to plugins or scripts to auto renew. Once Let’s Encrypt gains public traction, it will be more supported as a trusted cert. What it is, is a threat to paid SSL, as said it does not provide any risk cover whatsoever. Though Let’s Encrypt does not support wildcard, it is in the pipeline…

However, Let’s Encrypt at this stage is not suitable to be enabled on a medium to enterprise sized website with multiple transactions on a daily basis.
 

Mr Scratch

Expert Member
Joined
May 15, 2013
Messages
4,838
However, Let’s Encrypt at this stage is not suitable to be enabled on a medium to enterprise sized website with multiple transactions on a daily basis.

I disagree with you strongly. Mind elaborating on this statement?
 

Fulcrum29

Honorary Master
Joined
Jun 25, 2010
Messages
55,031
I disagree with you strongly. Mind elaborating on this statement?

What security does Let’s Encrypt provide to you, tell me more about their assurance, application and issuance policies?

Most entry level SSLs do not have any security insurance, and in my opinion would also not be suitable to be enabled on medium to enterprise sized websites handling transactions.

Then to elaborate on the current beta limitations, I have already mentioned no wildcard certs, and they have no EV certs or identity validation which is valued by change management.

They also apply rate limits which would make it unsuitable to larger service providers, depending on the deployment scale. Couple this to the short validity periods and you will run into issues, and yes, Let’s Encrypt (or ISRG) is improving on the rate limitations.

Lastly, Let’s Encrypt is issued to any site which is a security concern, likewise with any other entry-level certs. Google is already on a campaign to secure the internet, by labelling non-SSL sites, and what do you think will happen when Let’s Encrypt is signed to malicious sites on a large scale already in progress? Is this not an emerging trusted SSL issue?

So, why do you strongly disagree?
 

Thor

Honorary Master
Joined
Jun 5, 2014
Messages
44,236
For an online store, stick with a proper branded SSL rather than a free Let's Encrypt. LE is better suited to personal/smaller websites.
Check Smartweb in my sig. You can score a PositiveSSL or RapidSSL cert for sub-R200 per year. Worth it.
For a very low fee, you get support and a branded site seal for your website for extra customer trust, and it doesn't need to renew every 3 months.
Alternatively, their web hosting packages (if you're interested) include free Comodo SSL certs.

Cheers!
Proper BS
 

chopsky

Expert Member
Joined
Oct 12, 2003
Messages
1,480
Absolute horse****. You're just trying to grab a sale.

Proper BS

Thanks guys, appreciate your reasoning.

Outbursts aside, if you consider the fact that you're getting technical support (help with setting up/issuing, or for when **** hits the fan) + a site seal (especially useful for an online store) + warranty, R200 or whatever is well worth the asking price for peace of mind.

Free is nice, and Let's Encrypt have done a great thing, but it's not without limitations.
 

Thor

Honorary Master
Joined
Jun 5, 2014
Messages
44,236
Thanks guys, appreciate your reasoning.

Outbursts aside, if you consider the fact that

1 you're getting technical support (help with setting up/issuing, or for when **** hits the fan)

2 + a site seal (especially useful for an online store)

3 + warranty,

4 R200 or whatever is well worth the asking price for peace of mind.

Free is nice, and Let's Encrypt have done a great thing, but it's not without limitations.

1, That is what you pay your host for, Let's Encrypt won't change that.

2, joe public does not know the difference so a normal SSL/HTTPS encrypted logo will do the exact same thing trust wise (Make one up yourself and it'll work just as well. example - https://cdn-business.discourse.org/.../149e86cd7f135095e9c92f4e67a4b6a7b80a60c0.png) - besides the best seal your site can have is the green lock in the URL bar the rest is aesthetics.

3, That is the only reason why a paid for SSL certificate is useful, but reality is have you ever claimed it?

4, It simply is not.
 

chopsky

Expert Member
Joined
Oct 12, 2003
Messages
1,480
1, That is what you pay your host for, Let's Encrypt won't change that.

2, joe public does not know the difference so a normal SSL/HTTPS encrypted logo will do the exact same thing trust wise (Make one up yourself and it'll work just as well. example - https://cdn-business.discourse.org/.../149e86cd7f135095e9c92f4e67a4b6a7b80a60c0.png) - besides the best seal your site can have is the green lock in the URL bar the rest is aesthetics.

3, That is the only reason why a paid for SSL certificate is useful, but reality is have you ever claimed it?

4, It simply is not.

Each to their own I guess. If I saw my bank was using a free Let's Encrypt SSL, I'd jump ship immediately. Tells me they don't take my security seriously. That same mind-set can (and should be) applied to an online store.
 

Thor

Honorary Master
Joined
Jun 5, 2014
Messages
44,236
Each to their own I guess. If I saw my bank was using a free Let's Encrypt SSL, I'd jump ship immediately. Tells me they don't take my security seriously. That same mind-set can (and should be) applied to an online store.

Elaborate from a security perspective how Let's Encrypt is inferior? In fact the 90 day expiration makes me MORE likely to use it for production. There's a much shorter window if your key gets compromised, hell, I'd rotate every day if I could.

