SSL Cert for online site

[Thor]

Yes, as I mentioned above, encryption is the primary purpose of the SSL. But like it or not, they have also become synonymous with trust. You and I both understand the purpose of an SSL, but we can't ignore the association they have with trust for the average Joe.

There's a reason many large online retailers will opt for a Thawte or Symantec SSL over a Comodo SSL, and it's not because they believe the one offers stronger encryption than the other, or because they just like paying more. They know the actual encryption is equal. But just like with everything else, certain CAs are better known than others, and it's all about making users feel 100% secure. Those store owners are thinking "If I spend just a little bit more on an SSL, I can slap a highly recognizable Thawte seal on my checkout and my company name in the address bar, and maybe, just maybe, that little bit of extra visible reassurance just might be enough to push a few more customers to convert." Like it or not, it's the truth.



Actually, the best visual cue you can give your users is a green address bar with your company name in it. It's a far far stronger visual cue than just a padlock. But I get that not everyone can or wants to shell out for an EV cert.

Makes 100% sense what your saying, BUT then you are not selling SSL certificates for the security in mind you are telling your clients to buy a paid for SSL for the perception.


Nothing wrong with that, I just wanted to make it clear that no paid for SSL has anything over LE, however from a perception point of view yes the "Brand" of the paid for SSL will be more recognized to your users than a LE padlock would.

 

[chopsky]

As someone who runs an online retail store, I can tell you that I've done whatever I possibly can to ensure that my conversion rate is maximized, from optimizing the checkout process to the max, to making customers feel as absolutely comfortable with the process as possible. Some people are happier saving a few Rands. That's cool. Each to their own. I'm not one of them.

 

[Thor]

As someone who runs an online retail store, I can tell you that I've done whatever I possibly can to ensure that my conversion rate is maximized, from optimizing the checkout process to the max, to making customers feel as absolutely comfortable with the process as possible. Some people are happier saving a few Rands. That's cool. Each to their own. I'm not one of them.

I'm not disputing that it's a different topic all together

You where pushing perception of trust as your motive here and I was pushing security in this LE vs Paid debate.

So we both agree that security LE vs Paid is the same.

And we both agree perception of trust Paid will trump LE.

I think that is what the confusion was between us.

 

[chopsky]

Makes 100% sense what your saying, BUT then you are not selling SSL certificates for the security in mind you are telling your clients to buy a paid for SSL for the perception.


Nothing wrong with that, I just wanted to make it clear that no paid for SSL has anything over LE, however from a perception point of view yes the "Brand" of the paid for SSL will be more recognized to your users than a LE padlock would.

Yeh, I run a number of online stores. I've come to learn that it's all about perception. People are simply not educated when it comes to online security. They value the extra reassurance, whatever form it takes. A few more Rands for a few more conversions - no big deal.

 

[chopsky]

I'm not disputing that it's a different topic all together

You where pushing perception of trust as your motive here and I was pushing security in this LE vs Paid debate.

So we both agree that security LE vs Paid is the same.

And we both agree perception of trust Paid will trump LE.

I think that is what the confusion was between us.

Oh absolutely, I wouldn't dispute that the encryption/security of either is superior. Would never make the assertion that a paid SSL is superior in that way.
On a branded DV SSL vs LE SSL match-up, you're basically paying a small fee for the site seal/added trust & the warranty (although highly unlikely you'll need to use it, but not completely unheard of).
Or if you have a bit more moolah (and a registered company), you're buying an EV cert for even more reassurance.
Of course paid Wildcard & Multi-Domain SSLs are a different story.

 

[DorothyHerman]

You have two options either go for single domain ssl certificate or ev ssl certificate for your online selling business.

I would like to suggest that as this is your new venture therefore don't waste too much money at this time and go for single domain SSL certificate. In future, when your business will expand then at that time you should switch to EV SSL certificate.

This blog post will help you to get trusted SSL providers and in-fact discount deals too.

 

[shadow_man]

If you have experience

Let's encrypt


Otherwise ask your host for a Comodo one.

CAN PEOPLE STOP RECOMMENDING LETS ENCRYPT FOR ONLINE SHOPS.

It doesn't come with any insurance (which paid certs do) and is thus totally useless for any platform that is accepting payment online.

As jy dom is moet jy ***.

RANT OVER.

 

[IndigoIdentity]

CAN PEOPLE STOP RECOMMENDING LETS ENCRYPT FOR ONLINE SHOPS.

It doesn't come with any insurance (which paid certs do) and is thus totally useless for any platform that is accepting payment online.

