Hello, I have an MVC site and need to use HTTPS. We are a SaaS website, though currently all of our clients receive a traditional invoice -- no credit cards. Currently we house a lot of proprietary client information -- protecting that is the reason for HTTPS. At a later time we expect to have ecommerce as well as more sensitive information such as SSNs.

After reading about SNI versus IP-based, on balance SNI seems like a better fit for us. For starters we plan to choose the basic DV certificate. I would appreciate any feedback from the community on these questions:

1. Anyone disagree with the choice of SNI over IP-based?
2. There is a wide variety in the annual price for DV certificates, in my research from $29 (RapidSSL) to $399 (Norton). Besides the name, what does that extra money get you?
3. The certificate vendors offer warranties in varying amounts. The warranty amount seems to be roughly commensurate with the certificate price. What event would cause them to pay out?

Thank You!
Randy

For most cases, SNI SSL will be fine. For those expecting to have a lot of users that will be using old Windows XP browsers, you'll need IP-based SSL. And IP-based SSL is needed if you need to pass PCI scans.

The encryption between the certs is the same. The additional costs go into the level of business verification, features and the warranty. The cheaper certs will verify sites with a simple email exchange, so they will be done quickly. With more expensive certs, you'll need to submit documentation (like DBA, incorporation docs, etc.) to prove you are a business, so it's a manual process that can take days.

As for features, the EV certs will change the color of the browser URL bar as a visual indication of a secure page, not just the small lock icon. Wildcard certs allow you to secure *.domainname.com rather than one specific URL.

As for warranties, it is a little confusing. Basically, it is supposed to provide your end users with peace of mind. The vendor offers your end users protection for their purchases up to the warranty amount. It puts the SSL vendor on the hook for validating the SSL cert. In all honesty, I don't know anyone that has used the warranty. You'll need to decide if this is an important factor or not.

Thanks for your reply, mjp. We purchased the basic RapidSSL cert and this looks like it will meet our needs for now. It was inexpensive and gets us going with https. For others interested I found a succinct guide to the needed code changes for MVC here: http://tech.trailmax.info/2014/02/implemnting-https-everywhere-in-asp-net-mvc-application/ So far it all seems to be working...
Randy, three years ago I struggled with the decision to continue the use of IP-based SSL certificates or move them to SNI. After doing some research, we moved all of our clients to SNI. We did not experience any issues--not one--from a user. Recall, lots of sites use SNI today, so the user of an older machine will experience issues with numerous sites, not just yours using SNI. We’re glad we made the switch. And our PCI scans work fine, passing quarterly.