SSL Pricing, Differences, HSTS – Kitchen Sink – March SIG Meeting Wrap-Up

Our February session on SSL was well received and proved to be extremely interactive. We had a good discussion but at the end of our 55 minutes, we were left with questions and wanting to know more.
So what are the differences between the various SSL certificates? Do I need a DV, OV or EV certificate? Will a wildcard cert take care of every domain name I own?

Is HSTS the same as HTTPS? Where can I buy that certificate?

What’s the deal with pricing all over the map when it comes to SSL certificates? Is the free one from Let’s Encrypt any less secure than the $69 one from GoDaddy?

SSL Certificate basics

DV – Domain Validated Certificate – capwebsolutions.com

• Padlock/HTTPS
• Validates domain is registered
• Someone with Admin rights approved certificate request
• Verified against domain registry
• Least expensive
• Verified by email or DNS – very quick – approved in minutes

OV – Organization Validated

• Padlock/HTTPS
• Validates domain is registered, plus organization info eg. name, city, state, country
• Trusted
• Authenticated by agents against business registry databases
• Verified in a few hours to weeks
• Company info shown in certificate details

EV – Extended Validation – twitter.com

• Green bar/Padlock/HTTPS
• Validation governed by Guidelines for Extended Validation
• Provides vetting process much stricter than OV certificates

Wildcard

• Secure unlimited number 1st level sub domains on single domain
  • *.yourdomain.com as the common name.
  • Secures www.yourdomain.com, mail.yourdomain.com, secure.yourdomain.com, anything.yourdomain.com

HSTS vs HTTPS

Again, we jump out to the web authority – Wikipedia – to get the scoop on HSTS.

HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol.

• Webserver issues header indicating can only be communicated with from HTTPS sites
• Protects public from man-in-the-middle SSL stripping mechanisms
• HSTS forces browsers and app connections to use HTTPS
• Browsers use a preload list that specifies sites that must connect via HTTPS from the initial connection
• Excellent Reference with more details, and step by step directions to implement HSTS on your website.

globalsign.com/en/blog/what-is-hsts-and-how-do-i-use-it/

Pricing?

• All over the place – See NameCheap: https://www.namecheap.com/security/ssl-certificates/domain-validation.aspx
  • DVs $9 – $99
  • OV $39 – $59
  • EV $89 – $169
  • Let’s Encrypt DV – $0

Resources

• Get your site into browser preload. Site preload status => https://hstspreload.appspot.com/
• HSTS Browser Compatibility – //caniuse.com/#feat=stricttransportsecurity
• Good link for more detail: https://kinsta.com/knowledgebase/hsts/

Ideas for Upcoming Meetings?

Feel free to ask questions, offer feedback, or suggest topics for an upcoming meeting via the form below.