What would be the best practices to support the following case.
We have a SaaS that needs to supports custom domains under SSL for unlimited companies.
I've read that there are MD certificates that we can buy to support this case but wanted to understand if we can have an unlimited number of domains.
What type of certificates, from your experience, would be most appropriate for this scenario?
Thank you.
Related
I have an online shop and I've just installed a new SSL certificate and it was free. It does seem too good to be true. I'm a very cynical type of person.
I don't know about different types of SSL, but I just need to be able to accept payment data (I'm using a PayPal add-in on Opencart).
I got my certificate from letsencrypt and they don't explain much on there website.
But if you go to my website Gwenllian-retail you will see the certificate. Can I handle financial transactions with that?
If not what type of SSL do I need?
One does not need much money or complicated software to create valid SSL certificates. I could create my own with ease, if I wanted. In fact, I have done. There is no reason to think that LetsEncrypt certificates are somehow of a wrong kind.
The question is whether people will trust those certificates, and that comes back to whether they trust the Certificate Authority (CA) that signed them. If I sign my own certificate and present that to someone as proof of my identity then that other party has no more reason to trust that the data within accurately identify me than if I just told them directly.
LetsEncrypt serves as the CA for SSL certificates it provides. I have never relied on them for a certificate, but according to hosting company DreamHost, LetsEncrypt certificates are trusted by all major browsers. (LetsEncrypt makes the same claim about itself, too.)
Again, all this trust business is mostly about authentication: whether the entity that presents the certificate (your web site) is really the entity that it says it is. It is not about the nature or quality of the encryption with which the session is secured. That comes down to the capabilities of the two endpoints, and is largely independent of the certificate.
Let's Encrypt is a well known service backed up by many big players. So yes, it's OK to use it in on your site. BUT ! SSL certificate is not everything, it's only one of many shields to protect you application.
I'm looking to buy SSL certificate for PWA.
The domain is bought from godday, where I checked a couple of options:
https://in.godaddy.com/web-security/ssl-certificate?isc=sshl6in01
https://www.comodo.co.in/ssl-certificates
They have got multiple types of certificates.
Which one is best suited for PWA?
In my case, the app takes the user name and number and saves them in the DB, and it also shows some data from DB to the user.
Service workers, as part of PWAs, do not need special SSL certificates to work. They simply need a working secure connection (HTTPs).
There are many hosting platforms offering already a SSL certificate out of the box. Of course it depends on your requirements and constrains about hosting providers. However if you are free in the choice of the hosting solution, I would suggest to start with a simple solution. This as general advice, also in line with what Paul suggested in his comment.
Firebase hosting is an example (here more details on how to use a custom domain):
I am developing a site for a school which will allows students to make an application using PIN and Serial No. I chooses Godaddy to Host the site on Ultimate plan, so is it necessary for me to include Standard SSL for the hosting plans since am using PINS or Standard SSL is meant for secure transanctions that includes using Credit cards?
Do you need SSL?
I assume that said applications will contain personal data, so your web application should use SSL to prevent third parties (such as other people on the same insecure wireless network as the student) from accessing that data. Depending on your jurisdiction, you may also be required by law to enable SSL.
Do you need GoDaddy Standard SSL?
From a quick look, it appears that the product you are referring to is a domain-validated certificate (i.e. they only verify that you own the domain, not that you are who you say you are). You can get those significantly cheaper elsewhere, and if you launch after mid-November, you can get a free one with automatic renewal from the Let's Encrypt project.
You should also check if you can get a certificate from your school. If your application will be hosted under a domain that is already being used for the school, they may have an existing certificate that you can use. Some schools (e.g. most German universities) also have their own certificate authorities which can issue SSL certificates for arbitrary websites.
If you get your certificate from GoDaddy as well, you pay more for the convenience of not having to learn as much.
I would like to set up a login area for my clients at my web site that is on a shared hosting server.
I do not currently have a dedicated IP or SSL certificate.
Is there an alternative way to safely and securely handle logins and other sensitive information I may want to collect without the expense of a dedicated IP and SSL certificate?
From a practical standpoint, the answer is that you need to use SSL/TLS. It is the industry standard and is well-known and (implemented properly) provides good security. While it is theoretically possible to write your own encryption and security protocols, it will almost certainly have flaws and holes that can be easily exploited.
To the best of what I know, anything without TSL/SSL would imply "cleartext" communication between your client and your server application - that would mean anyone can monitor the traffic to get sensitive information or impersonate an attack.
Is there an alternative way to safely and securely handle logins and other sensitive information I may want to collect without the expense of a dedicated IP and SSL certificate?
No.
I'm writing a billing module for a startup i'm working on. It's my first time buying an SSL cert. I only need a cert for a single domain. Is the standard SSL cert from godaddy ($29.99/yr) all that I need?
I plan to get an authorize.net compatible merchant account and didn't know if they would require the deluxe or premium certs. I'm side strapping this business so I'm trying to do it on the cheap. Thanks
Different certificates sold through the lucrative business of Certificate Authorities carry different price tags, for a few reasons. The most noticeable to clients visiting your web site is how much information the CA decided to "assure", based on how much you paid.
If you could convince your clients that a self-signed certificate has indeed not been compromised, and guarantees no eavesdropping-on-the-internet, then you could get away with $0 certificate cost.
However, users want more than that.
The GoDaddy standard certificate offers domain validation. GoDaddy is recognized by browsers, and will tell your clients that yes, we issued this certificate to https://billing.yourhost.domain, and if you see a website called https://webstore.yourhost.domain using the same certificate, there will be an error in the validation.
Depending on your needs to give client assurance, you may require/desire a certificate for which GoDaddy or another provider will validate a point-of-contact with a business so that when I visit https://billing.washingtonwidgets.com, I can see that this Web site is registered to "Washington Widgets, Ltd.", as opposed to someone who can buy a DNS name for $5 and open up https://paymeinstead.therealwashingtonwidgets.com. This is more "assurance" against spoofers. A spoofer may be able to get a domain validated certificate for a web site which carries a similar name to yours. This extra "assurance" costs more, and several large companies will back the assurance with a warranty, too.
A new type of SSL called EV SSL is marketed to represent one of the highest levels of assurity, and browser vendors are participating in presenting notification to users in a clear manner when a site uses an EV SSL certificate.
An aside from SSL: Now, do you need your own site to be secure? Or can you write a billing module and send a ticket off to a third party ticket billing site such as PayPal, authorize.net, etc. The term you want to look for is payment gateway. Often times these services will charge a small commission, instead of a yearly premium for a similar, but different kind of assurance. They usually offer API's that you can link through your application to create an end-to-end billing experience.
You need to buy a cert from a trusted root authority for your specific domain. I would talk to your hosting provider, as they will need to install the cert etc and may have a mechanism in place for you to go and buy one.
If you're really trying to do it on the cheap, I would def recommend paypal or any other similar service over rolling your own.
Edit: Also, this isn't programming related, maybe something along the lines of "What would a low cost, easy to implement, billing solution be?"