I'm launching an internet e-commerce site where we will be taking
payments. I've been doing a lot of research on this.
I spoke to Verisign and Thawte (owned by Verisign), who have this
technology to step up old browsers to 128-bit encryption if they are
lower. That service costs $600 with Thawte and $1000 with Verisign.
Their normal SSL service is a few hundred dollars less.
In any case, NO, the SSL certificate authorities don't really matter. You
want to make sure that it's well known so that browsers don't pop up a
certificate acceptance notice.
With that said, we went with Comodo at instantssl.com; you can even get
the plan to step people up to 128-bit for like 250, which is much
cheaper.
Verisign was the first and most recognized, but for now my company
probably won't even put up the SSL logo.
Now, if you are doing something small, just go with Comodo's lowest
plan, which is around $100; MOST browsers are 128-bit and higher anyways.
Hope this helps. -Aryk
I've been using GoDaddy's $19.99/year certs for several years on
projects with users with all kinds of browsers. I really don't see any
reason why anyone would spend several hundred (or even one hundred)
dollars when they don't need to. I would strongly recommend *against*
Verisign for anything and everything they offer.
What do you think about creating your own SSL certificate?
That's perfectly fine - for testing or, perhaps, internal-only use. For
a real site, you need a cert signed by a CA whose cert comes with the
user's browser, else you'll get security warnings (and anybody with any
sense won't start typing in their credit-card info if that happens =)).
Is GoDaddy recognized by browsers?
But what if you don't need credit cards, just SSL for login? It's always
a secure connection, even if it's self-made; obviously if someone has to
pay it's different...
GoDaddy has a CA cert in Firefox, not sure about IE - they're claiming
99% browser recognition.
If SSL is just for login, it's still a bad idea to self-sign - again,
it's fine for a dev/internal-only site, but for a "real" site, users may
(rightfully) think their credentials are trying to be hijacked.
If you _are_ doing internal-only apps w/ SSL, your best bet is to
generate your own CA cert & have it installed in the end users' browsers
- that way you can use that to generate multiple legitimate site certs.
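
The private-CA setup described in the last reply, as an added example that is not part of the original thread: one CA certificate signs several internal site certificates, and only ca.crt has to be installed in users' browsers. The CA name, the hostnames and the validity periods are constructed for illustration.

```shell
#!/bin/sh
# Added example: private CA for internal-only sites (all names are constructed).

# make_ca DIR: create the CA key and a self-signed CA certificate in DIR.
make_ca() {
    dir=$1
    mkdir -p "$dir"
    # Own config file, so nothing depends on the system-wide openssl.cnf.
    cat > "$dir/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Internal CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$dir/openssl.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# issue_site DIR HOST: make a key and CSR for HOST, then sign it with the CA in DIR.
issue_site() {
    dir=$1
    host=$2
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" \
        -subj "/CN=$host" -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
    # Leaf extensions: not a CA, server use only, hostname in subjectAltName.
    printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' \
        "$host" > "$dir/$host.ext"
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 90 -extfile "$dir/$host.ext" -out "$dir/$host.crt" 2>/dev/null
}

# verify_site DIR CERT: exit status 0 only if CERT chains to the CA in DIR.
verify_site() {
    openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}

# Usage (constructed hostnames):
#   make_ca ./pki
#   issue_site ./pki wiki.internal.test
#   issue_site ./pki hr.internal.test
#   verify_site ./pki ./pki/wiki.internal.test.crt && echo trusted
```

Keep ca.key off the web servers: anyone holding it can mint certificates that every browser with ca.crt installed will accept.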