Myreader.co.uk  
uk news, chat and community
date: Wed, 10 Sep 2008 20:41:14 +0100,    group: uk.net.web.authoring
cheap ssl?   
I have a customer who has a page with a form that they'd like to appear 
as https but they're not taking credit cards or anything like that and 
they don't want to spend much. Can anyone recommend, or suggest, a cheap 
shared certificate type of thingy?
date: Wed, 10 Sep 2008 20:41:14 +0100   author:   treadmill-- with the great taste of fish nope

Re: cheap ssl?   
"treadmill-- with the great taste of fish" <nope> wrote in message 
news:48c822f3$0$2930$fa0fcedb@news.zen.co.uk...
>I have a customer who has a page with a form that they'd like to appear as 
>https but they're not taking credit cards or anything like that and they 
>don't want to spend much. Can anyone recommend, or suggest, a cheap shared 
>certificate type of thingy?

Check with the host. Several I've used have a free shared SSL solution 
included for free.

AC
date: Thu, 11 Sep 2008 01:42:49 +0100   author:   AC

Re: cheap ssl?   
"AC"  writes:

> "treadmill-- with the great taste of fish" <nope> wrote in message 
> news:48c822f3$0$2930$fa0fcedb@news.zen.co.uk...
>>I have a customer who has a page with a form that they'd like to appear as 
>>https but they're not taking credit cards or anything like that and they 
>>don't want to spend much. Can anyone recommend, or suggest, a cheap shared 
>>certificate type of thingy?
>
> Check with the host. Several I've used have a free shared SSL solution 
> included for free.

They usually have severe restrictions, though, that make them
unsatisfactory.

To the OP: the usual "shared certificate" simply means that you must
access one or make pages at a domain name that is covered by that
certificate.  The most common ways are a sub-domain
(https://www.mysub.host.com covered by a wildcard certificate for
host.com) and an area you are granted permission to load pages
(https://host.com/~mysub).

In both cases, unless your client is prepared to forgo their own
domain name for URLs based on host.com the effect is that some pages
appear to be from another site, and they are exactly those pages you
want people to have the most confidence in.

-- 
Ben.
date: Thu, 11 Sep 2008 02:03:42 +0100   author:   Ben Bacarisse

Re: cheap ssl?   
"Ben Bacarisse"  wrote in message 
news:877i9jebo1.fsf@bsb.me.uk...
> "AC"  writes:
>
>> "treadmill-- with the great taste of fish" <nope> wrote in message
>> news:48c822f3$0$2930$fa0fcedb@news.zen.co.uk...
>>>I have a customer who has a page with a form that they'd like to appear 
>>>as
>>>https but they're not taking credit cards or anything like that and they
>>>don't want to spend much. Can anyone recommend, or suggest, a cheap 
>>>shared
>>>certificate type of thingy?
>>
>> Check with the host. Several I've used have a free shared SSL solution
>> included for free.
>
> They usually have severe restrictions, though, that make them
> unsatisfactory.
>
> To the OP: the usual "shared certificate" simply means that you must
> access one or make pages at a domain name that is covered by that
> certificate.  The most common ways are a sub-domain
> (https://www.mysub.host.com covered by a wildcard certificate for
> host.com) and an area you are granted permission to load pages
> (https://host.com/~mysub).
>
> In both cases, unless your client is prepared to forgo their own
> domain name for URLs based on host.com the effect is that some pages
> appear to be from another site, and they are exactly those pages you
> want people to have the most confidence in.
>
> -- 
> Ben.

"appear"

AC
date: Thu, 11 Sep 2008 08:13:53 +0100   author:   AC

Re: cheap ssl?   
"AC"  writes:

> "Ben Bacarisse"  wrote in message 
> news:877i9jebo1.fsf@bsb.me.uk...
>> "AC"  writes:
<snip>
>>> Check with the host. Several I've used have a free shared SSL solution
>>> included for free.
>>
>> They usually have severe restrictions, though, that make them
>> unsatisfactory.
>>
>> To the OP: the usual "shared certificate" simply means that you must
>> access one or make pages at a domain name that is covered by that
>> certificate.  The most common ways are a sub-domain
>> (https://www.mysub.host.com covered by a wildcard certificate for
>> host.com) and an area you are granted permission to load pages
>> (https://host.com/~mysub).
>>
>> In both cases, unless your client is prepared to forgo their own
>> domain name for URLs based on host.com the effect is that some pages
>> appear to be from another site, and they are exactly those pages you
>> want people to have the most confidence in.
>>
>
> "appear"

I don't know how else to put it.  Unless you forgo the site's original
URL, the https pages will have a fundamentally different URL.  How
would you put it?

