LinuxQuestions.org

Thread: Shared SSL Certificates (https://www.linuxquestions.org/questions/linux-general-1/shared-ssl-certificates-931407/)

devUnix 02-26-2012 01:37 PM

Shared SSL Certificates
 
My friend is setting up a website and wants users to make payment online using their debit/credit cards and net banking. This will be used only when they click a particular page (http://www.shop.example.com/) that says, for example:

Plan A : $100 Select

Plan B : $200 Select

and when users click on any of the Select links above then they are to be redirected to the Secure Transaction page / gateway with the amount $100 or $200 whatever is being passed to the next page.


If my friend goes for a Web Hosting plan that provides Shared SSL Certificates then will it suffice? Or should he go for a web hosting plan that provides a Private SSL Certificate?

I read some notes on Shared SSL Certificates here. However, I am not much familiar with this stuff.


Any insight on that?


A Side Note: When our web site is going to have an SSL Certificate, are there any things that we should take care of while building / developing the website keeping the SSL Certificate thing in mind? I build the website for him without any SSL stuff attached to it. Do I need to make any changes before going for the SSL Certificate?


Note on SSL:


My friend just had a chat with a Web Hosting provider and the agent says:

Private SSL is preferred for protecting credit card information for E-Commerce websites. This is because shared SSL warnings make people uncomfortable with submitting their credit card information on your website.

I have compared two well known web hosting service providers' prices. Their prices are equal at this level:


First Web Hosting Provider:


Unlimited Space/Domains/Band-Width or Transfer/

Second Web Hosting Provider:

Unlimited Space/Domains/Band-Width or Transfer/ + Shared SSL Certificate + 1st Year's Domain Registration is Free

If we pay about 40% more to this one then it will provide a Private SSL Certificate and an IP as well.

My friend's requirements are essentially and primarily supports for MySQL, PHP, Secure Transactions, and at least 3 to 5 sub-domains.

acid_kewpie 02-27-2012 06:32 AM

If you are concerned with ensuring the security of credit card details then stop. You should run a LONG way from actually handling any card details. Let them use paypal, world pay or another existing service for this. Don't handle this yourself. With that separation in place, you should be fine with a shared SSL cert for other data.

devUnix 02-27-2012 07:51 AM

Quote:

Originally Posted by acid_kewpie (Post 4613100)
If you are concerned with ensuring the security of credit card details then stop. You should run a LONG way from actually handling any card details. Let them use paypal, world pay or another existing service for this. Don't handle this yourself. With that separation in place, you should be fine with a shared SSL cert for other data.

I just checked some Payment Gateway Service Providers:

I am familiar with them in the sense that when I make payment online for my Credit Cards, etc. I am redirected to their sites for making the payments. For example, Citi Bank and HDFC Bank use them respectively.

ccavenue says on the website:

Quote:

No PCI DSS 1.1 compliance or Verisign SSL certificate required on your website.
How about it?

acid_kewpie 02-27-2012 07:54 AM

What about it? You absolutely do not want to be PCI DSS compliant, or rather, you won't realistically be able to be in the first place. Mo money = Mo problems. Make someone else deal with it.

sundialsvcs 02-27-2012 08:08 AM

I very strongly agree that you should use a third-party processor. I use http://e-junkie.com and have been quite satisfied with them for about a half-dozen years now.

devUnix 02-27-2012 08:50 AM

Quote:

Originally Posted by sundialsvcs (Post 4613152)
I very strongly agree that you should use a third-party processor. I use http://e-junkie.com and have been quite satisfied with them for about a half-dozen years now.



Thanks for the pointer!


acid_kewpie: Thanks for your inputs as well. After discussing on this forum, I am at least sure that I do not require Private SSL Certificate. At least, I can go without it for some time and see how customers act/react.

sundialsvcs 02-28-2012 08:53 AM

As far as certificates are concerned, and especially given that I do not host payments directly on any web site (payments are routed to a third party processor which merely sends me back an acceptance-hash), I most commonly use self-signed certificates and simply tell the customer to accept them.

At the end of the day, any SSL certificate provides just as "good" security as any other. The entire very lucrative house-of-cards is built on the specious notion that there is one uber-trustworthy "root certifying authority." Which is very nice if your company happens to be one and if you manage to squelch the rather continuous reports of how someone has filched one of your crown jewels. (The problem is that, if that ever did happen once ... and it has ... then no one would know.) So, I simply avoid the contretemps, and the expense. Your communications are encrypted, and you are simply going to have to believe that the site is what it professes to be.

For an alternate strategy that actually works well, once again consider GPG/PGP, with its "web of trust" model. The idea here is that if thousands of people say they trust the same thing, it's probably trustworthy.

acid_kewpie 02-28-2012 08:58 AM

Certainly the SSL trust model is *theoretically* nonsense, but you're stuck with it if you want to provide a decent and rewarding user experience. I work with enough IT staff who are scared of self signed certs, let alone customers.

Quote:

Originally Posted by sundialsvcs (Post 4614128)
For an alternate strategy that actually works well, once again consider GPG/PGP, with its "web of trust" model. The idea here is that if thousands of people say they trust the same thing, it's probably trustworthy.

Thousands? Would you believe 2000 people who told you faceb00k.com was legit?

devUnix 03-08-2012 02:54 AM

sundialsvcs and acid_kewpie:


Both of you are thanked for your contribution to the post/question/problem. For the payment processing, I would use a PPG which is trustworthy enough to get business done from. I have indirectly used some PPGs when making payments, booking flight tickets, etc. and noticed how efficiently or poorly some of them work.

I listed two names above and the first of them meets the requirements efficiently as my bank would be involved in final processing of the payment.

For the SSL part, I think I can go with the Shared SSL Certificate plan. Can you throw some light on the Private IP as well? Or shall I move this one to a new thread?

acid_kewpie 03-08-2012 02:55 AM

I generally wouldn't care about a private IP if you're only looking for a conventional website host.

devUnix 03-08-2012 03:15 AM

Quote:

Originally Posted by acid_kewpie (Post 4621583)
I generally wouldn't care about a private IP if you're only looking for a conventional website host.

Well, my friend is into some service providing business and the website would hopefully be visited by several users as the business would grow.

Besides, one more thing for you: :)

My friend wants to register two more suffixes to avoid misuse of his domain name such as:

domainName.net
domainName.co

So, would he require web hosting for them as well? Can he simply redirect from those URLs to his main domain (domainName.com) somehow?

acid_kewpie 03-08-2012 07:06 AM

You're welcome to host whatever domains you want, as long as you own them. Sounds like you want to be doing an explicit redirect to the preferred domain name though rather than actually hosting them. Whilst you can clearly do this yourself, I'm pretty sure some registrars provide noddy help like that as part of the registration fee, meaning you can just forget all about them if you are just parking them.

devUnix 03-08-2012 07:57 AM

Quote:

Originally Posted by acid_kewpie (Post 4621742)
Whilst you can clearly do this yourself, I'm pretty sure some registrars provide noddy help like that as part of the registration fee, meaning you can just forget all about them if you are just parking them.

Not sure how to do it myself. But as you have pointed out the registrars can provide this functionality then let me contact them and most likely they can offer some discount also on multiple domains registration. ;)

acid_kewpie 03-08-2012 08:03 AM

An Apache virtual host that just serves a 302 is very simple.
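As an added illustration of the redirect-only virtual host described in the post above (this is example configuration, not acid_kewpie's or LinuxQuestions' own), the parked names domainName.net and domainName.co answer every request with a 302 to domainName.com; it assumes Apache 2.4 with mod_alias loaded, and the domain names and paths are the thread's placeholders.

```apache
# Added example: the preferred name is listed first so that it is also the
# default vhost for requests whose Host header matches nothing below.
<VirtualHost *:80>
    ServerName   domainName.com
    ServerAlias  www.domainName.com
    DocumentRoot /var/www/domainName.com
</VirtualHost>

# Parked names: serve no content, only a redirect to the preferred domain.
<VirtualHost *:80>
    ServerName  domainName.net
    ServerAlias www.domainName.net domainName.co www.domainName.co

    # mod_alias Redirect; "302" is the default status, written out here for
    # clarity. The request path is kept, so /plans -> http://domainName.com/plans
    Redirect 302 / http://domainName.com/

    # Separate logs make it easy to confirm the parked names only ever redirect
    ErrorLog  ${APACHE_LOG_DIR}/parked-error.log
    CustomLog ${APACHE_LOG_DIR}/parked-access.log combined
</VirtualHost>
```

Check it with `apachectl configtest` before reloading, then `curl -sI http://domainName.net/plans` should show `HTTP/1.1 302 Found` and `Location: http://domainName.com/plans`.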

sundialsvcs 03-08-2012 09:23 AM

Without question, at this point, use a third-party payment processor that your bank trusts. There are gobs and gobs of so-called "PCI compliance issues" that you do not want to have to deal with on your own.

On our site we took pains to say: "We don't know what your credit-card number is. We never did know, and we never want to." Basically, there's nothing to steal from our site. The confidential financial information literally isn't there. All we have are confirmation hash-strings from the payment processor.

