Which SSL certificate?

Hi, we're starting a new ecommerce store. On the new domain, I have the Comodo Positive SSL certificate.

We'll be selling some fairly high-priced items, and accepting credit cards. I know the cert I have is compatible with TLS 1.2, so no problems there. Is there any security reason I should go to another SSL certificate?

There's EV certificates, but they don't provide extra security, just the green bar. I'd prefer just to stay with the SSL certificate I have, if nobody thinks it's a problem. Thanks in advance.
mel200Asked:
 
LearnctxEngineerCommented:
There's EV certificates, but they don't provide extra security, just the green bar.

You receive 0 enhanced security from an OV certificate than you do a DV or OV certificate. You are paying to have your company name displayed in the URL bar. It is the CA's way of saying they have made more of an effort to validate your company owns the domain. You would rarely see anyone outside of large enterprise or financial related companies/businesses (not online stores) use an EV. EV certs have more stringent verification requirements on the company to validate their ownership of a domain than an OV cert. DV certs aren't worth knowing about in my opinion. For EV you need to provide details like:

  • Contacts
  • Phone numbers
  • Addresses
  • Corporate documents
  • And so on...

EV certs are a pain in the arse (well not really but relative to an OV cert they are). I manage around 2,000 certs and less than 10 are EV certs (the rest are OV certs). Of those 10 they're almost all for Internet Banking related sites, ATM related operations, or inter bank related connections which for whatever reason the regulator has stipulated an EV cert must be used.

Are EV certs worth it? The short answer is no. The vast majority of users would have no idea if they were dealing with an OV or EV cert let alone some crud DV cert. We spend a lot of money on certs every year due to regulatory requirements and so buying up a bunch of OV certs isn't really a big deal for us in the grand scheme of things. But for a SMB I would not recommend wasting money on OV certs.

We'll be selling some fairly high-priced items, and accepting credit cards.

So does eBay, they do not use an EV cert. But you will notice that PayPal does. This is to bring them in line with other finance companies.

At the end of the day it's your money, you can spend it how you want. I would probably spend the money making sure your site/servers are more secure than on an EV cert.
0
 
masnrockCommented:
You don't absolutely have to get an EV cert, and most places never do. But you better be sure you properly secure the transaction process. You could certainly revisit the topic after you grow to a certain point but it wouldn't make sense right now.
0
 
LearnctxEngineerCommented:
You receive 0 enhanced security from an OV certificate than you do a DV or OV certificate.

This should read "You receive 0 enhanced security from an EV certificate than you do a DV or OV certificate."
0
 
mel200Author Commented:
Ok, so you would recommend an OV cert over a DV cert for an ecommerce store? Thanks for this answer, I needed this info badly!
0
 
mel200Author Commented:
Masnrock, we'll be using authorize.net, is that what you mean?
0
 
mel200Author Commented:
Sorry, just saw this: "But for a SMB I would not recommend wasting money on OV certs." Got it, thanks - um, but what is an SMB? :)
0
 
masnrockCommented:
... we'll be using authorize.net, is that what you mean?
Yes, so you should be pretty solid on that end. And I think everything else has been answered clearly.
1
 
LearnctxEngineerCommented:
Ok, so you would recommend an OV cert over a DV cert for an ecommerce store? Thanks for this answer, I needed this info badly!

It depends on the size of the company and the purpose of the site. If you're just talking about brochure ware static pages I would say DV is fine (if you're using a CA that will issue a DV cert, some will not). If you're a retailer I would go the extra step and recommend an OV cert. A little bit more effort, but the extra validation looks good and your company will be listed on the certificate (vs. just being a certificate for the domain). At the end of the day though, if you are running HTTPS end to end and encrypting your data correctly you are winning and you can't go wrong. Everything else can be sorted out or improved at a later date.
1
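As an added example (not code from this thread or from any CA), a Python sketch of the difference described above: a DV certificate names only the domain, an OV certificate also lists the organization, and an EV certificate carries further vetted identity fields. It is a heuristic over the subject fields exposed by the standard library's `getpeercert()`; the sample certificates and the names `validation_level`, `summarize` and `fetch` are constructed for illustration.

```python
import socket
import ssl

# Subject attributes the EV guidelines require in addition to the organization.
EV_FIELDS = {"businessCategory", "jurisdictionCountryName", "serialNumber"}

# Constructed samples in the shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_DV = {"subject": ((("commonName", "shop.example"),),)}
SAMPLE_OV = {"subject": ((("countryName", "US"),),
                         (("organizationName", "Example Store LLC"),),
                         (("commonName", "shop.example"),))}
SAMPLE_EV = {"subject": ((("businessCategory", "Private Organization"),),
                         (("jurisdictionCountryName", "US"),),
                         (("serialNumber", "0000000"),),
                         (("countryName", "US"),),
                         (("organizationName", "Example Bank Inc"),),
                         (("commonName", "bank.example"),))}


def subject_fields(cert):
    """Flatten the nested RDN tuples of cert['subject'] into one dict."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}


def validation_level(cert):
    """Heuristic: DV names only the domain, OV adds the organization,
    EV adds the organization plus the extra vetted identity fields."""
    subject = subject_fields(cert)
    if "organizationName" not in subject:
        return "DV"
    return "EV" if EV_FIELDS <= subject.keys() else "OV"


def summarize(cert):
    """Return (validation level, organization shown on the certificate or None)."""
    return validation_level(cert), subject_fields(cert).get("organizationName")


def fetch(host, port=443):
    """Connect with default verification; return (TLS version, peer certificate)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert()


if __name__ == "__main__":
    for sample in (SAMPLE_DV, SAMPLE_OV, SAMPLE_EV):
        print(summarize(sample))
```

Passing the certificate from `fetch("your-domain")` to `summarize` shows what a visitor's client actually receives; the TLS version it returns is negotiated the same way whichever validation level the certificate has.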
 
mel200Author Commented:
Wonderful information, just what I needed. Thanks!
0
Question has a verified solution.
