SSL, Generic or Vanity

AdamZ · Mar 16, 2019

We want to get an SSL for our firm's website but not sure whether we need a vanity / private certificate or whether a free generic one from our hosting company will be good enough. Can someone explain the difference? Thoughts?

dmspilot · Mar 16, 2019

You can get a free one for your domain from Let's Encrypt

RJM62 · Mar 16, 2019

The difference is in the insurance and the extent of validation. Any certificate, including a self-signed one, will encrypt. Math is math, and that's all encryption comes down to in the end.

A certificate a notch above, such as the ones provided for free with a cPanel license, will be recognized by browsers as being secure. But math is still math. Also, the free SSL certificate won't prove that your organization is who it claims to be. It validates the domain, not the organization.

A more expensive certificate will verify your organization as well as your domain and will come with some liability protection. Generally, the more you pay, the more protection you'll have. But in terms of encryption, math will still be math.

Given that you're a law firm, I think you probably should get an organization-validated certificate. But practically speaking, math is math.

Rich

flyingron · Mar 17, 2019

There's a coalition of sponsors that fund the "Let's Encrypt" site. Absolutely free to you and as "good" of a certificate as you'll get anywhere.
That's the one I put up the last time and I see no reason to go back.
https://letsencrypt.org/

RJM62 · Mar 17, 2019

flyingron said:
There's a coalition of sponsors that fund the "Let's Encrypt" site. Absolutely free to you and as "good" of a certificate as you'll get anywhere.
That's the one I put up the last time and I see no reason to go back.
https://letsencrypt.org/

Letsencrypt.org certificates are good enough for almost any site, as are the free ones available to anyone with cPanel hosting. They encrypt just as well and are accepted by nearly all Web browsers.

There are a few cases, however, where the OV certificates make sense. I'd put law firms, banks, credit unions, brokerage houses, online backup sites, and other especially sensitive businesses in that group. Savvy users of those businesses will want to make sure the domain actually belongs to the organization they're looking for. Without OV, anyone can make a domain-verified mockup of a site on a similar domain and grab login credentials and other PII.

The SSL cert business has been a racket for a long time. Free SSL certs have thrown a huge monkey wrench into that machine.

Rich

AdamZ · Mar 17, 2019

So then does Lets Encrypt offer free vanity certificates for the domain or are they like the generic free ones that my web host Digital Space offers which I suspect would show as companyname.digitalspace.com? I also see that Digital Space requires that you renew the certificate every 90 days is this standard for any SSL certificate?

flyingron · Mar 17, 2019

First off, you need to use a proper terminology. There's no such thing as a vanity certificate. There are self-signed certificates which while you can kick SSL off with them, are the bottom of the trust ladder and worthless. Then you have the Domain Verified certificates like Let's Encrypt and some others. In order to verify you are the controller of the domain, typically they have you add odd strings to your domain name record that the certificate issuer looks at to verify that you do at least control the DNS of the domain. Then as Rich points out their are OV which have a more human component (typically you provide a credit card or other item that is traceable back to you to show who you are). What your web hoster offers could be any of the three.

My opinion is that 99% of the users (maybe more) wouldn't recognize the difference between the DV or OV if they saw it. All they care about is the browser showing the green lock.

dmspilot · Mar 17, 2019

AdamZ said:
So then does Lets Encrypt offer free vanity certificates for the domain or are they like the generic free ones that my web host Digital Space offers which I suspect would show as companyname.digitalspace.com? I also see that Digital Space requires that you renew the certificate every 90 days is this standard for any SSL certificate?

Never heard of the term "vanity certificate", but I thought I answered that question in Post 3. And yes LE requires you to renew periodically but this can be automated.

mcmanigle · Mar 17, 2019

Yes, the purpose of the math behind a certificate is to 1. allow for encrypted communications, and 2. establish trust of identity.

- As Rich points out, any of them will do a fine job on encryption, unless you go out of your way to screw it up somehow.
- Your ISP one will establish that you are indeed a customer of the ISP.
- One from LetsEncrypt or similar services will establish that you are indeed the owner of the website.
- A more expensive one will verify that you are in fact the real-life entity you claim to be. There are different levels here too: some will just verify that you own a credit card in that name, others will effectively do a corporate background check.

