SSL CERTIFICATES

[yourdj]

Apparently google has officially announced that they will take in to consideration sites that have SSL certificates so it would be wise to get one.

I have spent a few hours looking into this and I am none the wiser as there are so many options. Now I only have a simple site, apart from the form I don't deal with any payments or other ways to get persaonly data, so I only want a basic option, but one that is looked on favourably by google.

A bit like a good host not all companies are the same so I am keen to get a reasonable company to run this through.

My hosting company do a 256 bit one, but I am thinking they are just reselling a bog standard £7 commode type cert are they not?

Standard SSL
£41.66
/yr
+20% VAT
Protect a single domain with domain validation.
256-bit (2048 bit-key)Encryption Level
Browser Padlock
$100,000 Warranty
Mobile Device Support
99.9% Browsers Supported
Unlimited Re-Issues
Site Seal

___

There are wordpress plug in options, not looked at that yet.

__

Comodo, comes very well recommended and offer tons of products some at amazing prices.
https://comodosslstore.com/ssl-types/ov

Would a multi site one be a good option, or just one per site?
Shall I get a 2-3 year option as its a lot cheaper??

Any help on this would be handy. I need to look at how to implement it on the website.

I would probably want the second one i guess??

Domain-Validated (DV) Certificate. Ranging in cost from free to cheap, such as Geotrust's QuickSSL Premium option or RapidSSL's offering, this kind of certificate is fine for internal projects but not acceptable for the open web. Use extreme caution on websites using this kind of certificate. In fact, you're probably best off clicking away from them as fast as you can.

Organization-Validated (OV) Certificate. Because businesses and organizations already have some level of authentication with a governing body, they can be easily verified by the certificate authority as legitimate. Generally, the organization listed on the request will be contacted and asked to provide some proof that it is valid. This is the bare minimum level of certificate that should be considered for a commercial website.

Extended Validation (EV) Certificates are the third and most trusted level of SSL certificate. The published guidelines for EV certificates are both strict and thorough. It's not uncommon for proof of identity, capacity, and place of business to be requested and verified. Before the certificate is issued, the identity of the legal entity that controls the website is determined and published. As a bonus, most modern web browsers will indicate that an EV certificate is being used by showing a green Uniform Resource Locator (URL) bar.

[rth_discos]

For sites like our own, use a host that provides support for Let's Encrypt which is a free SSL certificate.

Perfect for your site.

Happy to help further if required.

[DJWilson]

one.com include this within their packages.

[yourdj]

I don't know about anyone else, but I am always a little dubious of anything that is being provided for free. I have looked at the free ones, but a lot of the advice says that the suppliers vary massively & you are effectively trusting a third party with your data flow & website security?

There is also the level of security attainable which I guess will eventually also affect ranking, when everyone gets on board. I believe the lilttle padlock and the HTTPS is important. If I am wrong then I guess I can go for a free one and then change my mind, but I was keen to go for one of the best companies rather than one everyone else is choosing as it's free. I want at least 256 bit encryption & a padlock and don't mind going through all the verification checks as thats the whole point isn't it?

I may choose these for my other websites, but YourDJ is a large site that ranks well & am am pretty protective about sharing any security related services with anyone else. If you can clarify on that then that would be great. I don't mind paying £100 a year if I can see the benefits over a £10 or free policy.

one.com include this within their packages.

That looks good, nice packages there. I believe they will all be free at some point. This is domain validated, which I think is a basic option, so need to look into the differences perceived by Google as thats the point. i don't take card payments or anything, so don't need anything mega.

[Marc J]

Web traffic goes through numerous hops between the visitor and the web server, and so traffic each way can be read at any point on the journey if unencrypted. An SSL certificate enables encryption between these two endpoints, thus preventing "man-in-the-middle" attacks.

An SSL certificate is only good (trustworthy) if the private key is not compromised. That's really all you should be worried about, and as Gavin says the free Let's Encrypt certs are probably fine for most people here. I recommend them to all my clients, and only suggest using paid certs on ecommerce sites or where there is more user data or payment info on required on the site - but that's just my recommendation, Let's Encrypt certs are absolutely fine and should get an "A" rating on tests like https://www.ssllabs.com/ssltest/ (here's one of mine). Let's Encrypt certs will also satisfy anything Google needs, both in search results and in Chrome.

If you do want to pay for a cert, Domain Validated (DV) certs are absolutely fine for what you're doing, I certainly wouldn't go any higher if I were you. You're quote: -

Domain-Validated (DV) Certificate. Ranging in cost from free to cheap, such as Geotrust's QuickSSL Premium option or RapidSSL's offering, this kind of certificate is fine for internal projects but not acceptable for the open web. Use extreme caution on websites using this kind of certificate. In fact, you're probably best off clicking away from them as fast as you can.

is a bit of scare-mongering by someone trying to sell something to you, IMHO.

Remember that, for most websites here, the only security that's a real issue is personal details submitted via an enquiry form. Securing the site via an SSL is fine, nothing can intercept data between the browser and the server, but 99% of these then fire off an email from the web server with all of these submitted details and email is a very insecure method of transmitting anything - but I don't see anyone bleating on about that

Most decent hosts should now provide a Let's Encrpyt cert for free (I do ). And, again, that's probably all you need.

[yourdj]

Web traffic goes through numerous hops between the visitor and the web server, and so traffic each way can be read at any point on the journey if unencrypted. An SSL certificate enables encryption between these two endpoints, thus preventing "man-in-the-middle" attacks.

An SSL certificate is only good (trustworthy) if the private key is not compromised. That's really all you should be worried about, and as Gavin says the free Let's Encrypt certs are probably fine for most people here. I recommend them to all my clients, and only suggest using paid certs on ecommerce sites or where there is more user data or payment info on required on the site - but that's just my recommendation, Let's Encrypt certs are absolutely fine and should get an "A" rating on tests like https://www.ssllabs.com/ssltest/ (here's one of mine). Let's Encrypt certs will also satisfy anything Google needs, both in search results and in Chrome.

If you do want to pay for a cert, Domain Validated (DV) certs are absolutely fine for what you're doing, I certainly wouldn't go any higher if I were you. You're quote: -



is a bit of scare-mongering by someone trying to sell something to you, IMHO.

Remember that, for most websites here, the only security that's a real issue is personal details submitted via an enquiry form. Securing the site via an SSL is fine, nothing can intercept data between the browser and the server, but 99% of these then fire off an email from the web server with all of these submitted details and email is a very insecure method of transmitting anything - but I don't see anyone bleating on about that

Most decent hosts should now provide a Let's Encrpyt cert for free (I do ). And, again, that's probably all you need.

Great thanks, I shall try that then.

[rth_discos]

Google is a top-tier sponsor of Let's Encrypt - of which is backed by many well known brands in the web world.

It's been a real game changer in the world of SSL.

For a typical website there's no advantage in other SSL options, unless you're providing online payments directly through your website (few websites even do that anyway) or handling lots of personal data on the website and require the warranty that paid for SSL certificates provide.

[yourdj]

Google is a top-tier sponsor of Let's Encrypt - of which is backed by many well known brands in the web world.

It's been a real game changer in the world of SSL.

For a typical website there's no advantage in other SSL options, unless you're providing online payments directly through your website (few websites even do that anyway) or handling lots of personal data on the website and require the warranty that paid for SSL certificates provide.

Cool thats good news. Thanks for your help.