« The WRONG Way to Sell a $600 Phone Appropriate Uses of SSL in Web Applications »
Choosing the Right SSL Certificate
Posted June 16, 2006 – 10:52 am by Yakov Shafranovich in WebsiteWe are currently working on adding SSL support to my company’s flagship product. After I was unable to find an article clearing explaining how to choose an approriate certificate, I am writing down my own thoughts here.
PURPOSE OF SSL
Every developer should be aware that SSL encryption serves two distinct purposes which do not necessarily have anything to do with one another:
1. Encrypting the data so evesdroppers cannot see it (given that data travels across multiple servers, it is a prudent thing).
2. Authenticating that website secured by SSL is in fact owned by the company in question.
CHOICE OF CERTIFICATE
These two separate goals are accomplished differently. In order to encrypt data, it is sufficient to provide any SSL certificate in your web application. However, most browsers will display some form of a prompt to the user if the SSL certificate is not issued by a known certificate authority (tying directly into goal #2). For internal applications and those whose users are savvy enough to install certificates, you can easily use a self signed certificate which is free, but for most public facing web application, that is not enough.
In order to accomplish the second goal, browsers come with a set of certificate of certificate authorities that they trust, and by extension they trust anything issues by those authorities. But even here there are two choices as well as to what type of SSL certificate to use:
1. If you are simply looking for encryption of data, then the best choice would be a low or medium assurance certificate. These SSL certificate only certify that the domain in question is real and has been verified via email to the WHOIS contact. They range from $20 at GoDaddy to $189 to some high end registrars. They are also the quickest to get - you can usually get one issues in five minutes.
2. For most web apps however a high assurance certificate is necessary. These certificates are only issued after the owner’s information has been verified by checking government records, addresses and phone numbers. The advantage of these is that the company name, city, state and country is part of the certificate. Users can match the company name by clicking on the SSL icon in most browsers, thus accomplishing goal #2 and avoiding phishing. These certificates usually cost several hundred dollars.
WILDCARD CERTIFICATES AND COMPANY CAs
For management and convienance, there are also two more types of certificates. One is a wildcard certificate which can be used for any subdomain on a given website (which is useful if you have many servers). It is only a bit more expensive.
The last choice is really something only very large companies use - Company wide Certificate authorities. In this case, a company usually obtains a certificate that can be used to issue their own certificates - in essense becoming a certificate authority of its own. A variation on this, is a special account with a regular certificate authority that can issue company-wide certificates on demand. These are usually not a good choice for startups, and can run into thousands of dollars yearly.
BOTTOM LINE
For most startups and small companies, it is only necessary to get SSL certificates for public facing applications. For test and developments servers, as well as internal applications, self signed certificates can probably work just fine.
Even for public facing applications, in many cases a low assurance certificate is sufficient since you are simply trying to encrypt data. Eventually as your application becomes bigger, you can switch to a higher assurance certificate.
Of course, if your company has a phishing threat, a high assurance certificate is a must, and in some case some form of a specialized anti-phishing service might be needed.
Digg This Share This PostTags: certificate, security, ssl
Permalink | Trackback URL | This post has 474 Views
