Indeed, you can secure all the subdomains with a wild card certificate,
you can’t be certain which host in the domain you are connecting to
This may not matter to you but it will matter to the customer.
Heck, it may matter to you if the customer gets upset about it or
The padlock showing up only says that an SSL connection has been established.
You could do the same thing with a self-signed certificate.
From the vulnerability POV you have a common failure mode; an attacker
needs to subvert one certificate and he has the whole domain. This means
have a ‘weakest link in the chain situation’.
Suppose you put the same certificate on a “test server” and on your main
production server. The security from the SSL server authentication for
main server will depend on the security on your test server.
You’ve in effect multiplied your risk.
The history of attacks is that the attackers don’t try for the
connection. It's much easier to subvert the machine in any number of
My newsfeeds tell me of more and more each week.
If cost is an issue, you may wish to investigate Reverse Proxying with a
single external certificate and multiple internal certificates (either
self-signed or issued from an internal CA).
Chris G. said the following on 03/03/2007 02:52 PM:
On Mar 2, 1:38 pm, Anton A. [email protected] wrote:
I’m getting my first SSL cert and have to specify whether the cert is
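The "weakest link" point in the reply above can be checked against a certificate inventory. The following is an added example, not part of the original post: the hostnames, environments and certificate labels are constructed, and the function names are hypothetical. It flags certificates deployed on both production and non-production hosts, and lists which other hosts a key held on the weaker machine would also be valid for.

```python
from collections import defaultdict

# Constructed inventory: (host, environment, certificate label, SAN list).
INVENTORY = [
    ("www.example.com",  "prod", "cert-A", ["*.example.com"]),
    ("shop.example.com", "prod", "cert-A", ["*.example.com"]),
    ("test.example.com", "test", "cert-A", ["*.example.com"]),
    ("mail.example.com", "prod", "cert-B", ["mail.example.com"]),
]

def san_matches(san, hostname):
    """A wildcard covers exactly one left-most label (RFC 6125 style)."""
    san, hostname = san.lower(), hostname.lower()
    if not san.startswith("*."):
        return san == hostname
    head, _, rest = hostname.partition(".")
    return bool(head) and rest == san[2:]

def blast_radius(compromised_host, inventory):
    """Other hosts whose name the certificate on compromised_host also covers."""
    sans = next(s for h, _, _, s in inventory if h == compromised_host)
    return sorted(h for h, _, _, _ in inventory
                  if h != compromised_host and any(san_matches(s, h) for s in sans))

def weakest_link_findings(inventory):
    """Certificates shared between production and non-production hosts."""
    by_cert = defaultdict(list)
    for host, env, cert, _ in inventory:
        by_cert[cert].append((host, env))
    findings = {}
    for cert, deployed in by_cert.items():
        envs = {env for _, env in deployed}
        if "prod" in envs and len(envs) > 1:
            # Report the non-production hosts that hold the shared key.
            findings[cert] = sorted(h for h, e in deployed if e != "prod")
    return findings

if __name__ == "__main__":
    for cert, weak in weakest_link_findings(INVENTORY).items():
        for host in weak:
            print(f"{cert}: key on {host} also covers {blast_radius(host, INVENTORY)}")
```

Note that the wildcard on the test server also covers mail.example.com, even though that host is deployed with its own single-name certificate.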