Local website purchase SSL or self signed?
-
@Breffni-Potter said:
@DustinB3403 said:
@Jason said:
You need good user training in addition to AV and network firewalls. User training is the most important.
User training..... hahaha....
So as with anything lets perform a math exercise and calculate the continuing cost of effectively training users, versus the cost of build a good security policy with backup and recovery functionality (not excluding cost to upgrade it and maintain it)
Don't forget to add the cost of a breach.
Reputation
FinesI really hate to be the pessimist... but do companies really care about loss of reputation after a breach? To the average consumer I don't think they really understand or care that their data has been stolen... For us sure it matters but everyone else?
-
@coliver said:
I really hate to be the pessimist... but do companies really care about loss of reputation after a breach? To the average consumer I don't think they really understand or care that their data has been stolen... For us sure it matters but everyone else?
I know many people who aren't IT or security minded at all who won't shop at Kmart & Target now. So I guess they do.
-
@Jason said:
@coliver said:
I really hate to be the pessimist... but do companies really care about loss of reputation after a breach? To the average consumer I don't think they really understand or care that their data has been stolen... For us sure it matters but everyone else?
I know many people who aren't IT or security minded at all who won't shop at Kmart & Target now. So I guess they do.
But is it enough to impact their sales? TJ Maxx did this stuff too, but has that stopped people shopping there? People forget really, really quickly. Investing in company reputation is often worthless as consumers just don't remember.
-
@johnhooks said:
If you just need the SSL, StartSSL offers free certs. You don't have the insurance of a paid cert, but it's still encrypted and it's still green.
what insurance would that be?
And you get green? That doesn't seem right. Green is suppose to mean extended validation. I can't imagine that StartSSL is doing that for free.
-
The padlock HTTPS bit is always green regardless of cert level.
You are thinking of the green bar which is called Extended Validation.
-
@Dashrender said:
@johnhooks said:
If you just need the SSL, StartSSL offers free certs. You don't have the insurance of a paid cert, but it's still encrypted and it's still green.
what insurance would that be?
And you get green? That doesn't seem right. Green is suppose to mean extended validation. I can't imagine that StartSSL is doing that for free.
from Comodo:
What does the Warranty actually mean?
We believe it is important to protect the end user. If we were to mis-issue a certificate to a fraudulent site, that fraudulent site has an SSL link with an end user and as a result of this the end user loses money the end user had what they thought was a "trusted session". Comodo should never have provided the fraudster with the ability to engineer this situation we therefore have insurance to pay the end user for any losses that they may incur. Why would we do this?
We value the end customer
We believe the insurance provides greater peace of mind and therefore allows the merchant to sell more products
Most importantly, we value our validation techniques (delivered through www.comodo.com)
We pre-validate customers and provide validation that is far higher than the majority of other SSL providers. Some CA's have weak validation so they do not offer insurance! We also offer high validation, but not at the compromise of speed. You can still obtain SSL instantly.Also
Warranty: Comodo’s guarantee against loss associated with an online credit card transaction caused by Comodo’s failure to exercise reasonable care to perform the validation steps set forth in the Comodo CPS prior to the Certificate’s issuance.
As @Breffni-Potter said, the lock is always green, but only the bar is the extended validation.
-
@johnhooks said:
@Dashrender said:
@johnhooks said:
If you just need the SSL, StartSSL offers free certs. You don't have the insurance of a paid cert, but it's still encrypted and it's still green.
what insurance would that be?
And you get green? That doesn't seem right. Green is suppose to mean extended validation. I can't imagine that StartSSL is doing that for free.
from Comodo:
What does the Warranty actually mean?
We believe it is important to protect the end user. If we were to mis-issue a certificate to a fraudulent site, that fraudulent site has an SSL link with an end user and as a result of this the end user loses money the end user had what they thought was a "trusted session". Comodo should never have provided the fraudster with the ability to engineer this situation we therefore have insurance to pay the end user for any losses that they may incur. Why would we do this?
We value the end customer
We believe the insurance provides greater peace of mind and therefore allows the merchant to sell more products
Most importantly, we value our validation techniques (delivered through www.comodo.com)
We pre-validate customers and provide validation that is far higher than the majority of other SSL providers. Some CA's have weak validation so they do not offer insurance! We also offer high validation, but not at the compromise of speed. You can still obtain SSL instantly.Also
Warranty: Comodo’s guarantee against loss associated with an online credit card transaction caused by Comodo’s failure to exercise reasonable care to perform the validation steps set forth in the Comodo CPS prior to the Certificate’s issuance.