-- 
Ben.
date: Thu, 11 Sep 2008 13:53:55 +0100   author:   Ben Bacarisse

Re: cheap ssl?   
On 10 Sep, 21:41, treadmill-- with the great taste of fish <nope>
wrote:
> I have a customer who has a page with a form that they'd like to appear
> as https but they're not taking credit cards or anything like that and
> they don't want to spend much. Can anyone recommend, or suggest, a cheap
> shared certificate type of thingy?

GoDaddy the big US ISP sells certs very cheaply (from around £15 or
$15 can't remember which). Should do what you want so long as it is
just the main domain and you're not trying anything complicated like
subdomains. Installing it I think you need to have access to
Apache .conf files if it's on Apache (? don't know if .htaccess would
be able to do this?).

Otherwise you have to host the form on someone else's https system.


Saul
www.notanant.com
Communities of websites
date: Thu, 11 Sep 2008 10:20:16 -0700 (PDT)   author:   Saul

Re: cheap ssl?   
"Ben Bacarisse"  wrote in message 
news:87ljxydesc.fsf@bsb.me.uk...
> "AC"  writes:
>
>> "Ben Bacarisse"  wrote in message
>> news:877i9jebo1.fsf@bsb.me.uk...
>>> "AC"  writes:
> <snip>
>>>> Check with the host. Several I've used have a free shared SSL solution
>>>> included for free.
>>>
>>> They usually have severe restrictions, though, that make them
>>> unsatisfactory.
>>>
>>> To the OP: the usual "shared certificate" simply means that you must
>>> access one or make pages at a domain name that is covered by that
>>> certificate.  The most common ways are a sub-domain
>>> (https://www.mysub.host.com covered by a wildcard certificate for
>>> host.com) and an area you are granted permission to load pages
>>> (https://host.com/~mysub).
>>>
>>> In both cases, unless your client is prepared to forgo their own
>>> domain name for URLs based on host.com the effect is that some pages
>>> appear to be from another site, and they are exactly those pages you
>>> want people to have the most confidence in.
>>>
>>
>> "appear"
>
> I don't know how else to put it.  Unless you forgo the site's original
> URL, the https pages will have a fundamentally different URL.  How
> would you put it?
>
> -- 
> Ben.

Fine. Can't be bothered.

AC
date: Thu, 11 Sep 2008 20:03:06 +0100   author:   AC

Re: cheap ssl?   
Saul  writes:

> On 10 Sep, 21:41, treadmill-- with the great taste of fish <nope>
> wrote:
>> I have a customer who has a page with a form that they'd like to appear
>> as https but they're not taking credit cards or anything like that and
>> they don't want to spend much. Can anyone recommend, or suggest, a cheap
>> shared certificate type of thingy?
>
> GoDaddy the big US ISP sells certs very cheaply (from around £15 or
> $15 can't remember which). Should do what you want so long as it is
> just the main domain and you're not trying anything complicated like
> subdomains. Installing it I think you need to have access to
> Apache .conf files if it's on Apache (? don't know if .htaccess would
> be able to do this?).

That's not the problem (though it might be).  The problem is that you
can't run SSL when using name-based virtual hosts which is how almost
all cheap hosting deals get the cost down.

If your host is set up to give you a unique IP address for your server or
they can play some clever tricks with port numbers, you can get SSL
working.  This is why there are two components to the cost of having
your own certificate -- the cost of getting one signed by a reputable
authority and the cost of hosting that can direct the requests to your
server before unwrapping the HTTP contained in the SSL session.

> Otherwise you have to host the form on someone else's https system.

True.  However, if having separate domain names for the https part is
acceptable, the solution already suggested by AC is much cheaper.
Only the OP can say if that is a reasonable way to go.

-- 
Ben.
date: Thu, 11 Sep 2008 22:32:22 +0100   author:   Ben Bacarisse

Re: cheap ssl?   
Thanks to everyone for the helpful replies.

