SSL

Any help topics that don't fit in the current categories can go here.
Post Reply
User avatar
FrederickGeek8
Posts: 148
Joined: Wed Nov 30, 2011 10:31 pm

SSL

Post by FrederickGeek8 »

I'm thinking of purchasing a CA approved SSL certificate from Namecheap. I've used SSL certificates before, but they've all been self-signed so they throw security errors.

My question, does it matter what SSL certficate I purcahse? According to Namecheap there are different ones I can purchase. I would like to get the cheapest certificate (~$8/y), but because of the wide ranges of prices, I am wondering if the other certificates will make a difference.

All I really want is a SSL certficate that allows for good security but also does not throw the "The site's security certificate is not trusted" error.
User avatar
Helx
Posts: 350
Joined: Thu May 17, 2012 6:45 am
Location: Auckland, New Zealand

Re: SSL

Post by Helx »

There's 4 different types of SSL certs that you should consider.
The following assumes you're on Google Chrome or FireFox:
  • Standard SSL
  • EV SSL
  • Wildcard standard SSL
  • Wildcard EV SSL
The difference between standard and EV is basically the icon that displays in the omnibox (URL bar).
This is a standard SSL cert. in-action:
Image

And an EV:
Image

They both encrypt data to-and-from the server, but the EV certificate is much more widely accepted and trusted.
EV certificates are priced out of most developers reach for good reason, only bother with EV certificates if you were planning on directly working with credit cards or really personal data (bank accounts, addresses, products).

Wildcard SSL certificates are for dev's with lots of subdomains (eg. a web host).
Most SSL certificates only sign for domain.com and www.domain.com, though a wildcard will do *.domain.com (obviously).
There are generally more expensive, no matter if it's standard or EV.

If you're just going for encrypted data transfers, stick with the much cheaper standard certificates.

----------------

About your situation in particular, you would have chosen a standard SSL cert. Great!
I would probably say that Namecheap is simply re-selling certificates from somewhere such as AlphaSSL - I know that's what my host does. This wouldn't be or cause any problems in most cases as AlphaSSL is widely accepted by most browsers (even the PS3/XBOX browsers!).

In this case, the cheaper the better!
Just keep in mind that SSL has a significant impact on page load time, avoid forcing it on all pages. I would recommend just using SSL on user authentication or submitting forms.

Remember not to miss payments on your certificates - if they cancel they might not be retrievable (just like when buying domains).
User avatar
FrederickGeek8
Posts: 148
Joined: Wed Nov 30, 2011 10:31 pm

Re: SSL

Post by FrederickGeek8 »

Thanks that really helps a lot. In terms of speed, do you know how much it would slow down?
User avatar
Helx
Posts: 350
Joined: Thu May 17, 2012 6:45 am
Location: Auckland, New Zealand

Re: SSL

Post by Helx »

It's hard to say.
It really depends on the processing power of your server as that is what makes it slow, encrypting and decrypting the entire page and its contents.

Here is the pingdom results page of my site, helx.pl.
(The purple part of the bar is the SSL handshake)

SSL
Image

Remember that the typical internet surfer will only wait 3 seconds before leaving a page. So if you do plan on forcing SSL on all pages, use an external script library such as cdnjs.
User avatar
FrederickGeek8
Posts: 148
Joined: Wed Nov 30, 2011 10:31 pm

Re: SSL

Post by FrederickGeek8 »

Ok sounds good. I have the budget to afford a better server so that I could run SSL on all pages but I guess I'll just stick to login/registration.

Also thanks for cdnjs. I had no idea about that site and it looks really awesome :D
User avatar
FrederickGeek8
Posts: 148
Joined: Wed Nov 30, 2011 10:31 pm

Re: SSL

Post by FrederickGeek8 »

How can I get it so that HTTPS is only required on the login page but defaults to HTTP everywhere else?

I have a snippet of code on the login page that makes it redirect to https but if you navigate away from the page, https stays with you. Is there any easy way to have the option to use https everywhere, but to use http everywhere but the login page? I could replace all the links with the full http url, but that mean for people that want to use https everywhere, they have to change the URL everytime...

Any help?

Also, is there any speed reduction by placing full url's for navigation rather than just file names?
User avatar
Helx
Posts: 350
Joined: Thu May 17, 2012 6:45 am
Location: Auckland, New Zealand

Re: SSL

Post by Helx »

You can forget the PHP snippet, you can do it through pure htaccess.

Make (or open) your .htaccess file. Make sure it's in the root.
Place the following lines of text into it:
RewriteEngine On
# Redirect pages that ARE on https that shouldn't
RewriteCond %{HTTPS} on
RewriteCond %{REQUEST_URI} !^/your-login-url/?.*$
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Redirect pages NOT on HTTPS that should
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} ^/your-login-url/?.*$
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
This is the most effective way, yet it will still be slightly costly in page load time (yet be enough to knock them off the HTTPS line the rest of the visit).
FrederickGeek8 wrote:Also, is there any speed reduction by placing full url's for navigation rather than just file names?
Shall we make a new topic so you can explain more? I don't get this request.
The first question should've been a new topic too :P
Post Reply