migrating http to https

Imar · April 26th, 2007, 04:51 PM

Doesn't the user get a security warning with a self signed certificate? That way, while encryption is good, users may still be under the impression your site isn't safe.

BTW: I don't think all certificates have to cost 2,500. I think they start around 3 to 400 dollar....

Imar

---------------------------------------
Imar Spaanjaars
http://Imar.Spaanjaars.Com
Everyone is unique, except for me.
Author of ASP.NET 2.0 Instant Results and Beginning Dreamweaver MX / MX 2004
Want to be my colleague? Then check out this post.

dparsons · April 27th, 2007, 06:42 AM

Yes it is possible to find certs for much less then 2500.00. VeriSign offers a 1 year SSL Cert with 40 - 256bit strength for $399.00 (a 3year cert would run 995.00).

In so far as the warning with the Self-Signed cert, I am not sure I don't think I have ever come across a site that has had one, but you are probably correct.

================================================== =========
Read this if you want to know how to get a correct reply for your question:
http://www.catb.org/~esr/faqs/smart-questions.html
================================================== =========
Technical Editor for: Professional Search Engine Optimization with ASP.NET
http://www.wiley.com/WileyCDA/WileyT...470131470.html
================================================== =========
Why can't Programmers, program??
http://www.codinghorror.com/blog/archives/000781.html
================================================== =========

rstelma · April 27th, 2007, 12:43 PM

Yes, unfortunately, there is a security warning self certs which I think is fairly new. I remeber creating certs years back that didn't give that security warning. For Extranets and in-house Exchange Servers its not much of a problem cause you can inform the user base. Otherwise, I guess you're roped into buying one for a public site especially if you've got eCommerce running. I didn't know you could get a cert for less than $2,500. I think I went to Verisign's site and didn't read everything correctly but did see that price tag somewhere and got run pretty quick.

dparsons · April 27th, 2007, 12:56 PM

Oh yes its very easy to rack up a huge bill with verisign right from the get go for example their preimum 128bit - 256bit SSL Cert:

http://www.verisign.com/ssl/buy-ssl-...tes/index.html
For 2 years thats going to cost you $2,695 USD

Their pro level cert with 128bit is going to run you $2,480 for 3 years
http://www.verisign.com/ssl/buy-ssl-...tes/index.html

and finally their low level cert of 40bit - 256bit for $995 for 2 years
http://www.verisign.com/ssl/buy-ssl-...tes/index.html

Of course you do get a warranty for at least $100,000USD whereas a self signed cert you don't have that luxuory.

================================================== =========
Read this if you want to know how to get a correct reply for your question:
http://www.catb.org/~esr/faqs/smart-questions.html
================================================== =========
Technical Editor for: Professional Search Engine Optimization with ASP.NET
http://www.wiley.com/WileyCDA/WileyT...470131470.html
================================================== =========
Why can't Programmers, program??
http://www.codinghorror.com/blog/archives/000781.html
================================================== =========

rstelma · April 27th, 2007, 01:22 PM

Thanks for looking that up. Very much appreciated. Still, for what I've got now, the self cert seems to be working fine, an isolated server, no credit card info and all data is backed up every 15 minutes and then to tape. I just don't want to send logon info in clear text.

dparsons · April 27th, 2007, 01:27 PM

Absolutely. If I were in your situation where I had an extranet and knew who a vast majority of my users were going to be, generating a Self Cert is almost a non-issue but, as you pointed out, on the ECommerce side of things buying a Cert from a third party is your best bet.

================================================== =========
Read this if you want to know how to get a correct reply for your question:
http://www.catb.org/~esr/faqs/smart-questions.html
================================================== =========
Technical Editor for: Professional Search Engine Optimization with ASP.NET
http://www.wiley.com/WileyCDA/WileyT...470131470.html
================================================== =========
Why can't Programmers, program??
http://www.codinghorror.com/blog/archives/000781.html
================================================== =========