I'm really looking for suggestions for a shared cert. The customer's 
site is on a virtual server, but they want the cheapest solution 
available and I don't think they'd mind a different domain name. The 
page is not selling anything, it's just that possibly sensitive 
information is being sent via a form.



Ben Bacarisse wrote:

> If your host is set up to give you a unique IP address for your server or
> they can play some clever tricks with port numbers, you can get SSL
> working.  

Thank you. That sounds intriguing - can you tell me a bit more, or give 
me a link to more information?
date: Fri, 12 Sep 2008 12:35:49 +0100   author:   treadmill-- with the great taste of fish nope

Re: cheap ssl?   
Saul wrote:
> On 10 Sep, 21:41, treadmill-- with the great taste of fish <nope>
> wrote:
>> I have a customer who has a page with a form that they'd like to appear
>> as https but they're not taking credit cards or anything like that and
>> they don't want to spend much. Can anyone recommend, or suggest, a cheap
>> shared certificate type of thingy?
> 
> GoDaddy the big US ISP sells certs very cheaply 


Thanks Saul. I did try and buy a cert from GoDaddy a while back but they 
sent a strange email saying that our account had been locked in case of 
fraud and could we send a driver's licence picture to prove otherwise. I 
thought this was nuts - how hard is it to fake something in Photoshop 
after all? - and suspected they might want this information for ulterior 
motives so I told them to either accept the order without any messing 
about or take a hike. Eventually I asked for a refund, which they gave, 
but it came back minus a few pence because the exchange rate had moved.

Are there any other vendors of certs that anyone could recommend?
date: Fri, 12 Sep 2008 12:41:47 +0100   author:   treadmill-- with the great taste of fish nope

Re: cheap ssl?   
treadmill-- with the great taste of fish <nope> writes:
<snip>
>> If your host is set up to give you a unique IP address for your server or
>> they can play some clever tricks with port numbers, you can get SSL
>> working.  
>
> Thank you. That sounds intriguing - can you tell me a bit more, or
> give me a link to more information?

The basic point is that when an https connection is made the server
must open the encrypted stream before it has any idea what URL is
being requested.  Some servers use a single IP address for multiple
sites and decide what "virtual server" (a rather vague term with a lot
of slightly different meanings) is to get the request by looking at
the URL.  This does not work with SSL.  The incoming request must be
"opened" using the credentials that are associated with the connection
alone.  This is usually done based on the IP address: the server for
www.xxx.com listens on IP address a.b.c.x:443 and that for www.yyy.com
on a.b.c.y:443 so each server knows what credentials to use (443 is
the usual port number for https).

If you are prepared to use non-standard ports, you can have all the
servers listening on one IP address, but different ports.  The
incoming requests then still arrive at uniquely identified virtual
servers so the server knows which credentials to use.  There are, no
doubt, other port mapping games that can be played, but the end result
must be that the server can choose the right keys to open the SSL
connection before knowing any part of the URL.

Sorry if this is a bit vague, and I have probably slipped up in a
couple of places, but it might help you to know what you need from
your host.  Buying the certificate is only one part of the task, but
if you are paying for SSL hosting all this will be set up already.

The best reference is probably the manual for your server.  If you are
using Apache: http://httpd.apache.org/docs/

-- 
Ben.
date: Fri, 12 Sep 2008 14:01:26 +0100   author:   Ben Bacarisse

Re: cheap ssl?   
Ben Bacarisse wrote:
> treadmill-- with the great taste of fish <nope> writes:
> <snip>
>>> If your host is set up to give you a unique IP address for your server or
>>> they can play some clever tricks with port numbers, you can get SSL
>>> working.  
>> Thank you. That sounds intriguing - can you tell me a bit more, or
>> give me a link to more information?
> 
<snip>
> The best reference is probably the manual for your server.  If you are
> using Apache: http://httpd.apache.org/docs/


That's most helpful. Thanks Ben.
date: Fri, 12 Sep 2008 14:08:18 +0100   author:   treadmill-- with the great taste of fish nope

Re: cheap ssl?   
On Thu, 11 Sep 2008 22:32:22 +0100, Ben Bacarisse 
wrote in :

>That's not the problem (though it might be).  The problem is that you
>can't run SSL when using name-based virtual hosts which is how almost
>all cheap hosting deals get the cost down.

Transport Layer Security (TLS), the successor to SSL, has an extension
called "Server Name Indication" (SNI) that does let you do that.

