SSL Certification with full business name (green bar)


(Daveyon Mayne) #1

I’m reviving an online store I once had. I need an SSL cert, preferably the one that shows the full company name in the green bar. I like that. Gandi.net charges £300 per year (£25 a month). Is there anything cheaper around? I also have the domain with Gandi.

I’m hosting the website on DigitalOcean. I did manage to look around but I’m checking here to see who you guys trust and use. Thanks


(Jon) #2

Have you discovered this is important to your (potential) customers? I think I wouldn’t mind if someone was just on Let’s Encrypt, especially given they’re forced to renew the cert every 30 days or so.


(Daveyon Mayne) #3

This type of SSL was not discovered; I simply like to see the name appearing in the green bar. I’m sure they’d be OK to see some sort of green bar and their browser not complaining of SSL issues. I’m also configuring HTTP2 on a work server so will be adding that to my personal server :wink:


(Jon) #4

An additional thought - the best single thing you can do for security is not to touch credit card numbers at all. Let Stripe/WorldPay/PayPal handle it instead, on a separate domain.

Then, if you get a breach, it’s just customer addresses and orders that will be stolen, which is not particularly sensitive. Don’t store customer date of birth either, as that is (unreasonably) valuable.


(Marc Cooper) #5

You need to be PCI compliant to store credit card numbers: https://www.pcicomplianceguide.org/faq/ I seem to recall that storing CVVs is illegal.

Stripe’s mechanism is great for card storage. Multiple cards per customer, default card, etc. Best of all: no legal requirements \o/ and you can be up and running in an afternoon.


(Daveyon Mayne) #6

I’ll be using Spree Commerce + Stripe :wink: So basic, I think, PCI is needed. I only like to see the company name in the green bar but I guess any other will do.


(Greg Robson) #7

PCI is required, although if your volume is small and your cart is outsourced (Stripe, Braintree or anything else that gives your app a token instead of card details) and you’re only taking payments online, you’ll only need to meet some basic requirements. (To be fair, general security practices and data protection would cover those bases.)

Stripe’s JavaScript widget (and possibly others) takes care of everything because the card details go over HTTPS to their server in the browser and only the token goes to your application. You’ll never see the card details!
I think this is what Spree is hinting at: https://guides.spreecommerce.org/developer/security.html#pci-compliance

As for SSL Certs (possibly handy if site is for something requiring a user’s trust like healthcare or banking)…


(Daveyon Mayne) #8

Cheap but this bit got me:

Available to order when you have a hosting plan

Are they saying certs are only available when you host with them?


(Greg Robson) #9

I had not noticed that. Perhaps that’s why they’re cheaper - they might have some automated deployment on their platform to reduce their costs???


(Matthew Somerville) #10

I would just use free certificates from Let’s Encrypt; they even do wildcard domains now. No-one cares about the name appearing in the URL bar, and EV doesn’t prevent phishing e.g. https://stripe.ian.sh/ - so why spend money when you don’t have to? We have LE certs on all our websites, and use Stripe.


(Daveyon Mayne) #11

Excellent! Thanks