SSL - A Couple Of Specific Questions

Thanks for your informative and comprehensive response, Eric.

 

Hi Group

I'm looking to implement SSL and have been doing lots of reading in the forums and knowledge base, but I've got some conceptual black holes to clear up before I jump in. Hopefully some knowledgable readers here will be able to enlighten me.

1) If I apply SSL to my account, does that mean that ALL pages on the site/account/domain have the potential to be secure?
2)Assumingthe above is true (all pages are affected), would ALL pages on the domain be accessable with both a http:// AND a https:// prefix?- if accessed with httpS they'dbe encrypted and with httpthey wouldn't?
3) The certificate providers that everyone seems to mention are Verisign & geo something. Does 1 have a particular benefit over the other?

Thanksto anyone who will help clarify any of these points for me.

PeteB

 

No expertise here, just my limited experience and a question.


I just implemented SSL and thanks to DiscountASP it was pretty easy.


When shopping around for certs they cost hundreds of dollars everywhere I looked, but it was $20/year at godaddy.


I was mainly interested in securing the information in transit so all I needed was an SSL implementation and I didn't care where it came from.


My question is this: How or whodoes the extra verification help? Are there any users (besides the very most technical people) that even check a website's certificate? I've found that most users aren't even aware of whether or not they are using SSL. They don't notice the https or the lock icon. If there's something on the page that says it's secure, they'll decide whether or not to trust them based on the look of the page. I can't believe that anyone in the general public would ever actually check a certificate.


If anyone can point out something I'm missing or something I don't understand, please educate me.


Thanks.

 

Hi


From a purely consumer perspective, I ALWAYS look for the https and lock before I put any info of value into a web browser. If that doesn't appear very early in the transaction I don't proceed.


From my reading on the subject it seems that one of the major differences between expensive and inexpensive certificates is the level of encryption provided; i.e., 40 bit is low and inexpensive, and 128 is high and more expensive. As a consumer I probably wouldn't generally stop to check which level of encryption (40 or 128 bit) a web-vendor was supporting before making a purchase unless other warning bells like a dodgey looking site or dubious claims were also present; although if the web-vendor had these attributes I'd probably be hesitant before proceeding with a transaction regardless of their level of encryption.


Again as a consumer, I generally wouldn't be swayed about making a purchase or not simply because a site had a particular certificate insignia on it. I imagine that a very high percentage of the e-commerce buying publicWOULD NOTbe aware or be swayed from using a site because of the particular certificates employed.


Perhaps the thing to do is contact godaddy and see who is using their certificates and then visit their sites to see if they look like web-vendors you'd trust. I'd be really interested to see how they stackup as I may well be in a similar position to you in a month or two.


Like most types of insurance, I guess the rule should be to get the best quality (highest encryption and consumer confidence) that can be afforded.


Good luck!

 

Generally noone checks certificates, and unless you're a bank, nobody checks the encryption level either.

Thats usually why people go with the cheapest certs out there.


Joel Thoms
DiscountASP.NET
http://www.DiscountASP.NET