<http://en.wikipedia.org/wiki/Server_Name_Indication> the SNI entry at
Wikipedia gives some pointers to an experimental Apache module for SNI
and lists other servers that support it.

The browser must support SNI too and recent versions of the popular ones
apparently do.

I have no idea whether or not any hosting companies offer SNI. A search
did not turn up any useful information.

-- 
Owen Rees
[one of] my preferred email address[es] and more stuff can be
found at <http://www.users.waitrose.com/~owenrees/index.html>
date: Fri, 12 Sep 2008 21:06:53 +0100   author:   Owen Rees

Re: cheap ssl?   
Owen Rees  writes:

> On Thu, 11 Sep 2008 22:32:22 +0100, Ben Bacarisse 
> wrote in :
>
>>That's not the problem (though it might be).  The problem is that you
>>can't run SSL when using name-based virtual hosts which is how almost
>>all cheap hosting deals get the cost down.
>
> Transport Layer Security (TLS), the successor to SSL, has an extension
> called "Server Name Indication" (SNI) that does let you do that.
>
> <http://en.wikipedia.org/wiki/Server_Name_Indication> the SNI entry at
> Wikipedia gives some pointers to an experimental Apache module for SNI
> and lists other servers that support it.
>
> The browser must support SNI too and recent versions of the popular ones
> apparently do.

That's very interesting.  Thanks.  This will help reduce the costs of
secure hosting when it becomes more commonplace.

-- 
Ben.
date: Fri, 12 Sep 2008 23:14:02 +0100   author:   Ben Bacarisse

Re: cheap ssl?   
On Fri, 12 Sep 2008 12:35:49 +0100, treadmill-- with the great taste
of fish <nope> wrote:

>Thanks to everyone for the helpful replies.
>
>I'm really looking for suggestions for a shared cert. The customer's 
>site is on a virtual server, but they want the cheapest solution 

A virtual server as in a VPS with its own IP address? If so they
should be able to use that IP address for SSL as long as it's the only
https site on the server. A RapidSSL cert will cost £9 for a year.

Or, if you mean virtual/shared hosting rather than a VPS of their own,
check with their HSP what they would charge for an extra IP address.
As an example only Fasthosts charge £1pcm per extra IP address on
dedicated so it's not that expensive, £21p.a. in this example -
depending on the HSP.

>available and I don't think they'd mind a different domain name. The 
>page is not selling anything, it's just that possibly sensitive 
>information is being sent via a form.

In that case, as AC said, ask what their HSP's shared-cert price is.

Aside: If they are not your only client who wants a shared-cert for
low security information, you could get a cert of your own and offer
your own shared cert service to your clients, under your own domain
name - as long as your HSP has the facilities in place to allow it. A
simple https://secure.example.com/ could cost you the £21p.a. above
with each client in their own folder, or you could get a wildcard
RapidSSL cert for about £79p.a. IIRC and offer them their own
sub-domains.

They should also consider what happens to the "possibly sensitive
data" after it's submitted, e.g. is it mailed in plain-text format to
them, saved to an unencrypted file or database, GPG encrypted before
being e-mailed to them, etc. There's little point encrypting the
client-server data itself if it's stored or e-mailed unencrypted
afterwards ;-)

The risk of a MITM attack is far lower than the risk of the data being
accessed by some "unauthorised person" on either the server or
destination PC simply because there are less people in a position to
carry out a MITM attack. However, the "PR value" of SSL can blind
end-users to what happens afterwards in most cases!

Of course there are always exceptions - maybe it's a "report your
employer for X" thing and the employer has a proxy recording the
employees' web traffic. But, in that case, better hope they don't have
key-logging in place too ;-)
date: Fri, 12 Sep 2008 23:40:36 +0100   author:   Stuart Millington

Re: cheap ssl?   
Saul wrote:
> On 10 Sep, 21:41, treadmill-- with the great taste of fish <nope>
> wrote:
>> I have a customer who has a page with a form that they'd like to appear
>> as https but they're not taking credit cards or anything like that and
>> they don't want to spend much. Can anyone recommend, or suggest, a cheap
>> shared certificate type of thingy?
> 
> GoDaddy the big US ISP sells certs very cheaply (from around £15 or
> $15 can't remember which). Should do what you want so long as it is
> just the main domain and you're not trying anything complicated like
> subdomains. Installing it I think you need to have access to
> Apache .conf files if it's on Apache (? don't know if .htaccess would
> be able to do this?).
> 
> Otherwise you have to host the form on someone else's https system.
> 
> 
> Saul
> www.notanant.com
> Communities of websites

Does Godaddy give you any more than a self-signed certificate? I think 
both a self-signed certificate and one from GoDaddy will generate 
warnings from browsers (Firefox anyway, perhaps not the less secure 
Internet Explorer).

