SSL more information


#1

Hi guys,

So we deal with small business, and a normal use scenerio for us is if we build a website that isn’t accepting money, then we give a free SSL using lets encrypt

If we do a website that does accept money, then we tend to get something like GeoTrust QuickSSL Premium which offers $500k warranty for £40 a year.

We are introducing cloudflare into our bubble and can’t justify anything other than the free cloudflare plan, so we are unable to use custom SSL certificates.

So now the scenerio is set up for you and you know where I am coming from, I would like to know if the “dedicated SSL” that cloudflare offer for $5 per month has warranty?

If not, is there an SSL option via cloudflare that does have warranty?

Otherwise, I guess I am cornered into either paying for a cloudflare business plan or not using cloudflare at all (other than on hobby websites that we only install lets encrypt on anyway)

Thanks


#2

Our certificates are issued by Comodo and Digicert so to the extent that you believe these to be reputable certificate authorities they provide the same value when purchased through Cloudflare.

Reading what that warranty actually covers I’m not sure what value it actually provides.


#3

HI,

Thanks for this. Yes we trust Comodo, we use it ourselves. But when buying a Comodo certificate (any of them) it also gives you warranty. I guess in the event that a website customers card gets hacked and they lose money, then the SSL provider will refund the customer.

I am presuming by your answer that your certificates do not offer warranty?

I also get the impression that your suggesting that the warranty offered by these certificates isn’t all that trustful anyway and could just be ignored?

Cheers


#4

I’m not sure what warranty you’re referring to that provides a refund if a customer’s credit card gets hacked… I read the GeoTrust QuickSSL premium warranty and that’s decidedly not what it says it warrants. That might be the impression they try to impart upon those who purchase their certificates but that’s not what they do.

From Comodo’s FAQ:
“If we fail to properly validate the information contained in a digital certificate, and our failure causes the end-user to lose money in connection with a fraudulent online credit card transaction, then the end-user may have a claim to recovery under our certificate warranty. (see complete Relying Party Warranty and Agreement for complete details)”

So they warrant if they fail to validate a digital cert (e.g. they’ve revoked it but then say it is valid latter if a browser checks and the user can prove that it was already revoked) and the end user can prove that that incident on your website or a website using that revoked certificate allowed someone somewhere somehow to glean their credit card details and then use their details online fraudulently then the user “may” have a claim to recovery.

I’m not aware that any warranty Comodo or Digicert might offer transits when ordered/issued through Cloudflare. You might ask them, but I don’t see the warranty as any kind of a real selling point.


#5

OK, so warranty isn’t that big a deal.

So my next thought is how much benefit is there in real world situations, over a shared SSL and a dedicated SSL?

Thanks


#6

Dedicated supports older browsers that don’t support SNI on the universal (free) certificate.

Beyond that the only real difference is if you dig into the names of other domains that are on a shared cert it might be possible that the shared cert contains a domain name you might find unsavory or unflattering to your own brand. Personally I don’t care what other domains might be on shared certs for my free domains, but I guess some folks might.

For your use case I think the bigger difference (vs. SSL cert differences) is that sites which process payments would likely benefit from the Web Application Firewall which is available on paid plans.