Which SSL certificate?

Hi, we're starting a new ecommerce store. On the new domain, I have the Comodo Positive SSL certificate.

We'll be selling some fairly high-priced items, and accepting credit cards. I know the cert I have is compatible with TLS 1.2, so no problems there. Is there any security reason I should go to another SSL certificate?

There's EV certificates, but they don't provide extra security, just the green bar. I'd prefer just to stay with the SSL certificate I have, if nobody thinks it's a problem. Thanks in advance.
Melody Scott Asked:

Learnctx (Engineer) Commented:
There's EV certificates, but they don't provide extra security, just the green bar.

You receive 0 enhanced security from an OV certificate than you do a DV or OV certificate. You are paying to have your company name displayed in the URL bar. It is the CA's way of saying they have made more of an effort to validate your company owns the domain. You would rarely see anyone outside of large enterprise or financial related companies/businesses (not online stores) use an EV. EV certs have more stringent verification requirements on the company to validate their ownership of a domain than an OV cert. DV certs aren't worth knowing about in my opinion. For EV you need to provide details like:

  • Contacts
  • Phone numbers
  • Addresses
  • Corporate documents
  • And so on...

EV certs are a pain in the arse (well not really but relative to an OV cert they are). I manage around 2,000 certs and less than 10 are EV certs (the rest are OV certs). Of those 10 they're almost all for Internet Banking related sites, ATM related operations, or inter bank related connections which for whatever reason the regulator has stipulated an EV cert must be used.

Are EV certs worth it? The short answer is no. The vast majority of users would have no idea if they were dealing with an OV or EV cert let alone some crud DV cert. We spend a lot of money on certs every year due to regulatory requirements and so buying up a bunch of OV certs isn't really a big deal for us in the grand scheme of things. But for a SMB I would not recommend wasting money on OV certs.

We'll be selling some fairly high-priced items, and accepting credit cards.

So does eBay, they do not use an EV cert. But you will notice that PayPal does. This is to bring them in line with other finance companies.

At the end of the day it's your money, you can spend it how you want. I would probably spend the money making sure your site/servers are more secure than on an EV cert.
0

masnrock Commented:
You don't absolutely have to get an EV cert, and most places never do. But you better be sure you properly secure the transaction process. You could certainly revisit the topic after you grow to a certain point but it wouldn't make sense right now.
0
Learnctx (Engineer) Commented:
You receive 0 enhanced security from an OV certificate than you do a DV or OV certificate.

This should read "You receive 0 enhanced security from an EV certificate than you do a DV or OV certificate."
0
Melody Scott (Author) Commented:
Ok, so you would recommend an OV cert over a DV cert for an ecommerce store? Thanks for this answer, I needed this info badly!
0
Melody Scott (Author) Commented:
Masnrock, we'll be using authorize.net, is that what you mean?
0
Melody Scott (Author) Commented:
Sorry, just saw this: But for a SMB I would not recommend wasting money on OV certs. Got it, thanks- um, but what is an SMB? :)
0
masnrock Commented:
... we'll be using authorize.net, is that what you mean?
Yes, so you should be pretty solid on that end. And I think everything else has been answered clearly.
1
Learnctx (Engineer) Commented:
Ok, so you would recommend an OV cert over a DV cert for an ecommerce store? Thanks for this answer, I needed this info badly!

It depends on the size of the company and the purpose of the site. If you're just talking about brochure ware static pages I would say DV is fine (if you're using a CA that will issue a DV cert, some will not). If you're a retailer I would go the extra step and recommend an OV cert. A little bit more effort, but the extra validation looks good and your company will be listed on the certificate (vs. just being a certificate for the domain). At the end of the day though, if you are running HTTPS end to end and encrypting your data correctly you are winning and you can't go wrong. Everything else can be sorted out or improved at a later date.
1
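Added example (not part of any post in this thread): the DV/OV/EV level discussed above is recorded in the certificate itself, as a CA/Browser Forum policy OID in the certificatePolicies extension. The sketch below reads that extension from a DER certificate with a minimal TLV walker; the function names and the sample bytes are constructed for illustration.

```python
# CA/Browser Forum policy OIDs a CA puts in certificatePolicies to state
# which validation it performed before issuing.
CABF_LEVELS = {"2.23.140.1.1": "EV", "2.23.140.1.2.2": "OV",
               "2.23.140.1.2.3": "IV", "2.23.140.1.2.1": "DV"}

def _tlvs(buf):
    """Yield (tag, value) per DER element (single-byte tags, definite lengths)."""
    i = 0
    while i + 2 <= len(buf):
        tag, length = buf[i], buf[i + 1]
        i += 2
        if length & 0x80:  # long form: low 7 bits count the length bytes
            n = length & 0x7F
            length = int.from_bytes(buf[i:i + n], "big")
            i += n
        yield tag, buf[i:i + length]
        i += length

def _oid(body):
    """Decode the content bytes of an OBJECT IDENTIFIER to dotted form."""
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(val)
            val = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def policy_oids(der):
    """Return the policy OIDs in the certificatePolicies extension (2.5.29.32)."""
    for tag, val in _tlvs(der):
        if not tag & 0x20:  # primitive element, nothing nested
            continue
        kids = list(_tlvs(val))
        if kids and kids[0][0] == 0x06 and _oid(kids[0][1]) == "2.5.29.32":
            (_, policies), = _tlvs(kids[-1][1])  # OCTET STRING wraps the list
            return [_oid(next(_tlvs(p))[1]) for _, p in _tlvs(policies)]
        found = policy_oids(val)
        if found:
            return found
    return []

def validation_level(der):
    """Map a certificate's policy OIDs to EV / OV / IV / DV, else 'unknown'."""
    oids = policy_oids(der)
    return next((lvl for oid, lvl in CABF_LEVELS.items() if oid in oids), "unknown")

# Constructed sample: a lone certificatePolicies extension asserting OV.
SAMPLE_OV_EXT = bytes.fromhex("3013 0603551d20 040c 300a 3008 0606 67810c010202")
```

To classify a live site's leaf certificate, pass `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))` to `validation_level`.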
Melody ScottAuthor Commented:
Wonderful information, just what I needed. Thanks!
0