I've used a self-signed one for a mate so he could download his MP3's 
without anyone else getting access to them.

Perhaps someone will create a web page one day where you get the ssl 
certificate for free. It is probably not too hard to do. All the tools 
are free.
date: Mon, 15 Sep 2008 08:44:36 +0100   author:   Dave

Re: cheap ssl?   
On Mon, 15 Sep 2008 08:44:36 +0100, Dave  wrote in
:

>Does Godaddy give you any more than a self-signed certificate? I think 
>both a self-signed certificate and one from GoDaddy will generate 
>warnings from browsers (Firefox anyway, perhaps not the less secure 
>Internet Explorer).

See <http://www.mozilla.org/projects/security/certs/included/>. Go Daddy
is one of the CAs included in the Mozilla project Root CA store so
certificates signed by the Go Daddy CA will be accepted as valid by
Firefox. As far as I know, other browsers also accept Go Daddy signed
certificates.

-- 
Owen Rees
[one of] my preferred email address[es] and more stuff can be
found at <http://www.users.waitrose.com/~owenrees/index.html>
date: Mon, 15 Sep 2008 22:40:08 +0100   author:   Owen Rees

Re: cheap ssl?   
Owen Rees wrote:
> On Mon, 15 Sep 2008 08:44:36 +0100, Dave  wrote in
> :
> 
>> Does Godaddy give you any more than a self-signed certificate? I think 
>> both a self-signed certificate and one from GoDaddy will generate 
>> warnings from browsers (Firefox anyway, perhaps not the less secure 
>> Internet Explorer).
> 
> See <http://www.mozilla.org/projects/security/certs/included/>. Go Daddy
> is one of the CAs included in the Mozilla project Root CA store so
> certificates signed by the Go Daddy CA will be accepted as valid by
> Firefox. As far as I know, other browsers also accept Go Daddy signed
> certificates.
> 

I might be wrong, but I think that must be pretty recent.

I note that the Mozilla site says "class 2" for GoDaddy. I don't know 
how that equates to Godaddy's 'Standard', 'Deluxe' and 'Premium' SSL 
certificates. Will their cheap 'Standard Certificate', costing from only 
£16 for a year be enough to get rid of all warnings? Or perhaps one 
might need to pay out for one of their 'Premium' certificates. The 
latter is about 15x the cost of the former.

Depending on the application, a self-signed certificate might be enough.
Dave
date: Wed, 17 Sep 2008 12:25:08 +0100   author:   Dave

Re: cheap ssl?   
On Wed, 17 Sep 2008 12:25:08 +0100, Dave  wrote in
:

>I might be wrong, but I think that must be pretty recent.

According to the Mozilla CVS log, the Go Daddy CA certs were added to the
certdata.txt file at 2005-04-12 18:45. I believe that means that they
have been shipped with Firefox since release 1.5.

>I note that the Mozilla site says "class 2" for GoDaddy. I don't know 
>how that equates to Godaddy's 'Standard', 'Deluxe' and 'Premium' SSL 
>certificates. Will their cheap 'Standard Certificate', costing from only 
>£16 for a year be enough to get rid of all warnings? Or perhaps one 
>might need to pay out for one of their 'Premium' certificates. The 
>latter is about 15x the cost of the former.

If you have a certificate issued by Go Daddy, you can check the
certificate hierarchy to see which CA issued the certificate and compare
that with the certificates listed as built in to Firefox.

One thing that can trip people up is if there is an intermediate CA
involved - I believe that is the case for certificates issued by Go
Daddy. You have to set up the server to deliver the certificate chain
properly. If the server does not have the intermediate certificate set
up properly then the browser will not be able to follow the chain back
to the root CA certificate that it trusts.

-- 
Owen Rees
[one of] my preferred email address[es] and more stuff can be
found at <http://www.users.waitrose.com/~owenrees/index.html>
date: Wed, 17 Sep 2008 23:49:19 +0100   author:   Owen Rees
