Bill Horne wrote:
> ...we're talking about putting up a "donations" page, and that means
> using SSL.

Not necessarily. You can outsource that to PayPal or Amazon, both of which offer a turn-key payment collection system that runs on their secure servers, which can be linked to from a non-secure page.

Google Checkout used to be another option, but Google is shutting it down, and is moving merchants to Google Wallet, which isn't really the same functionality from the merchant's perspective. (Requires your own merchant account.)

I've heard the web hosting bundled with Google Apps includes HTTPS, but I haven't investigated to see what additional costs or restrictions apply. (Theoretically, it could be very cheap or free. Google already has the hardware infrastructure at scale to do SSL hosting, and is a certificate authority, and has already validated your domain ownership.)

There are also companies you can outsource the e-commerce portion to - basically hosted shopping carts. They offer varying levels of integration, with some bundling a shopping cart with a payment gateway and merchant account.

This comes down to a usual trade-off between control and convenience. If you host the donation page yourself, you can make it perfectly integrate into the look of your site, and not send the user off to another domain or subdomain, but in addition to having to maintain a current SSL cert, you'll need to maintain some additional software (at minimum, code that talks to a payment gateway), and a merchant account.

> I want to know where I can get one for less.

DigiCert (http://www.digicert.com/) is quite popular, and their entry-level cert starts at $175/year, if you buy a 3-year term. Same ~$200/year as you found elsewhere if you buy a 1-year term. Extended validation certs are not much more, starting at $234/year over a 2-year term.

Dreamhost (http://www.dreamhost.com/) charges $15/year for certs, but that offer seems to be available only to their customers that host sites with them.

StartSSL (http://www.startssl.com/) starts at free, and goes up to about $70/year for an extended validation cert. (I've used them for email certs.)

The StartSSL web site doesn't seem to point this out, but the Wikipedia page below notes several times that the free certs are for non-commercial use only. They reference section 3.1.2.1 of StartSSL's "Certificate Policy & Practice Statements"[1], which says, "Subscribers MUST upgrade to Class 2 or higher level for any domain and site of commercial nature, when using high-profile brands and names or if involved in obtaining or relaying sensitive information such as health records, financial details, personal information etc."

1. http://www.startssl.com/policy.pdf

> I need a certificate from someone who's already in /EVERY/ browser...

A forum posting from 2010 where someone attempted to catalog the browsers and other things that support StartSSL:
https://forum.startcom.org/viewtopic.php?f=15&t=1802

And:
http://en.wikipedia.org/wiki/StartCom#Trustedness

  In contrast to CAcert.org, which also offers free Class 1 SSL certificates, the StartSSL certificate is included by default in Mozilla Firefox 2.x and higher, in Apple Mac OS X since version 10.5 (Leopard), all Microsoft operating systems since 24 September 2009, and Opera since 27 July 2010. Since Google Chrome, Apple Safari and the Internet Explorer use the certificate store of the operating system, all major browsers include support for StartSSL certificates.

> ...I don't care if I use a company in South Africa or one in Beijing...

How about the Hong Kong Post Office[2]? :-) (Not sure what they charge.)

2. http://www.hongkongpost.gov.hk/product/ecert/apply/certapply.html

> I only care if the users see a lock icon.

Sadly, the whole SSL cert model is only as strong as the weakest certificate issuer that has widely deployed root certificates. No end-user is scrutinizing issuers and rejecting certs based on that. As long as the issuer does a good enough job to avoid the browser/OS vendors from kicking out their root cert, little else matters.

 -Tom

-- 
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/