Forum: Ruby on Rails using SSL with Rails Apps

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- und Ruby-related community platforms.
John H. (Guest)
on 2007-01-23 01:41
hi,

any advice on who to buy SSL certificats from and how to install them?

my site is hosted on a dedicated linux box for which I have root access.

i'm not sure if there is much difference between the cheap and the
expensive suppliers.
does it matter who you choose?

are they hard to install?

all advice much appreciated...

-john
Eric G. (Guest)
on 2007-01-23 02:03
Hey John,

I launching an internet e-commerce site where we will be taking
payments. I've been doing a lot of research on this.

I spoke to Verisign and Thawte (owned by Verisign) who have this
technology to step up old browsers to 128 bit encryption if they are
lower. That service costs $600 with Thawte and $1000 with Verisign.

There normal SSL service is a few hundred dollars less.

In any case, NO the ssl certificate authorities don't really matter. You
want to make sure that its well known so that browsers don't popup a
certificate acceptance notice.

With that said, we went with comodo at instantssl.com, you can even get
the plan to step people up to 128 bit for like 250 which is much
cheaper.

Verisign was the first and most recognized, but for now my company
probably won't even put up the SSL logo.

Now, if you are doing something small, just go with a comodo's lowest
plan which is around $100, MOST browsers are 128bit and higher anyways.
Hope this helps. -Aryk
John H. (Guest)
on 2007-01-23 02:14
Aryk G. wrote:
> Hey John,
>
> I launching an internet e-commerce site where we will be taking
> payments. I've been doing a lot of research on this.
>
> I spoke to Verisign and Thawte (owned by Verisign) who have this
> technology to step up old browsers to 128 bit encryption if they are
> lower. That service costs $600 with Thawte and $1000 with Verisign.
>
> There normal SSL service is a few hundred dollars less.
>
> In any case, NO the ssl certificate authorities don't really matter. You
> want to make sure that its well known so that browsers don't popup a
> certificate acceptance notice.
>
> With that said, we went with comodo at instantssl.com, you can even get
> the plan to step people up to 128 bit for like 250 which is much
> cheaper.
>
> Verisign was the first and most recognized, but for now my company
> probably won't even put up the SSL logo.
>
> Now, if you are doing something small, just go with a comodo's lowest
> plan which is around $100, MOST browsers are 128bit and higher anyways.
> Hope this helps. -Aryk

cheers:)

i got stung for a huge Verisgn fee many years ago and I was wondering if
there was anything missing if I went with one of these $100
certificates, but if they're all much the same then that's great.

when i buy it, is there much to do to install it?

-john
Jon G. (Guest)
on 2007-01-23 02:15
(Received via mailing list)
I've been using certs from godaddy for several years on multiple
projects. No problems yet.  For Rails projects, I use pound as a front
end that handles the encryption/decryption, and then passes the rest of
the processing off to mongrel or lighttpd.  It's fairly easy to setup if
you're familiar with SSL.  The pound mailing list would also be a good
source of assistance if needed.  The godaddy instructions that come with
the certificates did NOT include instructions for installation with
pound the last time I bought one 6 months ago.
Jon G. (Guest)
on 2007-01-23 02:26
(Received via mailing list)
Aryk G. wrote:
>
>
> Now, if you are doing something small, just go with a comodo's lowest
> plan which is around $100, MOST browsers are 128bit and higher anyways.
> Hope this helps. -Aryk
>
>
I've been using godaddy's $19.99/year certs for several years on
projects with users with all kinds of browsers.  I really don't see any
reason why anyone would spend several hundred (or even one hundred)
dollars when they don't need to.  I would strongly recommend *against*
Verisign for anything and everything they offer.
John H. (Guest)
on 2007-01-23 02:35
Jon G. wrote:
> Aryk G. wrote:
>>
>>
>> Now, if you are doing something small, just go with a comodo's lowest
>> plan which is around $100, MOST browsers are 128bit and higher anyways.
>> Hope this helps. -Aryk
>>
>>
> I've been using godaddy's $19.99/year certs for several years on
> projects with users with all kinds of browsers.  I really don't see any
> reason why anyone would spend several hundred (or even one hundred)
> dollars when they don't need to.  I would strongly recommend *against*
> Verisign for anything and everything they offer.

$20 a year sounds good to me!  i've just had a look at their site and I
think i'll go with them...

thanks

-john
nick (Guest)
on 2007-01-23 16:35
what do you think about create a own SSL certificate ?
Benjamin Ritcey (Guest)
on 2007-01-23 20:05
(Received via mailing list)
nick wrote:
> what do you think about create a own SSL certificate ?
>

That's perfectly fine - for testing or, perhaps, internal-only use.  For
a real site, you need a cert signed by a CA who's cert comes with the
user's browser, else you'll get security warnings (any anybody with any
sense won't start typing in their credit-card info if that happens =)
nick (Guest)
on 2007-01-23 20:13
Benjamin Ritcey wrote:
>
> That's perfectly fine - for testing or, perhaps, internal-only use.  For
> a real site, you need a cert signed by a CA who's cert comes with the
> user's browser, else you'll get security warnings (any anybody with any
> sense won't start typing in their credit-card info if that happens =)

godaddy are recognized from browsers?
but if you don't need credit card but just a SSL for login ? it's always
a secure connection, also if it's own made, obviously if someone has to
pay it's different... :)
Benjamin Ritcey (Guest)
on 2007-01-23 20:32
(Received via mailing list)
nick wrote:
>
godaddy has a CA cert in Firefox, not sure about IE - they're claiming
99% browser recognition.

If SSL is just for login, it's still a bad idea to self-sign - again,
it's fine for dev/internal-only site, but for a "real" site, users may
(rightfully) think their credentials are trying to be hi-jacked.

If you _are_ doing internal-only apps w/ SSL,  your best bet is to
generate your own CA cert & have it installed in the end user's browsers
- that way you can use that to generate multiple legitimate site certs.
nick (Guest)
on 2007-01-23 21:25
Benjamin Ritcey wrote:
> nick wrote:
>>
> godaddy has a CA cert in Firefox, not sure about IE - they're claiming
> 99% browser recognition.
>
> If SSL is just for login, it's still a bad idea to self-sign - again,
> it's fine for dev/internal-only site, but for a "real" site, users may
> (rightfully) think their credentials are trying to be hi-jacked.
>
> If you _are_ doing internal-only apps w/ SSL,  your best bet is to
> generate your own CA cert & have it installed in the end user's browsers
> - that way you can use that to generate multiple legitimate site certs.

ok, thanks... i think I'll use godaddy too :)
This topic is locked and can not be replied to.