SSL, Generic or Vanity

Discussion in 'Technical Corner' started by AdamZ, Mar 16, 2019 at 6:12 PM.

  1. AdamZ (Adam Zucker), Administrator, Management Council Member

    We want to get an SSL for our firm's website but not sure whether we need a vanity / private certificate or whether a free generic one from our hosting company will be good enough. Can someone explain the difference? Thoughts?
     
  2. dmspilot, En-Route

    You can get a free one for your domain from Let's Encrypt
     
  3. RJM62 (Geek On The Hill), Touchdown! Greaser!

    The difference is in the insurance and the extent of validation. Any certificate, including a self-signed one, will encrypt. Math is math, and that's all encryption comes down to in the end.

    A certificate a notch above, such as the ones provided for free with a cPanel license, will be recognized by browsers as being secure. But math is still math. Also, the free SSL certificate won't prove that your organization is who it claims to be. It validates the domain, not the organization.

    A more expensive certificate will verify your organization as well as your domain and will come with some liability protection. Generally, the more you pay, the more protection you'll have. But in terms of encryption, math will still be math.

    Given that you're a law firm, I think you probably should get an organization-validated certificate. But practically speaking, math is math.

    Rich
     
    Last edited: Mar 16, 2019 at 9:46 PM
  4. flyingron (FlyingRon), Touchdown! Greaser!

    There's a coalition of sponsors that fund the "Let's Encrypt" site. Absolutely free to you and as "good" of a certificate as you'll get anywhere.
    That's the one I put up the last time and I see no reason to go back.
    https://letsencrypt.org/
     
  5. RJM62 (Geek On The Hill), Touchdown! Greaser!

    Letsencrypt.org certificates are good enough for almost any site, as are the free ones available to anyone with cPanel hosting. They encrypt just as well and are accepted by nearly all Web browsers.

    There are a few cases, however, where the OV certificates make sense. I'd put law firms, banks, credit unions, brokerage houses, online backup sites, and other especially sensitive businesses in that group. Savvy users of those businesses will want to make sure the domain actually belongs to the organization they're looking for. Without OV, anyone can make a domain-verified mockup of a site on a similar domain and grab login credentials and other PII.

    The SSL cert business has been a racket for a long time. Free SSL certs have thrown a huge monkey wrench into that machine.

    Rich
     
  6. AdamZ (Adam Zucker), Administrator, Management Council Member

    So then does Let's Encrypt offer free vanity certificates for the domain, or are they like the generic free ones that my web host Digital Space offers, which I suspect would show as companyname.digitalspace.com? I also see that Digital Space requires that you renew the certificate every 90 days; is this standard for any SSL certificate?
     
  7. flyingron (FlyingRon), Touchdown! Greaser!

    First off, you need to use proper terminology. There's no such thing as a vanity certificate. There are self-signed certificates which, while you can kick SSL off with them, are the bottom of the trust ladder and worthless. Then you have the Domain Verified certificates like Let's Encrypt and some others. In order to verify you are the controller of the domain, typically they have you add odd strings to your domain name record that the certificate issuer looks at to verify that you do at least control the DNS of the domain. Then, as Rich points out, there are OV, which have a more human component (typically you provide a credit card or other item that is traceable back to you to show who you are). What your web hoster offers could be any of the three.

    My opinion is that 99% of the users (maybe more) wouldn't recognize the difference between the DV or OV if they saw it. All they care about is the browser showing the green lock.
     
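Added example (not part of FlyingRon's post, and not Let's Encrypt's or certbot's own code): the "odd strings" the issuer asks you to publish are not arbitrary. Under ACME (RFC 8555, the protocol Let's Encrypt speaks) the CA hands you a random token, and what you publish is derived from that token plus a fingerprint of your ACME account key (RFC 7638), so only the account that asked for the certificate can answer the challenge. The stdlib-only Python below computes the http-01 file and the dns-01 TXT record from those inputs and shows the check the CA's validator performs. The account key parameters and the token are constructed placeholders, not real key material.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME and JWK use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the ACME account key: SHA-256 over the required
    members only, sorted lexicographically, serialised with no whitespace.
    Optional members such as "alg" or "kid" are deliberately ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token || '.' || thumbprint: ties the published answer to the account
    key that requested the certificate, so a stray token alone proves nothing."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_challenge(token: str, jwk: dict) -> tuple:
    """Path and body the web server must serve over plain HTTP for http-01."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_challenge(identifier: str, token: str, jwk: dict) -> tuple:
    """Record name and TXT value for dns-01. The value is the base64url SHA-256
    of the key authorization, not the authorization itself. A wildcard name
    (*.example.com) is validated at _acme-challenge of the base domain."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{base}", b64url(digest)


def ca_accepts_dns01(txt_answers, identifier: str, token: str, jwk: dict) -> bool:
    """What the CA's validator does with the TXT answers it resolved: accept
    only if one of them is exactly the expected value."""
    _, expected = dns01_challenge(identifier, token, jwk)
    return expected in txt_answers


# Constructed sample account key and token (placeholders, not real key
# material; they only drive the computation).
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "alg": "ES256",
               "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
               "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # base64url, 128+ bits of entropy

if __name__ == "__main__":
    path, body = http01_challenge(TOKEN, ACCOUNT_JWK)
    print("http-01: serve", body, "at", path)
    name, value = dns01_challenge("*.example.com", TOKEN, ACCOUNT_JWK)
    print("dns-01 : publish TXT", name, "=", value)
```

Two things the code makes visible that the prose does not: the dns-01 record is a hash of the key authorization, so the TXT value on its own does not leak anything reusable, and the wildcard case is answered at the base domain, which is why Let's Encrypt only issues wildcards via dns-01.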
  8. dmspilot, En-Route

    Never heard of the term "vanity certificate", but I thought I answered that question in Post 3. And yes LE requires you to renew periodically but this can be automated.
     
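Added example (not part of dmspilot's post, and not certbot's own code): the renewal Adam asked about is automated by the ACME client (certbot installs a cron job or systemd timer that runs `certbot renew` twice a day, and that command only acts on certificates that are close to expiry). The stdlib-only Python below is the check behind that decision, reading the `notAfter=` line that `openssl x509 -noout -enddate -in cert.pem` prints; the 90-day lifetime and 30-day threshold are Let's Encrypt's lifetime and certbot's default, stated here as assumptions.

```python
from datetime import datetime, timedelta, timezone

# Let's Encrypt certificates live 90 days; certbot's default is to renew once
# fewer than 30 days remain (assumed defaults; adjust for other clients/CAs).
CERT_LIFETIME = timedelta(days=90)
RENEW_WHEN_LEFT = timedelta(days=30)


def utc(*fields) -> datetime:
    """datetime(...) in UTC, for readable construction of timestamps."""
    return datetime(*fields, tzinfo=timezone.utc)


def parse_openssl_enddate(line: str) -> datetime:
    """Parse `notAfter=Jun 14 18:12:00 2019 GMT` as printed by
    `openssl x509 -noout -enddate`. The day is space-padded ('Jun  4') for
    single digits, which strptime's whitespace handling tolerates."""
    _, _, value = line.strip().partition("=")
    naive = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z")
    return naive.replace(tzinfo=timezone.utc)


def renewal_window_opens(not_after: datetime) -> datetime:
    """First instant at which an automated `renew` run would act."""
    return not_after - RENEW_WHEN_LEFT


def renewal_status(not_after: datetime, now: datetime) -> dict:
    """Decision a renewal cron job makes: how long is left, has it already
    expired, and should it renew on this run."""
    remaining = not_after - now
    return {
        "days_left": remaining.days,
        "expired": remaining <= timedelta(0),
        "renew_now": remaining <= RENEW_WHEN_LEFT,
    }


if __name__ == "__main__":
    # Constructed sample: a cert issued the day this thread started.
    not_after = parse_openssl_enddate("notAfter=Jun 14 18:12:00 2019 GMT")
    now = datetime.now(timezone.utc)
    print("renewal window opens", renewal_window_opens(not_after).date())
    print(renewal_status(not_after, now))
```

Note that the check is against `notAfter`, not against the last issue date, so it still does the right thing after a manually re-issued certificate or a restored backup; the only state it needs is the certificate file itself.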
  9. mcmanigle (John McManigle), Pre-takeoff checklist

    Yes, the purpose of the math behind a certificate is to 1. allow for encrypted communications, and 2. establish trust of identity.

    - As Rich points out, any of them will do a fine job on encryption, unless you go out of your way to screw it up somehow.
    - Your ISP one will establish that you are indeed a customer of the ISP.
    - One from LetsEncrypt or similar services will establish that you are indeed the owner of the website.
    - A more expensive one will verify that you are in fact the real-life entity you claim to be. There are different levels here too: some will just verify that you own a credit card in that name, others will effectively do a corporate background check.

    For a law firm or financial business of any kind, I'd expect the latter. You can see how they appear differently on your browser right now. You should see some kind of lock icon for pilotsofamerica, because it's using a LetsEncrypt certificate. But if you go to www.bankofamerica.com or similar, your browser should show you some slightly more fancy verification icon that shows that it indeed belongs not just to "the webmaster of www.bankofamerica.com" but rather "Bank of America Corporation [US]".
     
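Added example (not part of John's or Rich's posts, and not any CA's or browser's code): the difference between the levels in posts 3 and 9 is visible in the certificate's Subject field, which is what a user has to read to tell "the webmaster of www.bankofamerica.com" from "Bank of America Corporation". This stdlib-only Python classifies a certificate the way the text describes: no organisation in the subject is DV, an `O=` is OV, and an `O=` plus the legal-entity fields the CA/Browser Forum EV Guidelines require (businessCategory, serialNumber, jurisdiction of incorporation) is EV. It works on the dict that Python's `ssl` module returns from `getpeercert()`; the three sample certificates are constructed for the example, and the attribute names are OpenSSL's long names as that module reports them (an assumption: some builds may show the jurisdiction attribute as a dotted OID instead). One caveat for anyone reading this later: the fancier address-bar indicator John mentions was removed from the major browsers later in 2019, so today the organisation name is only visible in the certificate viewer, which is exactly what this code reads.

```python
import socket
import ssl

# Subject attributes that the EV Guidelines require and that DV/OV certificates
# do not carry. Names are OpenSSL long names as ssl.getpeercert() reports them
# (assumption: the jurisdiction attribute, OID 1.3.6.1.4.1.311.60.2.1.3, may
# appear in dotted form on some builds; add that string here if it does).
EV_ONLY_FIELDS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}


def subject_attributes(cert: dict) -> dict:
    """Flatten getpeercert()'s subject, a tuple of RDNs each holding
    (attribute, value) pairs, into a plain dict."""
    attrs = {}
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            attrs[name] = value
    return attrs


def validation_level(cert: dict) -> str:
    """DV: the subject names only the domain. OV: an organisation was vetted
    and placed in O=. EV: OV plus the legal-entity fields EV requires."""
    attrs = subject_attributes(cert)
    if "organizationName" not in attrs:
        return "DV"
    if EV_ONLY_FIELDS.issubset(attrs):
        return "EV"
    return "OV"


def identity_statement(cert: dict) -> str:
    """What the certificate actually vouches for, in words."""
    attrs = subject_attributes(cert)
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    who = attrs.get("organizationName", "whoever controls the domain")
    return f"{validation_level(cert)}: {who} for {', '.join(names) or attrs.get('commonName', '?')}"


def fetch_peer_cert(host: str, port: int = 443) -> dict:
    """Live lookup (needs network): the dict form of a server's leaf certificate,
    verified against the system trust store like a browser would."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() dict form (not real certs).
DV_CERT = {
    "subject": ((("commonName", "www.example-law.com"),),),
    "subjectAltName": (("DNS", "www.example-law.com"), ("DNS", "example-law.com")),
}
OV_CERT = {
    "subject": ((("countryName", "US"),), (("stateOrProvinceName", "Pennsylvania"),),
                (("organizationName", "Example Law LLC"),),
                (("commonName", "www.example-law.com"),)),
    "subjectAltName": (("DNS", "www.example-law.com"),),
}
EV_CERT = {
    "subject": ((("jurisdictionCountryName", "US"),), (("businessCategory", "Private Organization"),),
                (("serialNumber", "1234567"),), (("countryName", "US"),),
                (("organizationName", "Example Bank Corporation"),),
                (("commonName", "www.example-bank.com"),)),
    "subjectAltName": (("DNS", "www.example-bank.com"),),
}

if __name__ == "__main__":
    for cert in (DV_CERT, OV_CERT, EV_CERT):
        print(identity_statement(cert))
    # For a real site: print(identity_statement(fetch_peer_cert("www.bankofamerica.com")))
```

The point the classifier makes concrete: a DV certificate's identity statement is "whoever controls the domain", which is all a look-alike domain needs, so the OV/EV distinction Rich draws for law firms and banks is about the `O=` line, not about stronger encryption.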
  10. flyingron (FlyingRon), Touchdown! Greaser!

    Note that POA has a let's encrypt certificate too.
     
  11. EdFred (Ed Frederick), Touchdown! Greaser!, PoA Supporter

    Any suggestions for a wildcard domain SSL certificate? I have my main domain and two subdomains that I want to get certified but no clue who to go with or how much I should or should not be paying.
     
  12. JScarry, Pre-takeoff checklist

    Not sure about wildcards, but Let’s Encrypt will let you have as many sub-domains as you want and will let you use the same certificate for multiple domains that point to the same content. It’s a simple command where you just string together all the domains that you want to use the same certificate. You can change it at any time as well.

    e.g.

    Code:
    sudo ./certbot-auto certonly --cert-name mydomain.com -d www.mydomain.com,myreallylongdomainname.com,subdomain.myreallylongdomainname.com
     
  13. EdFred (Ed Frederick), Touchdown! Greaser!, PoA Supporter

    I think I also need/want the validation (CC info) which letsencrypt doesn't seem to provide. I also don't want to mess with having to renew it every 90 days.
     
  14. RJM62 (Geek On The Hill), Touchdown! Greaser!

    I haven't needed one in a while, but the last time I did, this was one of the better deals: https://www.ssls.com/ssl-certificates/comodo-premiumssl-wildcard . There may be better deals now.

    I don't think your business needs the EV certificate, personally. It certainly can't hurt, especially if you deal with government agencies or large corporations; but I wouldn't classify your business as one that actually needs an OV or EV certificate.

    Rich
     
  15. RJM62 (Geek On The Hill), Touchdown! Greaser!

    The certificate wouldn't convert your domain to a subdomain. Or at least it shouldn't. But either a free certificate or a purchased certificate should validate your domain, not the hosting company's. The only difference in cost should be for the certificate itself. It takes minutes to install an SSL cert no matter what type it is. It just requires pasting some text and making an entry in the server configuration files or in the .htaccess file (in Apache) to redirect http requests to https.

    The difference between the DV and OV (or EV, which is even more thoroughly vetted) certificate can be seen in the SSL information for this site, in the attached picture.

    [attached image: ssl.jpg]

    For 99 percent of sites, I don't think it makes a difference whether organizational ownership is verified. I do think law firms are in the one percent of exceptions that really should have OV. (I think EV is probably overkill for a law firm.)

    Rich

    EDIT: If you maintain your own site, the .htaccess entry would be something along the lines of

    Code:
    RewriteEngine On
    # Only fire for requests that did not arrive over TLS
    RewriteCond %{HTTPS} off
    # Send the same host and path over https with a permanent (301) redirect
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    and should appear above other redirects, except those from parked domains. The protocol for the target pages for any ErrorDocument declarations or other redirects should also be changed from http to https.
     
    Last edited: Mar 18, 2019 at 8:50 AM
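Added example (not part of Rich's post, and not Apache's own tooling): the two conditions Rich attaches to the redirect, that it sits above other redirects and that ErrorDocument and redirect targets no longer say http://, are easy to get wrong when a site has accumulated rules, and a wrong order means some paths are served over plain HTTP or bounce twice. The stdlib-only Python below lints an .htaccess for exactly those points, plus a missing `RewriteEngine On` and a temporary (302) instead of permanent redirect. The two sample files are constructed for the example; the "parked domain" exception in the post cannot be detected mechanically, so the lint just mentions it in its finding.

```python
import re
import sys

HTTPS_COND = re.compile(r"^RewriteCond\s+%\{HTTPS\}\s+(?:off|!on|!=on)\s*$", re.I)
REWRITE_RULE = re.compile(r"^RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)
REDIRECT = re.compile(r"^Redirect(?:Match|Permanent|Temp)?\b.*\s(\S+)\s*$", re.I)
ERROR_DOC = re.compile(r"^ErrorDocument\s+\d{3}\s+(\S+)", re.I)


def lint_htaccess(text: str) -> list:
    """Return a list of findings (empty means the file follows the advice above)."""
    findings = []
    engine_on = False
    cond_pending = False      # a `RewriteCond %{HTTPS} off` awaits its RewriteRule
    https_rule_line = None    # line of the http->https RewriteRule once seen
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"RewriteEngine\s+on$", line, re.I):
            engine_on = True
        elif HTTPS_COND.match(line):
            cond_pending = True
        elif (m := REWRITE_RULE.match(line)):
            target = m.group(2)
            flags = {f.strip().upper() for f in (m.group(3) or "").split(",") if f.strip()}
            if cond_pending:
                # RewriteCond applies to the next RewriteRule: this is the HTTPS redirect
                https_rule_line, cond_pending = n, False
                if not target.lower().startswith("https://"):
                    findings.append(f"line {n}: HTTPS redirect does not send the client to an https:// URL")
                if not flags & {"R=301", "R=PERMANENT"}:
                    findings.append(f"line {n}: HTTPS redirect is not permanent; use [L,R=301]")
            elif https_rule_line is None:
                findings.append(f"line {n}: RewriteRule runs before the HTTPS redirect; "
                                "move the HTTPS redirect above it (parked-domain redirects excepted)")
        elif (m := REDIRECT.match(line)):
            if https_rule_line is None:
                findings.append(f"line {n}: Redirect runs before the HTTPS redirect; "
                                "move the HTTPS redirect above it (parked-domain redirects excepted)")
            if m.group(1).lower().startswith("http://"):
                findings.append(f"line {n}: Redirect target still uses http://")
        elif (m := ERROR_DOC.match(line)):
            if m.group(1).lower().startswith("http://"):
                findings.append(f"line {n}: ErrorDocument target still uses http://")
    if https_rule_line is None:
        findings.append("no http-to-https redirect (RewriteCond %{HTTPS} off followed by a RewriteRule) found")
    elif not engine_on:
        findings.append("RewriteEngine On is missing, so the RewriteRule will not run")
    return findings


# Constructed sample files: one following the advice, one with the usual mistakes.
GOOD_HTACCESS = "\n".join([
    "RewriteEngine On",
    "RewriteCond %{HTTPS} off",
    "RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]",
    "RewriteRule ^old-page$ /new-page [R=301,L]",
    "ErrorDocument 404 https://www.example.com/404.html",
])
BAD_HTACCESS = "\n".join([
    "RewriteEngine On",
    "RewriteRule ^old-page$ /new-page [R=301,L]",          # runs before the HTTPS redirect
    "ErrorDocument 404 http://www.example.com/404.html",   # still plain http
    "RewriteCond %{HTTPS} off",
    "RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=302]",  # temporary, not 301
])

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BAD_HTACCESS
    print("\n".join(lint_htaccess(text)) or "no findings")
```

Run it as `python lint_htaccess.py /path/to/.htaccess`; with no argument it lints the constructed bad sample and reports three findings.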
  16. flyingron (FlyingRon), Touchdown! Greaser!

    I've used Thawte in the past.