That's laughable. Who cares about this insurance? The end user visiting that website? Really? I suppose some ambulance chasing lawyer could try to go after the SSL cert provider in the case where a client's CC or other information was exposed due to some negligence on the SSL providers part, but that seems pretty far fetched.
Additionally, considering things like Let's Encrypt, soon anyone, including the hackers, will be able to get a free basic SSL cert.
End-users don't know/understand or care about SSL certs. A few might understand that the green bar they get when visiting places like Ebay and paypal as a good thing, but probably don't know why it's a good thing.
The insurance seems more like a gimmick to get those buying a SSL cert to buy from Comodo instead of the competition.
As @Breffni-Potter said, the lock is always green, but only the bar is the extended validation.
It is? this is FireFox and Facebook.
-
https://support.mozilla.org/en-US/kb/how-do-i-tell-if-my-connection-is-secure
Is your FireFox misbehaving?
-
Oh wait, gray padlock means SSL but without Extended Validation. Firefox is the only browser to do this by the looks of it, everyone else has a green padlock.
-
@Breffni-Potter said:
Oh wait, gray padlock means SSL but without Extended Validation. Firefox is the only browser to do this by the looks of it, everyone else has a green padlock.
Nope.
Here's IE 11 on Win10 pro
-
As can see here, Chrome does use a green padlock for non EV certs.
And a green box around a green padlock for EV
FF uses a green padlock for EV
and IE makes the whole bar green for EV. -
There's no consistency here at all. How are consumers suppose to protect themselves. This is ridiculous. The format for displaying EV should part of the EV spec or something. sigh.
-
@Dashrender said:
There's no consistency here at all. How are consumers suppose to protect themselves. This is ridiculous. The format for displaying EV should part of the EV spec or something. sigh.
This isn't about security, it's about selling certs.
-
@scottalanmiller said:
@Dashrender said:
There's no consistency here at all. How are consumers suppose to protect themselves. This is ridiculous. The format for displaying EV should part of the EV spec or something. sigh.
This isn't about security, it's about selling certs.
I'd mostly agree, but I'd say it's a tiny bit about security.
-
@Dashrender said:
I'd mostly agree, but I'd say it's a tiny bit about security.
Seems almost like security being lost here.
-
@scottalanmiller said:
@Dashrender said:
I'd mostly agree, but I'd say it's a tiny bit about security.
Seems almost like security being lost here.
The reality perhaps is a loss of security, but the hope was that EV would show the consumer that the site went through more rigorous verification process, so you should be able to trust that that they are who they say they are.
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
I'd mostly agree, but I'd say it's a tiny bit about security.
Seems almost like security being lost here.
The reality perhaps is a loss of security, but the hope was that EV would show the consumer that the site went through more rigorous verification process, so you should be able to trust that that they are who they say they are.
I feel like this is one of those things that I would say and people would point out that I'm crazy and a tech and that absolutely zero consumers would understand this or look into it. It's all for the sales, I think, not at all for the security.
-
@scottalanmiller said:
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
I'd mostly agree, but I'd say it's a tiny bit about security.
Seems almost like security being lost here.
The reality perhaps is a loss of security, but the hope was that EV would show the consumer that the site went through more rigorous verification process, so you should be able to trust that that they are who they say they are.
I feel like this is one of those things that I would say and people would point out that I'm crazy and a tech and that absolutely zero consumers would understand this or look into it. It's all for the sales, I think, not at all for the security.
You're absolutely right. I thought I was saying that. The IDEA was to enhance security.. but you can't just put something in place and expect the public to understand what it is or why it's good or even more... CARE... they don't. Just like people (at least in the US) don't care about identity theft. I think we all agree that it's a huge problem, but even as big a problem as it is, it hasn't affected enough people to cause the masses to really care about it.
-
I think that the masses really care about identify theft but too many do not understand that it is three companies responsible for it and that voting to hold them accountable is the only option.
-
@Dashrender said:
The reality perhaps is a loss of security, but the hope was that EV would show the consumer that the site went through more rigorous verification process, so you should be able to trust that that they are who they say they are.
I feel like this is one of those things that I would say and people would point out that I'm crazy and a tech and that absolutely zero consumers would understand this or look into it. It's all for the sales, I think, not at all for the security.
I'll call anyone that thinks this crazy
@scottalanmiller is most certainly right here. There is nothing security related here. it is all good marketing allowing cert providers to charge more money for something no one cares about and does zero for security.