As jy dom is moet jy ***.

RANT OVER.

And what might I ask is the benefit of insurance if you are making use of an external payment processor like Payfast which would implement their own SSL on the processor its self?

Also, bearing in mind that almost all payment processors for small stores are external, what might the benefit of paid SSL be for a smaller online store?

I think the only benefit here would be peace of mind for the non-technical customers as they would not understand the technicalities that are involved but in terms of customer security I would worry more about how you secure access points into the server or database than which SSL is used.

 

[shadow_man]

And what might I ask is the benefit of insurance if you are making use of an external payment processor like Payfast which would implement their own SSL on the processor its self?

Also, bearing in mind that almost all payment processors for small stores are external, what might the benefit of paid SSL be for a smaller online store?

I think the only benefit here would be peace of mind for the non-technical customers as they would not understand the technicalities that are involved but in terms of customer security I would worry more about how you secure access points into the server or database than which SSL is used.

Fair point - if an external vendor is doing the payments then that's one less issue (provided nothing happens on the client side AND you do EVERYTHING on the payment vendors site - this isn't always the case though)

I personally wouldn't take the risk.

Any legal issue pops up and you're screwed. It's not worth it to take the risk when the yearly fee is so small.

Penny wise, pound foolish.

 

[IndigoIdentity]

Fair point - if an external vendor is doing the payments then that's one less issue (provided nothing happens on the client side AND you do EVERYTHING on the payment vendors site - this isn't always the case though)

I personally wouldn't take the risk.

Any legal issue pops up and you're screwed. It's not worth it to take the risk when the yearly fee is so small.

Penny wise, pound foolish.

Fair enough but what risk are you actually taking exactly? You mention legal issues that may pop up, well what possible legal issues would exist that cover this? I am asking out of interest sake here.

I truly understand the value in a companies image and how it comes across to it's customers and how this can help them to grow but do not agree with the rhetoric as some of the most successful people in the world are extremely calculate when it comes to how they will spend money.

There's so many other things for someone who is asking a question like this to worry about first before they can even make a sale, getting paid SSL (you'd need one that covers two domains, www and non www) is just another expense to worry about and in my opinion it's not entirely necessary as you can grow without it to the point where you could splash out and get a nice E.V. cert for your domain.

It depends on the circumstances really but I think in this case going with LE would be fine given you're not doing processing of payments on site.

 

[Thor]

CAN PEOPLE STOP RECOMMENDING LETS ENCRYPT FOR ONLINE SHOPS.

It doesn't come with any insurance (which paid certs do) and is thus totally useless for any platform that is accepting payment online.

As jy dom is moet jy ***.

RANT OVER.

Insurance for what exactly?

Your not handling their payments that's on a third-party not you. It would be pretty reckless if you roll your own.

LE it is.

 

[Thor]

Ahh I see others beat me to it

 

[SBSP]

CAN PEOPLE STOP RECOMMENDING LETS ENCRYPT FOR ONLINE SHOPS.

It doesn't come with any insurance (which paid certs do) and is thus totally useless for any platform that is accepting payment online.

As jy dom is moet jy ***.

RANT OVER.

Leave e'm let them learn, Free services sooner or later will come back to bite.

 

[Thor]

Leave e'm let them learn, Free services sooner or later will come back to bite.

How, how will LE come back and bite, please elaborate.

 

[chopsky]

Insurance for what exactly?

Your not handling their payments that's on a third-party not you. It would be pretty reckless if you roll your own.

LE it is.

I think he means a warranty, not insurance. Many e-commerce sites accept credit card payments directly on their own website without having to redirect to an external payment gateway's payment page. If you use your gateway's own payment page to accept CC information, then you're using their SSL, and so you'd make use of their warranty in the very unlikely event that it breaks. If you accept their payment information on your own site at checkout, then the need for having an SSL (with warranty) falls on you.

 

[Fulcrum29]

How, how will LE come back and bite, please elaborate.

The only real challenge that ISRG may run into is to have their trusted SSL become untrusted by search engines.

 

[SBSP]

How, how will LE come back and bite, please elaborate.

Elaborate this elaborate that.

 

[Thor]

Elaborate this elaborate that.

Okey troll detected moving on.

 

[Thor]

The only real challenge that ISRG may run into is to have their trusted SSL become untrusted by search engines.

ISRG?

 

[Fulcrum29]

ISRG?

https://letsencrypt.org/

Let’s Encrypt is a free, automated, and open certificate authority brought to you by the non-profit Internet Security Research Group (ISRG).