Difference between revisions of "Secure Website"

475 bytes added ,  09:11, 20 August 2012
m
Minor rewording
(Added "Multiple Secure Websites")
m (Minor rewording)
Line 2: Line 2:
In order to run a secure website you need certificates, whist providing a full explanation as to the purpose and usage of certificates is beyond the scope of this page, I'll attempt to summarise...
In order to run a secure website you need certificates, whist providing a full explanation as to the purpose and usage of certificates is beyond the scope of this page, I'll attempt to summarise...


What kind of certificate your require depends on what you are going to use the site for.  Generally speaking a website that's going to be accessed by the general public or non IT-literate users will need to be signed by one of the big certificate authorities (aka well-known root CA) which are already trusted by web-browsers; but if its a internal or test site, or its only going to be access by people who know and trust you, a self-signed certificate will be fine. It boils down to how much trust a user needs to have in your website, and what level of monetary insurance there should be if the security mechanism breaks down.
What kind of certificate your require depends on what you are going to use the site for.  Generally speaking a website that's going to be accessed by the general public, or non IT-literate users, will need to be signed by one of the big certificate authorities (i.e. a well-known root CA) which are already trusted by web-browsers.  If its a internal or test site, or its only going to be access by people who know and trust you, a self-signed certificate will be fine.  


A '''self-signed certificate''' will present an alert to the user, asking them if they really trust the website they're accessing.  They can either decide that they do trust you or close the page.  If they do trust you, and trust that they're hit your genuine website, they can permanently accept your self-signed certificate as valid and trustworthy.  Note that if they (for some  reason) go to an invalid website masquerading as you on, before they've accepted your certificate as valid, they can be tricked into trusting somebody else instead.
It boils down to how much trust a user needs to have in your website, and what level of monetary insurance there should be, if the security mechanism breaks down.


A '''commercially signed certificate''' will normally automatically provide validation that the website is valid and trustworthy, but will also normally cost money.  Cheaper (or sometimes free if you're a person rather than a company) require limited validation that you are who you say you are, and minimal insurance for an loss due to security breachMore expensive certificates can be more flexible (can cover an entire domain rather than just a single host), provide greater insurance, and should provide greater assurance to your users (they'll also require much more stringent validation to confirm you (or your company) actually exists, you own your domain etc etc).
=== Self-Signed ===
A self-signed certificate will cause the web browser to present an alert to the user, asking them if they really trust the website that they're accessing.  They can either decide that they do trust you or close the pageIf they do trust you, and trust that they've hit your genuine website, they can permanently accept your self-signed certificate as valid and trustworthy by adding an exception for the certificate.


If you expect to be handling any money/card transactions or other highly sensitive data, then securing your website can be hard-work and expensive.  Both in terms of the certificate(s) you need to purchase, and other measures you need to take to ensure your site is actually secure.  There is good reason why many online businesses use 3rd party websites for their transactions.  Unless you have dedicated staff that can continually apply preventative measures (be it OS patching, reacting to PHP vulnerabilities, or whatever) and that can promptly detect and react to potential security breaches, do not take on the responsibility yourself.  If your site gets breeched, and your clients/customers become exposed, its your fault.
Note that if (for some  reason) they go to an invalid website masquerading as you, before they've accepted your certificate as valid, they can be tricked into trusting somebody else instead.
 
=== Commercially Signed ===
A commercially signed certificate will normally automatically provide validation that the website is valid and trustworthy, but will also normally cost money. 
 
Cheaper (or sometimes free if you're a person rather than a company) certificates require limited validation to prove that you are who you say you are, and provide minimal insurance (if any) for a loss due to security breach. 
 
More expensive certificates can be more flexible (can cover an entire domain rather than just a single host), provide greater insurance, and should provide greater assurance to your users that you are who you say you are, you own your domain etc etc). They'll also require much more stringent validation to confirm you (and/or your company's) identity.
 
If you expect to be handling any money/card transactions or other highly sensitive data, then securing your website can be hard-work and expensive.  Both in terms of the certificate(s) you need to purchase, and other measures you need to take to ensure your site is actually secure.  There is good reason why many online businesses use 3rd party websites to handle their transactions.  Unless you have dedicated staff that can continually apply preventative measures (be it OS patching, reacting to PHP vulnerabilities, or whatever) and that can promptly detect and react to potential security breaches, do not take on the responsibility yourself.   
 
Ensuring that communication between your website and clients is secure is only part of the job.  A secure connection into a compromised server is worse than an insecure connection to a compromised server as users will be under the impression that your site is trustworthy. 
 
'''If your site gets breeched, and your clients/customers become exposed, its your fault.'''


== Create Self-Signed Certificate ==
== Create Self-Signed Certificate ==
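Review bot: In the new Self-Signed paragraph, the advice to accept the certificate "by adding an exception for the certificate" depends on the user trusting "that they've hit your genuine website", but the text gives them no way to check that, which is the masquerading risk the following sentence warns about. Suggest saying how a user should confirm the certificate is yours before adding the exception, for example by comparing its fingerprint with one you have given them through another channel. In the Commercially Signed text, "you own your domain etc etc)." keeps a closing parenthesis whose opening one was reworded away, and "(and/or your company's) identity" does not read correctly with or without the parenthetical. The rewording also carries over "your require", "its a internal", "be access by", "breeched" and "its your fault", and with 475 bytes added, two new headings and a new paragraph, it is more than the "Minor rewording" the summary states.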
