IT Development/Proposals/SSL: Difference between revisions
(draft) |
m (Richard Symonds (WMUK) moved page Development/Proposals/SSL to IT Development/Proposals/SSL over a redirect without leaving a redirect) |
||
(11 intermediate revisions by 6 users not shown) | |||
Line 20: | Line 20: | ||
==Options/Cost== | ==Options/Cost== | ||
"Signing Authority" is the company that will directly sign your certificate (they in turn will be using a certificate signed by a "Certificate Authority"). Fasthosts/UK-Reg, the company where Wikimedia UK currently registers its domains, does not offer SSL certificates (well, they do but only in association with their dedicated servers!). "Green Bar" refers to the green bar appearing in the browser bar, e.g. http://static.123-reg.co.uk/library/images//v2/ssl/ssl_diff_02.png | |||
{| class="wikitable sortable" | |||
! Provider !! Yearly Cost !! Signing Authority !! Features !! Green Bar? !! Notes | |||
|- | |||
| [https://www.gandi.net/ssl Gandi Standard Wildcard SSL] | |||
| £110 (excl VAT) | |||
| Gandi | |||
| | |||
* 2048 bit key | |||
* 60 Day Money Back Guarantee | |||
| No | |||
| Online validation (i.e. not much :)) | |||
|- | |||
| [https://www.gandi.net/ssl Gandi Pro Wildcard SSL] | |||
| £237 (excl VAT) | |||
| Gandi | |||
| | |||
* 2048 bit key | |||
* 60 Day Money Back Guarantee | |||
* Secure transactions up to $250,000 | |||
| No | |||
| Paper validation, which means submitting documents to Gandi | |||
|- | |||
| [https://www.gandi.net/ssl Gandi Business Multi-Domain SSL] | |||
| £800+ (excl VAT) | |||
| [http://www.comodo.com/ Comodo] | |||
| | |||
* 2048 bit key | |||
* 60 Day Money Back Guarantee | |||
* Secure transactions up to $250,000 | |||
* Validated by Comodo | |||
| Yes | |||
| Additional validation requirements & as a result the certificate. Also, this is not traditional "wildcard" certificate - you give them a list of domains to sign and they validate only those. This certificate has the "green bar" feature. | |||
|- | |||
| [http://www.123-reg.co.uk/ssl-certificates/wildcard-ssl-certificates.shtml 123 Reg Wildcard SSL] | |||
| £79.99 | |||
| 123-SSL | |||
| | |||
* [http://www.123-reg.co.uk/ssl-certificates/123-ssl-certificates.shtml Limited to 3 servers] | |||
| No | |||
| Online validation, I don't know who the ultimate Certificate Authority is for this. | |||
|- | |||
| [http://www.123-reg.co.uk/ssl-certificates/wildcard-ssl-certificates.shtml 123 Reg Wildcard SSL] | |||
| £174.99 | |||
| [https://www.globalsign.eu/ Globalsign] | |||
| | |||
* [http://www.123-reg.co.uk/ssl-certificates/domain-ssl-certificates.shtml Warrantied up to £10,000] | |||
| No | |||
| Unclear what level of validation is required, but I think that it's document submissions. They check we own the domain. | |||
|- | |||
| [http://www.123-reg.co.uk/ssl-certificates/wildcard-ssl-certificates.shtml 123 Reg Organisational SSL] | |||
| £224.99 | |||
| [https://www.globalsign.eu/ Globalsign] | |||
| | |||
* [http://www.123-reg.co.uk/ssl-certificates/organisational-ssl-certificates.shtml Warrantied up to £75,000] | |||
| No | |||
| Domain & Business validation, so definitely document submission. | |||
|- | |||
| [https://www.globalsign.eu/ssl/wildcard-ssl/ Globalsign Domain SSL] | |||
| £533 | |||
| Globalsign | |||
| | |||
* $10K warranty | |||
* 2048 bit key | |||
* Free site malware monitor | |||
| No | |||
| Domain validation only | |||
|- | |||
| [https://www.globalsign.eu/ssl/wildcard-ssl/ Globalsign Organisational SSL] | |||
| £609 | |||
| Globalsign | |||
| | |||
* $1.25M warranty | |||
* 2048 bit key | |||
* Free site malware monitor | |||
| No | |||
| Organisational validation (i.e. documents submission) | |||
|- | |||
| [https://www.globalsign.eu/ssl/unified-communications/ Globalsign Multi-Domain Extended SSL] | |||
| £1000+ | |||
| Globalsign | |||
| | |||
* $1.5M warranty | |||
* 2048 bit key | |||
* Free site malware monitor | |||
| Yes | |||
| Extended checks. Again not traditional wildcard & includes additional costs for extra subdomains (£63 per domain). I've estimated the rough costs to secure all of our domains based on our current subdomains. | |||
|- | |||
| | |||
| | |||
| | |||
| | |||
| | |||
|- | |||
| | |||
| | |||
| | |||
| | |||
|} |
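Review bot: the two middle 123 Reg rows have provider names and links that disagree with their Features links. The £174.99 row is titled "123 Reg Wildcard SSL" (the same name as the £79.99 row) but its warranty link points to domain-ssl-certificates.shtml, and the "123 Reg Organisational SSL" row links to wildcard-ssl-certificates.shtml while its warranty link points to organisational-ssl-certificates.shtml. Please confirm which product each price belongs to and make the name and both links agree. In the Gandi Business row, the note "Additional validation requirements & as a result the certificate." is an unfinished sentence. The two empty rows before the closing `|}` carry five and four cells against six column headers and should be dropped.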
Latest revision as of 16:58, 7 July 2014
Currently Wikimedia UK has one SSL certificate, set up for the donate.wikimedia.org.uk domain. This proposal addresses the need for a wildcard SSL certificate to allow all of WMUK's web properties to use HTTPS.
Why HTTPS?
Using HTTPS everywhere is good practice; SSL encrypts your connection to the server, ensuring the security of data. This is especially important for the office/board wikis and CiviCRM, but also for WMUK's other "public" sites. In addition, access to the email server requires SSL, and this currently produces an error message because the server uses a self-signed certificate.
A wildcard SSL certificate can be used for all of the .wikimedia.org.uk domains & servers to address these issues.
What is Wildcard SSL?
WMUK's current SSL certificate is signed for donate.wikimedia.org.uk only. This means that it can only be used for HTTPS on that domain (for any other domain, the browser will throw errors/warnings). A wildcard SSL certificate is valid for any subdomain of the wikimedia.org.uk domain.
Obviously, such a certificate comes with additional cost - but given that it can be used for any combination of subdomains, it represents good value for money over purchasing individual certificates.
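Added example, not part of the original proposal: how a client matches a hostname against a certificate name under RFC 6125-style rules. It shows that `*.wikimedia.org.uk` stands for exactly one label, so the bare `wikimedia.org.uk` and deeper names are not covered unless listed separately. Every hostname other than donate.wikimedia.org.uk is constructed for illustration.

```python
def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname (RFC 6125 style)."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard stands for exactly one label, never zero or two
    if p_labels[0] == "*":
        # Accept the wildcard only as the whole leftmost label, and (as a
        # conservative guard) only above at least two fixed labels.
        return (len(p_labels) >= 3
                and h_labels[0] != ""
                and p_labels[1:] == h_labels[1:])
    # Partial wildcards such as "f*.example.org" are rejected outright.
    return "*" not in pattern and p_labels == h_labels


def coverage(cert_names, hostnames):
    """Return {hostname: bool}: is the host covered by any certificate name?"""
    return {h: any(name_matches(n, h) for n in cert_names) for h in hostnames}


# Constructed inventory; only donate.wikimedia.org.uk appears in the proposal.
HOSTS = [
    "donate.wikimedia.org.uk",
    "office.wikimedia.org.uk",
    "mail.wikimedia.org.uk",
    "wikimedia.org.uk",             # bare domain
    "dev.office.wikimedia.org.uk",  # two labels below the domain
]

SINGLE = ["donate.wikimedia.org.uk"]                       # current certificate
WILDCARD = ["*.wikimedia.org.uk"]                          # proposed wildcard
WILDCARD_PLUS_APEX = ["*.wikimedia.org.uk", "wikimedia.org.uk"]

if __name__ == "__main__":
    for label, names in [("single", SINGLE), ("wildcard", WILDCARD),
                         ("wildcard + apex", WILDCARD_PLUS_APEX)]:
        print(label)
        for host, ok in coverage(names, HOSTS).items():
            print(f"  {'covered    ' if ok else 'NOT covered'} {host}")
```

When comparing offers, check whether the bare domain is included as an extra name on the wildcard certificate or has to be requested separately.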
When registering for an SSL certificate there are also a number of "validation" options, with scaling costs. A basic certificate does no validation and it will be issued merely signed to the domain name, with no other identifying information. More expensive certificates offer warranties on financial transactions conducted through HTTPS, and these require the sending of some documents to the certifying agent. Finally, the most expensive option involves additional checks, and will validate the name of the organisation as part of the SSL certificate - in practical terms this means that the name Wikimedia UK would appear next to the SSL "lock" icon in browsers, confirming we own the certificate.
Pricing ranges from ~£100 for basic wildcard, up to ~£500 for the most premium options.
Options/Cost
"Signing Authority" is the company that will directly sign your certificate (they in turn will be using a certificate signed by a "Certificate Authority"). Fasthosts/UK-Reg, the company where Wikimedia UK currently registers its domains, does not offer SSL certificates (well, they do but only in association with their dedicated servers!). "Green Bar" refers to the green bar appearing in the browser bar, e.g. http://static.123-reg.co.uk/library/images//v2/ssl/ssl_diff_02.png
Provider | Yearly Cost | Signing Authority | Features | Green Bar? | Notes |
---|---|---|---|---|---|
Gandi Standard Wildcard SSL | £110 (excl VAT) | Gandi | 2048 bit key; 60 Day Money Back Guarantee | No | Online validation (i.e. not much :)) |
Gandi Pro Wildcard SSL | £237 (excl VAT) | Gandi | 2048 bit key; 60 Day Money Back Guarantee; Secure transactions up to $250,000 | No | Paper validation, which means submitting documents to Gandi |
Gandi Business Multi-Domain SSL | £800+ (excl VAT) | Comodo | 2048 bit key; 60 Day Money Back Guarantee; Secure transactions up to $250,000; Validated by Comodo | Yes | Additional validation requirements & as a result the certificate. Also, this is not a traditional "wildcard" certificate - you give them a list of domains to sign and they validate only those. This certificate has the "green bar" feature. |
123 Reg Wildcard SSL | £79.99 | 123-SSL | Limited to 3 servers | No | Online validation, I don't know who the ultimate Certificate Authority is for this. |
123 Reg Wildcard SSL | £174.99 | Globalsign | Warrantied up to £10,000 | No | Unclear what level of validation is required, but I think that it's document submissions. They check we own the domain. |
123 Reg Organisational SSL | £224.99 | Globalsign | Warrantied up to £75,000 | No | Domain & Business validation, so definitely document submission. |
Globalsign Domain SSL | £533 | Globalsign | $10K warranty; 2048 bit key; Free site malware monitor | No | Domain validation only |
Globalsign Organisational SSL | £609 | Globalsign | $1.25M warranty; 2048 bit key; Free site malware monitor | No | Organisational validation (i.e. documents submission) |
Globalsign Multi-Domain Extended SSL | £1000+ | Globalsign | $1.5M warranty; 2048 bit key; Free site malware monitor | Yes | Extended checks. Again not traditional wildcard & includes additional costs for extra subdomains (£63 per domain). I've estimated the rough costs to secure all of our domains based on our current subdomains. |