2

I want to purchase an SSL/TLS certificate for my website, for three reasons:

  • To be able to display web-push notifications
  • Improve website rankings on Google
  • Obtain more trust from visitors

I have a single domain. When the user is on the page I have some tracking JavaScript code which makes an HTTP request to a subdomain of my website, for tracking purposes.

This is a list of Certificates that I found

What would in my case be the best option?

  • The cheapest one doesn't support subdomains apparently - But for my use case, do I really need that kind of support? Visitors don't visit the subdomain, they just send requests to it.
  • If the first one is not good enough, then I see there's a decently priced one for "3 domains" - does it mean I can use it on a subdomain too? Or I must take the wildcard which is more expensive?
  • Why does only one of the packages say that you get "mobile browser support" - does it mean that all other packages won't show the SSL for mobile users?
Eelke
  • 506
  • 1
  • 5
  • 18
rockyraw
  • 121
  • 2
  • 3
    Why purchase when you could obtain from LetsEncrypt for free? – multithr3at3d Apr 28 '18 at 16:01
  • Never heard about this option. What the downside of it? I don't mind spending a bit if a paid service is more reputable and more easy to install. – rockyraw Apr 28 '18 at 16:15
  • LetsEncrypt and others are highly reputable. The certificates can be installed and renewed automatically, and there isn't really a disadvantage unless you are looking for something like an EV certificate. – multithr3at3d Apr 28 '18 at 16:17
  • 1
    Maybe a good starting point is [this thread](https://security.stackexchange.com/questions/87443/what-makes-lets-encrypt-secure). – Arminius Apr 28 '18 at 16:24
  • which kind of certificate do I need though? – rockyraw Apr 28 '18 at 16:47
  • The disadvantage of Let's Encrypt is that the certificate expires in just three months (most paid providers provides at least a year and up to two-three years). Though this isn't an issue since the normal way of setting up Let's Encrypt is to install an ACME client which automates renewal. Also LetsEncrypt only provide free DV certificate. – Lie Ryan Apr 30 '18 at 12:53

3 Answers3

2

You do need to have a certificate for your sub-domain, otherwise you will get mixed-content warnings. So option one is out.

Having "3 domains" includes sub-domains. You can see it in their example when you click on the option. You certainly don't need a wild-cart certificate.

blog.mysite.com, secure.mysite.co.uk, payment.mysite.net, www.blog.mysite.org

As for mobile support, when I click on the certificates, all of them include mobile support in the table of features. I have no idea why they decided to specifically mention it in one description and not others.

Peter Harmann
  • 7,778
  • 5
  • 20
  • 28
  • thanks. what do you think about the LetsEncrypt option? – rockyraw Apr 28 '18 at 17:14
  • 1
    @rockyraw If you can set-up the automated renewal software, then Let's encrypt is probably the best option. Manually renewing Let's encrypt certificates every 3 months is too much of a pain IMO. If you want to go with them, you need automation. – Peter Harmann Apr 28 '18 at 17:16
1

Unless you would like an Extended Validation Certificate (green bar with organization displayed) just use LetsEncrypt - it’s not any more or less secure than any other CA Signed Certificate. LetsEncrypt makes it very easy to generate and renew SSL Certificates which I really like about it.

LetsEncrypt also creates a CSR rather than generating a private key in the browser which the CA could potentially store (cough cough Trustico cough cough).

-1

Like others suggest you can go for Let’s Encrypt. Wildcard SSL/TLS Certificate is the choice to go with, it will offer protection for one main domain with sub-domain.

Which one to purchase is up to you, if you are serious about the website, like its related to work or any other important thing, you can opt for the paid wildcard SSL/TLS Certificate. Now, from which CA (Certificate Authority) to purchase, its all up to you. Different brands are available like Comodo, RapidSSL, GeoTrust, Thawte. You can go with whichever you want as per your budget as all are world renowned & branded. If you’re not sure, tools like our SSL Wizard are also available, where you just answer few of the questions and you will be provided with the list of SSL/TLS Certificates as per your requirements.

If you go for free like Let’s Encrypt, there’s nothing wrong in it. From a technical point of view, there's no risk involved using any of the SSL/TLS Certificates provided free of cost. As every SSL/TLS Certificate protocol confirms that the handshake made between any client or server should generate secure and robust session keys to stop spoofing of data and cyber-attacks like man in the middle. What everyone should look out for is that whether the free SSL/TLS Certificate is capable of providing real-time certificate status using any of OCSP (Online Certificate Status Protocol) or CRL (Certificate Revocation List) or not. The main thing is that the website owner should be capable of conveying a message to their website visitors that their website integrated with SSL/TLS Certificate is trustworthy.

Though some limitations do come in free SSL/TLS Certificates like, you have to manage your keys based on the installed client certificate in your browser. This can become a problem if you have to change your computer or you have to upgrade your OS and don't have any backup of installed client certificates. Some other limitations are like free certificates are offered for a limited period of time like 30, 60 or 90 days.

Apart from this, there does comes a possible disadvantage with Let's Encrypt due to which big companies definitely do not consider going with this. Let's Encrypt disadvantage is that visitors of the website cannot be sure that is the actual company is the one who is hosting the site. The main reason behind is that Let's Encrypt issues certificates for any webpage, without considering the need for identity validation (Personal or Corporate).

I hope it helps.

schroeder
  • 125,553
  • 55
  • 289
  • 326
  • 9
    Welcome to [security.se] Stack Exchange! Please note that whenever you link to your own website, you must explicitly state so. See the [help center](/help/promotion) for more details. – Glorfindel Apr 30 '18 at 11:12
  • 2
    [This BS](https://www.troyhunt.com/on-the-perceived-value-ev-certs-cas-phishing-lets-encrypt/) again? It's not the CA's responsibility to verify anything more than the domain (for DV certs), and EV certs are largely useless (though at least this point is _somewhat_ debatable). – AndrolGenhald Apr 30 '18 at 14:14