SSL Pricing, Differences, HSTS – Kitchen Sink – March SIG Meeting Wrap-Up

Our February session on SSL was well received and proved to be extremely interactive. We had a good discussion but at the end of our 55 minutes, we were left with questions and wanting to know more.
So what are the differences between the various SSL certificates? Do I need a DV, OV or EV certificate? Will a wildcard cert take care of every domain name I own?

Is HSTS the same as HTTPS? Where can I buy that certificate?

What’s the deal with pricing all over the map when it comes to SSL certificates? Is the free one from Let’s Encrypt any less secure than the $69 one from GoDaddy?

SSL Certificate basics

DV – Domain Validated Certificate – capwebsolutions.com

  • Padlock/HTTPS
  • Validates domain is registered
  • Someone with Admin rights approved certificate request
  • Verified against domain registry
  • Least expensive
  • Verified by email or DNS – very quick – approved in minutes

OV – Organization Validated

  • Padlock/HTTPS
  • Validates domain is registered, plus organization info, e.g. name, city, state, country
  • Trusted
  • Authenticated by agents against business registry databases
  • Verified in a few hours to weeks
  • Company info shown in certificate details

EV – Extended Validation – twitter.com

  • Green bar/Padlock/HTTPS
  • Validation governed by Guidelines for Extended Validation
  • Provides vetting process much stricter than OV certificates

Wildcard

  • Secures an unlimited number of first-level subdomains on a single domain
    • *.yourdomain.com as the common name.
    • Secures www.yourdomain.com, mail.yourdomain.com, secure.yourdomain.com, anything.yourdomain.com

HSTS vs HTTPS

Again, we jump out to the web authority – Wikipedia – to get the scoop on HSTS.

HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol.

  • Web server sends a response header telling browsers it may only be contacted over HTTPS
  • Protects the public from man-in-the-middle SSL-stripping attacks
  • HSTS forces browsers and app connections to use HTTPS
  • Browsers use a preload list that specifies sites that must connect via HTTPS from the initial connection
  • Excellent Reference with more details, and step by step directions to implement HSTS on your website.

globalsign.com/en/blog/what-is-hsts-and-how-do-i-use-it/

Pricing?

Resources


Ideas for Upcoming Meetings?

Feel free to ask questions, offer feedback, or suggest topics for an upcoming meeting via the form below.