Solved

Wildcard SSL Certificate

Posted on 2012-09-17
Last Modified: 2012-09-26
We currently have 2 domain names on the same dedicated server, with several subdomains pointing to other servers...
ex:
  MyDomain.com and MonDomaine.com are on server IP 123.123.123.123
  We also got server1.mydomain.com at 123.123.123.124
                     server2.mydomain.com at 123.123.123.125,
                     server3.mydomain.com at ... etc

We need a wildcard certificate for mydomain.com.

I've been looking at that type of certificate for the whole afternoon, and from what I see, the price goes from 50$/year to 500$/year!

What justifies such a huge difference in pricing?  (Is there anything I misunderstand here?)

Can anyone suggest a place where I can find a fair price with good service?

Thanks for the information.
16 Comments
 
LVL 5

Expert Comment

by:sfmny
ID: 38407303
Wildcard SSL certificates are more expensive than single domain ones because they relate to multiple domains. Technically, it doesn't really make a difference; it's just that since you can use one SSL cert for several subdomains, CAs just want to make sure they get some more money. You can have an SSL for a hundred subdomains for $500 or get 100 Single Domain SSLs @ $5000. In that case, it makes better sense to go wildcard.
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 38407367
Included with SSL certificates is an insurance policy or warranty that will reimburse you if the encryption fails for some reason.  Typically higher insurance values mean higher prices.
0
 
LVL 10

Author Comment

by:Christian de Bellefeuille
ID: 38407405
@SFMNY: I understand that, but for the same service, I get prices from 50$ to 500$...
I'm not comparing prices between Regular SSL vs EV SSL.   I'm comparing Wildcard SSL vs Wildcard SSL... the price should be similar.  I know they are there to make money.

@DAVE: Exactly.  That's the only difference I saw yet.  The one I've found at 50$ had a 10K$ warranty.  The others between 400-500$/year got a warranty of 100-125K$.

Also, I've noticed that some of them have similar pricing around 500$, but it's for a SINGLE SERVER only!  (Thawte for example).  That means that if you host subdomains on several servers, that costs your legs & arms!  Others with a similar price have Unlimited subdomains on unlimited servers (Geotrust for example).
0
 
LVL 5

Expert Comment

by:sfmny
ID: 38409782
I see what you mean.

It's not just the Warranty, not all SSLs are the same. There are different levels of encryption too. The higher the encryption you want - if you're a bank - the larger the key size becomes. 2048 bit key is pretty good, but also slower to encrypt and decrypt and it turns into a trade off on performance and security. You usually get 1024 bit for cheaper but is considered less secure.

https:// is a two step process, where the browser uses the SSL (after it checks SSL veracity) to set a subsequent session key with the web server. The SSL is used for a key exchange. The subsequent key is usually of a smaller size, 128 bit (weak) and upwards.

As a commercial process though domain name, warranty, expiration period and CA reputation tend to form the basis for the price. Let me know if you want more info on SSLs as such.
0
 
LVL 5

Expert Comment

by:sfmny
ID: 38409837
You can check out Google's search tool's certificate on your browser. It's a 1024, if you're doing online banking, you need 2048-bit.
How to view SSL details on Firefox
0
 
LVL 10

Author Comment

by:Christian de Bellefeuille
ID: 38410009
It's for an "almost realtime" screen transmission... I seriously doubt that we would use 2048 bits for that, it would be too CPU intensive.
0
 
LVL 12

Assisted Solution

by:freshcontent
freshcontent earned 400 total points
ID: 38410047
I would urge you to look at NetworkSolution's certificate pricing.

Their wildcard certificates are competitively priced, and I've gotten mine for $290/year for four years ($1100 total) when using a coupon.  You can search on Network Solutions coupons, but if you go to their home page, you will usually see a 40% discount on SSL certificates that includes wildcard certificates.

I just went to the home page for networksolutions.com, hovered over the top navigation SSL certificates, and there is a 40% off link to click on.

We've been pleased also with the name recognition of the Network Solutions trust seal and feel that the brand is recognized and trusted.

Maybe not as much as VeriSign (now Symantec), but the cost is so much cheaper and it is still well-recognized.

Still not cheap, but cheaper and as well thought of as most SSL certs.

I haven't looked as much at insurance, but what I'm looking for is a responsible Certificate Authority (CA) that has a good reputation and won't allow "tainted" certs or a compromise to their certificate chain to affect my business.

NetworkSolutions offers that, in my opinion.

And no, I do not work for them...

I like GoDaddy.com as well, and they are cheaper on wildcard SSL certs ($199/year for 1 year without a coupon).

Hope that helps...
0
 
LVL 5

Expert Comment

by:sfmny
ID: 38410071
Unless you can differentiate sensitive info from the not so, I'd recommend having an SSL. 1024 is probably the way to go in this case.
0
 
LVL 12

Expert Comment

by:freshcontent
ID: 38410579
I use a 2048-bit CSR for all of our SSL certificates.
0
 
LVL 5

Expert Comment

by:sfmny
ID: 38413909
You probably want to look into this too. If you have heavy site visits, you might want to consider upgrading the server to deal with 2048 bit key. 1024 bit is good enough for now - is what I'm trying to say. If your server has resources in spare, then go with 2048.
0
 
LVL 10

Author Comment

by:Christian de Bellefeuille
ID: 38422936
But can anyone explain to me this example taken from Geotrust:
"Security: business identity authentication, strong 256-bit encryption, 2048-bit root"

I'm a bit lost...
0
 
LVL 12

Expert Comment

by:freshcontent
ID: 38423727
I found this article comparing 256-bit SSL encryption to 128-bit SSL encryption.


Hopefully it helps you understand the difference.

Also, looking at the wikipedia article on AES encryption may give you more insight as well.


~Andy
0
 
LVL 10

Author Comment

by:Christian de Bellefeuille
ID: 38434351
I was not clear.   What I meant is that I don't know what the difference is between the 256-bit encryption and the 2048-bit ROOT.

And every transactional web site I've found is using 256 bits, that's why I don't understand... if it's so unsecure, then why are we using this for financial transactions?

Usually, when we talk about AES, we use 256 bits.  But for RSA, people use 2048.   I guess RSA is used for SSL Certificates?  I've checked one of the domains I've got a certificate for, and it's RSA 2048 bits.  When I check at Tiger Direct, it's also RSA 2048.
0
 
LVL 84

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 800 total points
ID: 38434569
I think your answer is here: https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=SO17346&actp=search&viewlocale=en_US&searchid=1348606272491

It says that the 2048-bit key is used as the basis for generating and communicating a 256-bit Session key that is used during the actual transmissions.
0
 
LVL 5

Accepted Solution

by:sfmny
sfmny earned 800 total points
ID: 38438309
Hello there,

I thought this issue was resolved and didn't get back. SSL certificates are one part of the encrypted transaction. I'll summarize the process, but the book Cryptography and Network Security is an excellent resource to get started if you have the time.

It's a two step process and here's the reason why:

1. SSL certs and 2048 bit key - Asymmetric algorithm where the public key is different from the private key

The SSL certificate has a "public" key that can be used by anyone (the public) to send information to the server. The server has a private key (that should be kept secret at all costs). This private key is used by the server to decrypt information. The asymmetric key encryption and decryption processes are very time consuming (key management is a factor too) and are hence used to determine the actual key which will be used to encrypt data to the server in step 2.

2. Session key and 256 bits - symmetric algorithm where there is a single key that is kept hidden

Symmetric algorithms are secure - the key length makes a big difference in both cases BUT the problem is how can two parties determine what the key should be?? A web server can have a million users and you can't have a million keys - one for each user. And worse you have to track and manage those keys! Therefore, the Asymmetric algorithm is used to determine what the session key will be. Remember the two parties have never "met" before. The session key is discarded after the session is complete and a new one is created for the next session. This way you don't have to track or manage keys.


Also, even though you see 2048-bits for the asymmetric key and 256-bits for the symmetric key - don't assume level of security purely on key length. The underlying algorithm also plays a role. A 256 bit symmetric key is much stronger than a 2048-bit asymmetric key. 2048 asym is approx equivalent to 112 sym key (See key length in wiki). Again, key size is not the only factor. The underlying algorithm and key management are equally important. Hope this answers your question. Let me know!
0
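
The two steps from the accepted answer, run with the `openssl` command-line tool, as an added example that is not part of the original thread: a 2048-bit RSA key pair carries a random 256-bit session key, and AES-256 then encrypts the data. The `hex` and `hybrid_demo` helpers, the file names and the sample message are constructed for illustration, and the exchange is reduced to key transport only, not a full SSL/TLS handshake.

```shell
#!/bin/sh
# Added example (not from the thread): RSA-2048 key transport of a 256-bit session key.
# File names and the sample message are constructed for illustration.
set -eu

hex() { od -An -v -tx1 "$1" | tr -d ' \n'; }   # raw bytes -> hex string for openssl -K

hybrid_demo() {
    msg=$1
    dir=$(mktemp -d)

    # Server, once: the 2048-bit key pair whose public half sits in the certificate.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/server.key" 2>/dev/null
    openssl pkey -in "$dir/server.key" -pubout -out "$dir/server.pub"

    # Step 1, client: random 256-bit session key, encrypted to the server's PUBLIC key.
    openssl rand -out "$dir/session.client" 32
    openssl pkeyutl -encrypt -pubin -inkey "$dir/server.pub" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$dir/session.client" -out "$dir/wrapped.bin"

    # Step 1, server: only the PRIVATE key can recover the session key.
    openssl pkeyutl -decrypt -inkey "$dir/server.key" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$dir/wrapped.bin" -out "$dir/session.server"
    cmp -s "$dir/session.client" "$dir/session.server"

    # Step 2: bulk traffic uses fast symmetric AES-256 under that session key.
    # (CBC without a MAC keeps the demo short; real TLS authenticates every record.)
    iv=$(openssl rand -hex 16)
    printf '%s' "$msg" | openssl enc -aes-256-cbc \
        -K "$(hex "$dir/session.client")" -iv "$iv" -out "$dir/ct.bin"
    plain=$(openssl enc -d -aes-256-cbc \
        -K "$(hex "$dir/session.server")" -iv "$iv" -in "$dir/ct.bin")

    echo "wrapped_bytes=$(( $(wc -c < "$dir/wrapped.bin") ))"
    echo "session_key_bits=$(( $(wc -c < "$dir/session.server") * 8 ))"
    echo "plaintext=$plain"
    rm -rf "$dir"
}

hybrid_demo "frame 0001 of screen stream"
```

The slow RSA operation runs once per session on 32 bytes of key material; everything after that is AES, which is why the 2048-bit figure and the 256-bit figure describe different parts of the same connection.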
 
LVL 10

Author Comment

by:Christian de Bellefeuille
ID: 38439326
Thanks sfmny and DaveBaldwin.  That explains pretty much what I need to know.
0