The only drawback LE has right now is lack of wildcards, when that is implemented, done deal.

If you feel you absolutely must use a pay for certificate then use a Comodo Positive SSL $4.

https://www.cheapsslshop.com/comodo
 

chopsky

Expert Member
Joined
Oct 12, 2003
Messages
1,480
Elaborate from a security perspective how Let's Encrypt is inferior? In fact the 90 day expiration makes me MORE likely to use it for production. There's a much shorter window if your key gets compromised, hell, I'd rotate every day if I could.

The only drawback LE has right now is lack of wildcards, when that is implemented, done deal.

If you feel you absolutely must use a pay for certificate then use a Comodo Positive SSL $4.

https://www.cheapsslshop.com/comodo

LE's biggest drawback, as Fulcrum29 pointed out, is that any idiot can get one. There's zero validation involved. It's going to become commonplace on the internet, especially amongst fraudulent websites. That poses a problem in the future. Sure, the secure encryption is there, but that's not all that counts when it comes to online security & trust. It might not affect an educated online user such as yourself, but not everyone is on that level, especially in trying to determine what businesses to trust and not trust.
 

Thor

Honorary Master
Joined
Jun 5, 2014
Messages
44,236
LE's biggest drawback, as Fulcrum29 pointed out, is that any idiot can get one. There's zero validation involved. It's going to become commonplace on the internet, especially amongst fraudulent websites. That poses a problem in the future. Sure, the secure encryption is there, but that's not all that counts when it comes to online security & trust. It might not affect an educated online user such as yourself, but not everyone is on that level, especially in trying to determine what businesses to trust and not trust.

Anyone can get a paid for SSL as well.
 

chopsky

Expert Member
Joined
Oct 12, 2003
Messages
1,480
I think the biggest mistake you're making, is that you're looking at it from a purely security/encryption perspective, rather than a trust perspective. SSL certificates aren't just about encryption, although that's their primary purpose. They're also largely about trust. You're an educated user, so you can work out which online stores to trust and which not to. The average person is not informed. Until now, SSL certs have been the best way for the average person to determine whether their money is safe being spent on an online store. With LE, that trust is largely going to fall away. There's no validation and absolutely every sod is going to have one. Logically, people are going to have to find new ways to determine they can trust the store, and that will happen with OV/EV certs and branded, authenticated, clickable site seals (sticking a LE logo on your website counts for nil).
 

Thor

Honorary Master
Joined
Jun 5, 2014
Messages
44,236
I think the biggest mistake you're making, is that you're looking at it from a purely security/encryption perspective, rather than a trust perspective. SSL certificates aren't just about encryption, although that's their primary purpose. They're also largely about trust. You're an educated user, so you can work out which online stores to trust and which not to. The average person is not informed. Until now, SSL certs have been the best way for the average person to determine whether their money is safe being spent on an online store. With LE, that trust is largely going to fall away. There's no validation and absolutely every sod is going to have one. Logically, people are going to have to find new ways to determine they can trust the store, and that will happen with OV/EV certs and branded, authenticated, clickable site seals (sticking a LE logo on your website counts for nil).

No sir, trust is not the responsibility of an SSL certificate, it's a side effect. The SSL certificate has one job and that is to ensure your details are protected in transit by encrypting sensitive information, you can have the most expensive SSL certificate on earth and the web owner can still use your details with malicious intent.

Like I said the best visual cue you can give your users is the Green Lock that will have the effect of trust, however trust is built by reputation and many other outside factors. You cannot decide you trust a site based on a $700 SSL certificate.
 

chopsky

Expert Member
Joined
Oct 12, 2003
Messages
1,480
No sir, trust is not the responsibility of an SSL certificate, it's a side effect. The SSL certificate has one job and that is to ensure your details are protected in transit by encrypting sensitive information, you can have the most expensive SSL certificate on earth and the web owner can still use your details with malicious intent.

Yes, as I mentioned above, encryption is the primary purpose of the SSL. But like it or not, they have also become synonymous with trust. You and I both understand the purpose of an SSL, but we can't ignore the association they have with trust for the average Joe.

There's a reason many large online retailers will opt for a Thawte or Symantec SSL over a Comodo SSL, and it's not because they believe the one offers stronger encryption than the other, or because they just like paying more. They know the actual encryption is equal. But just like with everything else, certain CAs are better known than others, and it's all about making users feel 100% secure. Those store owners are thinking "If I spend just a little bit more on an SSL, I can slap a highly recognizable Thawte seal on my checkout and my company name in the address bar, and maybe, just maybe, that little bit of extra visible reassurance just might be enough to push a few more customers to convert." Like it or not, it's the truth.

Like I said the best visual cue you can give your users is the Green Lock that will have the effect of trust, however trust is built by reputation and many other outside factors. You cannot decide you trust a site based on a $700 SSL certificate.

Actually, the best visual cue you can give your users is a green address bar with your company name in it. It's a far far stronger visual cue than just a padlock. But I get that not everyone can or wants to shell out for an EV cert.
 