For a law firm or financial business of any kind, I'd expect the latter. You can see how they appear differently on your browser right now. You should see some kind of lock icon for pilotsofamerica, because it's using a LetsEncrypt certificate. But if you go to www.bankofamerica.com or similar, your browser should show you some slightly more fancy verification icon that shows that it indeed belongs not just to "the webmaster of www.bankofamerica.com" but rather "Bank of America Corporation [US]".

flyingron · Mar 17, 2019

Note that POA has a let's encrypt certificate too.

EdFred · Mar 17, 2019

Any suggestions for a wildcard domain SSL certificate? I have my main domain and two subdomains that I want to get certified but no clue who to go with or how much I should or should not be paying.

JScarry · Mar 17, 2019

EdFred said:
Any suggestions for a wildcard domain SSL certificate? I have my main domain and two subdomains that I want to get certified but no clue who to go with or how much I should or should not be paying.

Not sure about wildcards, but Let’s Encrypt will let you have as many sub-domains as you want and will let you use the same certificate for multiple domains that point to the same content. It’s a simple command where you just string together all the domains that you want to use the same certificate. You can change it at any time as well.

e.g.

sudo ./certbot-auto certonly --cert-name mydomain.com -d www.mydomain.com,myreallylongdomainname.com,subdomain.myreallylongdomainname.com

EdFred · Mar 17, 2019

I think I also need/want the validation (CC info) which letsencrypt doesn't seem to provide. I also don't want to mess with having to renew it every 90 days.

RJM62 · Mar 18, 2019

EdFred said:
I think I also need/want the validation (CC info) which letsencrypt doesn't seem to provide. I also don't want to mess with having to renew it every 90 days.

I haven't needed one in a while, but the last time I did, this was one of the better deals: https://www.ssls.com/ssl-certificates/comodo-premiumssl-wildcard . There may be better deals now.

I don't think your business needs the EV certificate, personally. It certainly can't hurt, especially if you deal with government agencies or large corporations; but I wouldn't classify your business as one that actually needs an OV or EV certificate.

Rich

RJM62 · Mar 18, 2019

AdamZ said:
So then does Lets Encrypt offer free vanity certificates for the domain or are they like the generic free ones that my web host Digital Space offers which I suspect would show as companyname.digitalspace.com? I also see that Digital Space requires that you renew the certificate every 90 days is this standard for any SSL certificate?

The certificate wouldn't convert your domain to a subdomain. Or at least it shouldn't. But either a free certificate or a purchased certificate should validate your domain, not the hosting company's. The only difference in cost should be for the certificate itself. It takes minutes to install an SSL cert no matter what type it is. It just requires pasting some text and making an entry in the server configuration files or in the .htaccess file (in Apache) to redirect http requests to https.

The difference between the DV and OV (or EV, which is even more thoroughly vetted) certificate can be seen in the SSL information for this site, in the attached picture.

For 99 percent of sites, I don't think it makes a difference whether organizational ownership is verified. I do think law firms are in the one percent of exceptions that really should have OV. (I think EV is probably overkill for a law firm.)

Rich

EDIT: If you maintain your own site, the .htaccess entry would be something along the lines of

Code:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

and should appear above other redirects, except those from parked domains. The protocol for the target pages for any ErrorDocument declarations or other redirects should also be changed from http to https.

flyingron · Mar 18, 2019

I've used Thwate in the past.

SSL, Generic or Vanity

AdamZ

Touchdown! Greaser!

dmspilot

Final Approach

RJM62

Touchdown! Greaser!

flyingron

Administrator

RJM62

Touchdown! Greaser!

AdamZ

Touchdown! Greaser!

flyingron

Administrator

dmspilot

Final Approach

mcmanigle

Line Up and Wait

flyingron

Administrator

EdFred

Taxi to Parking

JScarry

Pre-takeoff checklist

EdFred

Taxi to Parking

RJM62

Touchdown! Greaser!

RJM62

Touchdown! Greaser!

flyingron

Administrator