Web Hosting Talk







offering shared ssl


echoweb
07-05-2001, 11:03 PM
Greetings all,

In the past couple of months, we have received a lot of requests from our customers regarding shared SSL. I was wondering how we can offer shared SSL to all of our clients? What would the costs be? How would we go about getting it up and running?

Any advice would be appreciated.

Best Regards,
Boris

teck
07-05-2001, 11:17 PM
If you're running a CP based box, then set up an SSL cert for an account such as secure.whatever.com. Then all the clients on the box can access the shared SSL by going to secure.whatever.com/~account.

echoweb
07-05-2001, 11:55 PM
Yeah, we are running a box at VDI with Cpanel. The question is... how exactly do we set this up?

Boris

Get-Hosted.com
07-05-2001, 11:59 PM
Just get SSL and when they go to https://yourdomain.com/~username their site will be secure.

Palm
07-06-2001, 01:11 AM
1. Generate a Certificate and an RSA key in the WHM.
2. Go to a company like thawte.com or verisign.com and register that certificate.
3. They will encrypt everything and send you another key back.
4. Go to your WHM and insert whatever it asks you to do. I think they ask you for the RSA key and the Certificate the company sent you.
5. Once it's installed, users can now access their site through SSL by going to a link such as https://yourservername.com/~theirusername/

Hope that helps.

Phoenix
07-06-2001, 02:17 PM
This information came from a white paper written by Verisign about just the issue of sharing your SSL certificate with your customers. http://www.verisign.com/rsc/wp/certshare/certshare.html

You might want to think long and hard about the legal ramifications before sharing your cert.


Shared SSL for Service Providers
Many ISPs and Web host companies offer "Shared SSL" Web host plans as their entry-level plans for newer customers to the Internet. A shared SSL plan offers the use of a certificate that has been issued to the ISP and is typically registered to the ISP's domain name: for example, https://secure.isp.com. Typically, entry-level customers are extremely price-sensitive, want ease of use, and are not interested in the technical requirements of their Web site.

These are the requirements set forth by VeriSign for using your own SSL certificates in a shared environment:



Merchants must communicate in writing to their customers that the site's encryption is provided by their ISP and not by them. The ISP can accomplish this by providing the merchant with the ISP's Secure Site Seal, which users can use to verify the SSL certificate for the Web site.
The ISP is responsible for guaranteeing that payment has been received and processed and for the fulfillment of any goods or of services that are rendered due after the transaction has been completed, unless other legal agreements are in place that state otherwise (VeriSign would have to review these documents to assure validity).
NetSure warranty protection is forfeited for merchants using shared-SSL plans.
ISPs must give merchants the opportunity to obtain a dedicated Server ID.
The ISP may not charge the customer additional costs for using a VeriSign ID for shared SSL deployments.



Are you sure you still want to share your certificate?

UmBillyCord
07-06-2001, 03:06 PM
While I agree with Phoenix that hosts should really think twice about using shared, I really do not see this happening for most. It is hard to tell a price-sensitive customer that after they pay $100/yr for hosting, that they need to pay an additional $100 - $350/yr for a cert. If our customers need SSL, we tell them they need their own cert. While many do it, we still lose customers to those who allow sharing.

I believe this is just a typical strong arm tactic by Verisign. They see huge revenue lost to shared certs, so they can't legally force you not to share, so they feed you this S***.

WebSnail.net
07-06-2001, 03:33 PM
Hmm... it's worth bearing in mind that in some cases it's worth having a secure connection for use other than credit card details...

I have come across some situations where users prefer to send what they consider private information about themselves over a secure link. Here in the UK for example it would strengthen your claims if you're planning to store information that comes under the Data Protection Act.

Just a thought anyway...

echoweb
07-06-2001, 09:01 PM
Greetings all,

After some consideration we decided to offer shared SSL to all of our customers at no charge on one condition: they may not use it to process credit card or other HIGHLY sensitive information.

Any comments about a policy like that?

Boris

Palm
07-06-2001, 09:10 PM
echoweb, that's what the clients need SSL for: to process credit cards or valuable information. If not, then why would they need it?

echoweb
07-06-2001, 09:35 PM
I think that if a client wants to process credit cards online and gets a merchant account to do so, he can afford to purchase his own certificate.

Shared SSL will be used to process clients' "contact forms" or whatever else they might see it useful for.

Boris

Chicken
07-06-2001, 11:45 PM
I never thought much about it before, but it seems by sharing the SSL cert., hosts are somewhat negating the whole *purpose* of a secure cert. for the most part??? Hmmm. True?

I realize the encryption factor, I mean more the 'trusted' factor.

kunal
07-07-2001, 03:40 AM
i have to agree with chicken here.. the point of having SSL or any other form of security layer is so you can differentiate between sites... so you know that this site is safe, and this isn't... sharing info like this over a public box is not a good idea at all... it makes running a scam and fraudulent transactions more authentic...

i could sign up for a service like this, and run a credit card authentication.. and bill the user.. the host wouldn't detect this in any way... but the transaction would be authentic.. correct?

it's like running a bank with the vault keys with all your customers
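
Added example, not part of any post in this thread: a small Python audit of what the certificate check covers when every account is served from one host name via the `/~account` paths described above. The host names, account names and certificate name list are constructed, and the name matching is a simplified left-most-wildcard check, not a full certificate validator.

```python
from urllib.parse import urlsplit

# Constructed sample data (not from the thread): the names in the host's
# certificate and three URLs a shopper might be sent to.
CERT_DNS_NAMES = ["secure.isp.example"]
URLS = [
    "https://secure.isp.example/~flowershop/order.html",
    "https://secure.isp.example/~unknownshop/checkout.html",
    "https://flowershop.example/order.html",
]

def name_matches(hostname, pattern):
    """Match a host name against one certificate DNS name (left-most '*' only)."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat

def tenant_of(path):
    """Return the account name from a /~account/ path, or None."""
    first = path.lstrip("/").split("/", 1)[0]
    return first[1:] if first.startswith("~") and len(first) > 1 else None

def audit(urls, cert_names):
    """Per URL: the host the certificate vouches for, and the unverified account."""
    rows = []
    for url in urls:
        parts = urlsplit(url)
        host = parts.hostname or ""
        ok = any(name_matches(host, n) for n in cert_names)
        rows.append({"url": url, "verified_host": host if ok else None,
                     "tenant": tenant_of(parts.path)})  # tenant: never checked by TLS
    return rows

def tenants_sharing_identity(rows):
    """Group accounts by the single host name the certificate vouches for."""
    shared = {}
    for r in rows:
        if r["verified_host"] and r["tenant"]:
            shared.setdefault(r["verified_host"], set()).add(r["tenant"])
    return shared

if __name__ == "__main__":
    rows = audit(URLS, CERT_DNS_NAMES)
    print(*rows, sep="\n")
    print(tenants_sharing_identity(rows))
```

Both `/~account` URLs pass with the same verified name, so the certificate says nothing about which account the visitor is dealing with; the merchant's own domain does not match the host's certificate at all.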

WebSnail.net
07-07-2001, 08:14 AM
Originally posted by kunal
it's like running a bank with the vault keys with all your customers

Hmm good point... I guess what you're basically saying is that the information is only as safe as your least trustworthy customer.

kunal
07-07-2001, 08:16 AM
Originally posted by WebSnail.net


Hmm good point... I guess what you're basically saying is that the information is only as safe as your least trustworthy customer.

yes :)

Phoenix
07-09-2001, 11:49 AM
Originally posted by WebSnail.net


Hmm good point... I guess what you're basically saying is that the information is only as safe as your least trustworthy customer.

Bingo!

There's another reason for businesses to want to share their host's SSL cert besides just the cost of the cert.

SSL certs are not just issued to anyone who requests one. The certificate issuers have strict criteria for issuing the certs. They reject any request that doesn't meet their criteria.

If you are going to serve as a de facto certificate issuer by allowing them to use yours, you owe it to yourself and the rest of the customers using that cert to be particular about who you share it with.

If you are afraid of losing sales to a host who will give them shared SSL, let potential customers know that if they use a shared certificate, that it is unethical, there are a number of security risks involved, and their customers could sue them.

If after all that, they still wish to go for the shared SSL, then you probably aren't losing anything in the long run.

Eagle
07-09-2001, 05:54 PM
I've done it before
contact me (herps@ewsnl.com) if you'd like me to help