Tim Allen on 10 Jul 2013 06:15:54 -0700


Re: [PLUG] https Certificates Question

While you're shopping, also consider whether a wildcard certificate would be in order. For example, if you own python.org, a wildcard certificate would cover docs.python.org, developers.python.org, pip.python.org, etc. It can save you a lot of money down the road if you plan to have a lot of subdomains. This was especially helpful to us in a University setting; we now get a wildcard cert for 3 years rather than single year certs. It saved us a ton of money by only having to update our certs every three years instead of every year, not to mention being able to use the same cert across the organization, and avoiding the purchasing process as well for each sub-domain. That was a huge time sink for us.

As for XP/IE6, W3Schools only sees 0.1%, but take that with a grain of salt considering the web site's audience:

We regularly examine our own logs so we cater to our users, and we see 2-3% usage depending on the month. Most of these computers seem to be in University labs, where the user has no control over upgrading browsers.



On Wed, Jul 10, 2013 at 8:36 AM, Jonathan Simpson <jonathan@jdsnetwork.com> wrote:
If you're worried about IE users, make sure you test in IE6/xp if possible as well. It may not be as up to date as far as having certs included, and there are sadly still a lot of users running it.

On 7/10/2013 8:34 AM, Mail List wrote:
On Wed, 10 Jul 2013 07:40:45 -0400, David Coulson <david@davidcoulson.net>
On 7/10/13 7:35 AM, Mail List wrote:
I need to set up one of my apache web servers as a secure server with
https protocol.

I'm wondering about the costs and potential pitfalls in doing so.
What is the business case for SSL? Not to say you do it no matter the
cost, but in general if you need SSL there is justification to pay for
the cert.
I'm writing a web application that will have personal data.  The user will
log in with a password, and then enter data of a personal nature into forms
on the web page.

My user base will be very unsophisticated, so any type of scary
"certificate may not be valid" popup message would be unacceptable.   I
don't care about the groovy logo, since that won't drive any sales revenue.

Basically, I need to safeguard customer's data, and make the safeguarding
transparent to them.

So I guess I'll start with one of the free certificates (startssl.com or
comodo.com) and see how they work.  If I don't get any scary messages when
using IE, I'm probably good to go.

Thanks to all for the comments and help!

A quick web search has found that commercial certificates from the "big
guys" are around $250/year.  However, I see that CAcert offers
for free.
CAcert isn't a universally trusted certificate authority, as they have
not gone through the same certification/auditing process as the large
commercial vendors. In general, I would never run anything production
using their certificates.
Can anyone point me to a good primer/reference for this, or let me know
how you fared establishing a secure web server?

I just buy certificates from Verisign (now Symantec). Maybe $500/yr for
a 'normal' cert, but never had any issues.

There is a smaller vendor - startssl.org - who offer free certificates,
but not sure how widely they are supported. Comodo keep trying to sell
me stuff, and they are pretty cheap - Think they got compromised a while
ago, so we've avoided them.

Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
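
An added example, not part of the original thread: a minimal sketch of how a client decides whether a wildcard certificate covers a hostname, using the python.org names from the message above. It assumes the common RFC 6125 matching rules (the wildcard is the whole leftmost label and stands for exactly one label); the function names and the SAN lists are constructed for illustration.

```python
# Added example: wildcard certificate name matching under the common
# RFC 6125 rules. Not code from the thread; names are hypothetical.

def _labels(name):
    # DNS names are case-insensitive; ignore a trailing root dot.
    return name.lower().rstrip(".").split(".")

def name_matches(pattern, hostname):
    """Return True if one certificate DNS name covers the hostname."""
    p, h = _labels(pattern), _labels(hostname)
    # A wildcard stands for exactly one label, so label counts must agree.
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if p[0] == "*":
        # Require at least two fixed labels so "*.org" is rejected.
        if len(p) < 3:
            return False
        return p[1:] == h[1:]
    # Partial wildcards such as "d*.python.org" are not accepted here.
    if any("*" in label for label in p):
        return False
    return p == h

def cert_covers(san_names, hostname):
    """True if any subjectAltName DNS entry covers the hostname."""
    return any(name_matches(n, hostname) for n in san_names)

# Constructed SAN lists for the python.org example in the message.
WILDCARD_ONLY = ["*.python.org"]
WILDCARD_PLUS_APEX = ["*.python.org", "python.org"]

def report(san_names, hosts):
    """Map each hostname to whether the certificate covers it."""
    return {host: cert_covers(san_names, host) for host in hosts}

if __name__ == "__main__":
    hosts = ["docs.python.org", "pip.python.org", "python.org",
             "a.docs.python.org"]
    for sans in (WILDCARD_ONLY, WILDCARD_PLUS_APEX):
        print(sans, report(sans, hosts))
```

With only `*.python.org` on the certificate, the bare domain and any two-level subdomain are not covered, which is worth checking against the SAN list a CA will issue before buying.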
