HTTPS question

Discussion in 'Getting started' started by Randy, Mar 21, 2016.

  1. Hello,

    I have an MVC site and need to use HTTPS. We are a SaaS website, though currently all of our clients receive a traditional invoice -- no credit cards. Currently we house a lot of proprietary client information -- protecting that is the reason for HTTPS. At a later time we expect to have ecommerce as well as more sensitive information such as SSNs.

    After reading about SNI versus IP-based, on balance SNI seems like a better fit for us. For starters we plan to choose the basic DV certificate.

    I would appreciate any feedback from the community on these questions:
    • Anyone disagree with the choice of SNI over IP-based?
    • There is a wide variety in the annual price for DV certificates, in my research from $29 (RapidSSL) to $399 (Norton). Besides the name, what does that extra money get you?
    • The certificate vendors offer warranties in varying amounts. The warranty amount seems to be roughly commensurate with the certificate price. What event would cause them to pay out?
    Thank You!

    Randy
     
  2. Takeshi, Everleap staff

    For most cases, SNI SSL will be fine. For those expecting to have a lot of users that will be using old Windows XP browsers, then you'll need IP-based SSL. And IP-based SSL is needed if you need to pass PCI scans.

    The encryption between the certs is the same. The additional costs go into the level of business verification, features and the warranty. The cheaper certs will verify sites with a simple email exchange so will be done quickly. With more expensive certs, you'll need to submit documentation - like DBA, incorporation docs...etc. to prove you are a business - so it's a manual process that can take days. As for features, the EV certs will change the color of the browser URL bar as a visual indication of a secure page - not just the small lock icon. Wildcard certs allow you to secure *.domainname.com - rather than one specific URL.

    As for warranties - it is a little confusing. Basically, it is supposed to provide your end users with peace of mind. The vendor offers your end users protection for their purchases up to the warranty amount. It puts the SSL vendor on the hook for validating the SSL cert. In all honesty, I don't know anyone that has used the warranty. You'll need to decide if this is an important factor or not.
     
  3. Thank you very much for this information.
     
  4. mjp

    You may want to be prepared for it to take weeks, so plan ahead if you're going that route.
     
  6. Randy, three years ago I struggled with the decision to continue the use of IP-based SSL certificates or move them to SNI. After doing some research, we moved all of our clients to SNI. We did not experience any issues--not one--from a user. Recall, lots of sites use SNI today, so the user of an older machine will experience issues with numerous sites, not just yours using SNI. We’re glad we made the switch. And our PCI scans work fine, passing quarterly.
     
