Administrative issues



John

SSL Certification

Dear Site Administrators...

Why is a site asking for my payment details using a free, open-source 3-month SSL certificate? Why aren't you using a proper SSL certificate from the likes of Thawte, Symantec, etc.? This does not give me very much confidence in your HTTPS payment security, since the open-source certificate you are using is already known to be a significant security risk.

Regards.


Nira, 42 y.o.

Russia



Thank you for your question.

Yes, we use free, open-source 3-month SSL certificates from Letsencrypt.org. The reason is simple: it is the best and most forward-looking technology at present. You can look at the list of sponsors of LetsEncrypt that put money into developing this technology: dozens of IT companies, Google and Cisco among them.
And the result proves to be great!
Compare for yourself:
https://www.ssllabs.com/ssltest/analyze.html?d=dmpayment.com
gives our domain an overall rating of "A+",
and look here:
https://www.ssllabs.com/ssltest/analyze.html?d=www.facebook.com&s=31.13.77.36&hideResults=on&ignoreMismatch=on
which receives an overall rating of only "B". That is two levels worse.

Our free, open-source 3-month SSL certificate is better than Facebook's certificate. I think that is a good reason to trust the achievements of modern technology.



John

Reply to Nira

SSL Labs is not the definitive test of SSL certificates. In addition, you are susceptible to DROWN attacks: https://test.drownattack.com/?site=dmpayment.com

This certificate has been in place for less than 3 months, and it only gives you a DV cert vs. the much more desirable EV certificate. When you're asking for payment and personal information from people all over the world, you shouldn't take the cheap route for security and public accountability.


Nira, 42 y.o.

Russia


Reply to John

Please look more carefully at the result of the check at your link.

=== Results for dmpayment.com ... updating 0 of 1 ===

It means that this server is immune to this attack. There are 0 servers that need to be upgraded. And the vulnerable SSLv2 is disabled there; you can make sure of this yourself.

Then, you mix together the quality of the certificate and how the server is configured. The certificate from LetsEncrypt is good for current use, and it is reliable. Of course, if the admin of a site is a sad sack, he can activate SSLv2 on the server and get a vulnerable system. We do not do that.

Then why are you shocked by the term of the certificate, 3 months? For all our domains automatic renewal is done, so the term of the certificate does not influence anything. We can renew it automatically once a week if we want, or at any other interval. There was a discussion at LetsEncrypt among very competent people about what the best term for a certificate is, and this term was acknowledged to be the best.
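As an added example (not code from this thread, from dmpayment.com or from Let's Encrypt), the script below separates the two things the replies above keep mixing: what the certificate itself says (issuer, DV versus OV/EV, its 90-day lifetime, and whether automated renewal should already have fired) and what the server is configured to accept (whether an outdated protocol version still completes a handshake). SAMPLE_CERT is constructed in the shape that ssl.SSLSocket.getpeercert() returns and is not the real dmpayment.com certificate; the 30-day renewal threshold is the one Let's Encrypt's own tooling uses; any host name given to the two network functions is the caller's choice.

```python
import socket
import ssl
import time

# Let's Encrypt issues 90-day certificates and its tooling renews once 30 days
# remain, so the short lifetime only matters when renewal is not automated.
LETSENCRYPT_LIFETIME_DAYS = 90
RENEW_BEFORE_DAYS = 30

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
# It is NOT the dmpayment.com certificate; notBefore..notAfter spans 90 days.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 31 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "example.test"),),
}


def _attr(name_tuple, key):
    """Return the first value of attribute `key` in a getpeercert() name tuple."""
    for rdn in name_tuple:
        for attr_key, value in rdn:
            if attr_key == key:
                return value
    return ""


def issuer_org(cert):
    """Organization that issued the certificate ('' if the field is absent)."""
    return _attr(cert.get("issuer", ()), "organizationName")


def validation_hint(cert):
    """DV certificates (what Let's Encrypt issues) carry no organization in the
    subject; OV and EV certificates do. EV proper is signalled by a policy OID
    that getpeercert() does not expose, so this only separates DV from the rest."""
    if _attr(cert.get("subject", ()), "organizationName"):
        return "OV or EV (organization present in subject)"
    return "DV (subject identifies only the host name)"


def lifetime_days(cert):
    """Validity period in days, from the certificate's own notBefore/notAfter."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return (end - start) / 86400


def days_remaining(cert, now=None):
    """Days until expiry relative to `now` (epoch seconds; defaults to the clock)."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400


def certificate_report(cert, now=None):
    """Everything about the certificate itself that a reviewer would ask for."""
    remaining = days_remaining(cert, now)
    return {
        "issuer": issuer_org(cert),
        "validation": validation_hint(cert),
        "lifetime_days": lifetime_days(cert),
        "days_remaining": remaining,
        "expired": remaining <= 0,
        # If this is True on a host that claims automatic renewal, renewal is broken.
        "renewal_due": remaining <= RENEW_BEFORE_DAYS,
    }


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch the served certificate with full chain and host-name verification."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def legacy_version_accepted(host, version, port=443, timeout=5.0):
    """Server-configuration check, separate from the certificate: try a handshake
    pinned to one protocol version, e.g. ssl.TLSVersion.TLSv1.
    True: the server accepted it; False: it refused; None: the local OpenSSL
    cannot speak that version, so nothing was learned. SSLv2, the DROWN vector,
    cannot be probed this way at all, since current OpenSSL builds drop it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # probing the protocol, not the identity
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # old versions need a low security level
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, ConnectionResetError):
        return False


if __name__ == "__main__":
    for key, value in certificate_report(SAMPLE_CERT).items():
        print(f"{key}: {value}")
```

Run against a live host with `certificate_report(fetch_peer_cert("example.test"))`; a `renewal_due` of True on a domain whose operator says renewal is automated is the finding that matters, not the 90-day lifetime itself. For the DROWN question specifically, the protocol probe above cannot reach SSLv2, so the test site John linked (or an OpenSSL 1.0.x build with SSLv2 compiled in) remains the way to confirm that SSLv2 is off.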




