tags:

views:

62

answers:

2
+3  Q: 

ssl multi domain website

We need to secure a multi-langual web application with SSL (registration, login,..). However, this application is accessed by different domain names, exactly a domain name for each language (domainName.co.uk, domainName.fr, domainName.it and so on). We're looking for the simplest and cheapest solution. We don't want to purchase a certificate for each domain name. Some one has an idea ? the web server : IIS 6 Thanks

+1  A: 

You can purchase a "wild-card domain certificate" so it will cover *.whatever.com these certificates are a couple hundred dollars. The benefit is that there is no limit on the sub-domains that it covers.

If you have a mess of TLD's i recommend forwarding over to a "secure" server for sessions. Remember the entire session must be protected via ssl or there is no point. Your cookie value will be leaked and an attacker can authenticate without a username/password. This is gone into grater detail in the Owasp Top 10 for 2010 A3: "Broken authentication and session management".

Another option is that some Certificate Authorities offer quantity discounts, but you'll still get raped in terms of cost.

Rook  2010-04-15 00:02:20
it seems he has completly seperate domains, not sub domains
WalterJ89  2010-04-15 00:05:02
Then he will have to purchase completely separate certificates. Some companies offer quantity discount.
Rook  2010-04-15 00:07:53
No, you can get multiple unrelated domains in a single certificate. See for example http://help.godaddy.com/article/3908. GoDaddy charges $90 per year for up to five domains, about twice as much for up to 10 domains, etc. Other CAs do similar.
GregS  2010-04-15 00:35:16
@GregS that is cool i didn't know that. I'm sure you still have to pay extra for each domain.
Rook  2010-04-15 00:38:04
Absolutely, but maybe less than a wildcard cert. I don't know where the crossover is.
GregS  2010-04-15 00:39:50
+1  A: 

You can purchase multi-domain certificates from several certificate authorities including GoDaddy who calls them multi-domain certificates or UCC certificates.

GregS  2010-04-15 00:38:58

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security