What is .well-known?

Ironically, not that well known – even among techies!

You’ve seen it in cPanel and you’re wondering what this new folder is. “Well known, you say – it certainly isn’t to me!” As already mentioned, you’re far from alone.

But have I…?

No, you’ve not. The first question you want answering is, ‘have I been hacked?’. All security-conscious website owners these days ask the very same question when random files and folders appear on their hosting area – and if they’re not, they should be!

On the contrary, having this folder is a demonstration of the fact that you are security conscious and you care about your visitors!

The reason you have your not-so-well-known well-known folder is because you are using the Comodo AutoSSL feature – a nifty little tool for effortlessly managing your website’s SSL certificate. Comodo AutoSSL places text files in here that are used to validate the domain.

Why is it doing this?

Comodo AutoSSL is doing this as it uses the text files to validate your domain name. Comodo must validate your domain name prior to issuing it with an SSL certificate.

What should I do with .well-known?

Absolutely nothing. Just leave it there, let Comodo sort out your SSLs and keep them valid, and live a happy and secure web life!
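If the ‘have I been hacked?’ question still nags, the sensible check is to confirm that the folder holds nothing but plain-text validation tokens. The script below is an added example written for this post; it is not code from Comodo, cPanel or 123-Reg. The sub-directory names it expects (`pki-validation`, `acme-challenge`) are an assumption about where validation tooling commonly writes, and the sample web root it builds is constructed purely for the demonstration.

```python
"""Audit a web root's .well-known directory for files that do not look like
domain-validation tokens. Added example, not part of the original post."""
import os
import string
import tempfile

# Sub-directories that domain-validation tooling commonly writes to.
# ASSUMPTION: the post does not name these; adjust to what your CA actually uses.
EXPECTED_SUBDIRS = {"pki-validation", "acme-challenge"}

# Extensions that have no business in a validation folder (a web server may execute them).
SCRIPT_EXTENSIONS = {".php", ".phtml", ".cgi", ".pl", ".py", ".sh", ".asp", ".aspx", ".jsp"}

MAX_TOKEN_BYTES = 4096  # validation tokens are tiny; anything large is suspicious
PRINTABLE = set(bytes(string.printable, "ascii"))


def audit_well_known(web_root):
    """Return a list of (relative_path, reason) findings for the .well-known tree.

    An empty list means every file looks like a plain-text validation token
    sitting in an expected sub-directory. Paths use forward slashes."""
    base = os.path.join(web_root, ".well-known")
    findings = []
    if not os.path.isdir(base):
        return findings
    for dirpath, _dirnames, filenames in os.walk(base):
        rel_dir = os.path.relpath(dirpath, base)
        top = rel_dir.split(os.sep)[0] if rel_dir != "." else ""
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, base).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext in SCRIPT_EXTENSIONS:
                findings.append((rel, "script file in validation folder"))
                continue
            if top not in EXPECTED_SUBDIRS:
                findings.append((rel, "file outside an expected validation sub-directory"))
            if os.path.getsize(full) > MAX_TOKEN_BYTES:
                findings.append((rel, "larger than a validation token should be"))
                continue
            with open(full, "rb") as fh:
                data = fh.read()
            if any(b not in PRINTABLE for b in data):
                findings.append((rel, "contains non-printable bytes (not plain text)"))
    return findings


def build_sample_root():
    """Construct a throwaway web root with one benign token and two planted oddities.
    Constructed sample data for the demonstration, not real validation files."""
    root = tempfile.mkdtemp()
    pki = os.path.join(root, ".well-known", "pki-validation")
    os.makedirs(pki)
    with open(os.path.join(pki, "EXAMPLE-TOKEN.txt"), "w") as fh:
        fh.write("placeholder-validation-token\n")
    with open(os.path.join(root, ".well-known", "update.php"), "w") as fh:
        fh.write("<?php /* planted for the demo */ ?>")
    with open(os.path.join(pki, "blob.bin"), "wb") as fh:
        fh.write(bytes([0x00, 0xFF, 0x90, 0x90]))
    return root


if __name__ == "__main__":
    sample = build_sample_root()
    for path, reason in audit_well_known(sample):
        print(f"{path}: {reason}")
```

Run it against your real document root instead of the sample: a clean AutoSSL folder produces no findings, while a script file or a binary blob is exactly the kind of thing that deserves a second look.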

SSL Certificates – More Expensive Doesn’t Mean A Thing!

Now, normally in life, going for the cheap option doesn’t always work out well in the medium to long term – or, if you’re really unlucky, in the short term.

Although not free, we can definitely confirm that sometimes the best things in life are cheaper (OK, that’s not quite as catchy granted!).

SSL, or Secure Sockets Layer, certificates are understandably (and rightly so) becoming more popular.  For companies of all sizes with an online presence they are pretty much a given these days.  And for most personal sites as well – even if it’s “just” protecting a members area, forum or blog.

SSL certificates can range from tens of pounds a year to thousands of pounds a year.

The Big SSL Myth

There’s a myth going round about SSL certificates, and it’s been going around for a while now.  So I feel it’s only right to dispel it.

“More expensive SSL certificates usually offer 0% extra protection”

Shocked?  Most are.  Apologies if you’ve just spat out your cornflakes as you’ve spent loads on one recently.

Most of the time, more expensive on an SSL certificate means no extra protection.  The likely difference is the company providing it – i.e. there are well-respected companies that have been around for a long time and have gained the trust of users – so they can be seen as more ‘valuable’, when in reality it’s the same as a genuine new start-up that’s offering them much cheaper.

It’s the online equivalent of saying this site is protected by ‘Well Respected and Established Company Ltd’ rather than ‘New Startup Ltd’.  The fact is, if they both sold you the same security, but for vastly different prices, your security would still be the same – the only difference would be the price you pay.

Having Said That….

Sometimes you do get nice extras thrown in – maybe a financial warranty backing up the certificate in case something goes wrong – however, a claimable situation arising isn’t very likely, and the benefit to most people will likely be nil (or not a lot).

However, the core point remains – the strength of the security offered is likely to be the same!

Let’s Compare A Typical Offering…

123-Reg are a popular domain name, web hosting and SSL certificate provider (among other things web related).

Let’s take a quick look at the SSL certificates they are offering:

Now, as you can see, we’ve got everything ranging from just £9.99 a year to £249.99 a year.  A big difference in price.

For some big businesses, maybe the warranty or extra add-ons might possibly be useful at some future point in time.  Might.  However, for all personal sites, 99.9% of contractors and the self-employed, as well as probably a great deal of small to medium-sized businesses, the £9.99 a year 123-Reg SSL is probably going to be enough for your needs.

Need a little more convincing?

Let’s take it line by line:

Activates Browser Padlock

Important feature – not from a security point of view, but for reassuring the user and giving them the signal that they are connected securely to your website.

Good job it’s included as standard with all of the SSL certificates.  No expensive SSL certificate is going to provide you with a nicer padlock! ;).

Activates Browser Green Bar

Yes, a browser green bar is a nice little touch.  But are you really considering spending £249.99 on an SSL certificate?  If not, then as you can see, there’s no difference between the first three (except £60 a year in price!).

Unless you’re a bank, your users aren’t going to bat an eyelid about it not being there.  Pretty much the only organisations that have these are banks, the government and multi-million-pound corporations (and even some of them don’t bother with it).

Yes, it can sometimes give an extra warm fuzzy feeling of security to your user – but quite frankly, the vast majority of users don’t actually notice it’s there.

The extra security, you will probably not be surprised to find out, is not based on the browser bar being green rather than white (if only it was this easy….) but on the extra checks they have to go through to get the certificate – usually including some offline verification checks.

The green bar kind of validates that you are ‘speaking’ to who you think you are speaking to.  However, if you don’t know ‘who’ is behind the website that you’re about to enter your personal details on, maybe you shouldn’t be entering them on the site at all (green bar or otherwise)?

In short, for 98% of websites – this isn’t a deal breaker.  Forget the green bar (and the extra setup pain that comes with it)!

Validity Period

This is the number of years you can buy the SSL certificate for in one go – i.e. how long you can choose to buy it for before you have to renew it.  When applied to domains, for example, the ‘Validity Period’ of a .co.uk domain would be between 1 and 10 years.

The validity period has absolutely zero impact on the security provided by the SSL certificate.

Discounts are usually given for ordering multiple years in advance – although you can of course buy 1 year and renew yearly if you like – whichever is more convenient.

In this example, the most expensive SSL certificate is actually the most inconvenient!  You can only order that one for up to 2 years in advance (most likely due to the rigorous – and largely irrelevant for most – security hoops that you have to jump through).

The first three are much of a muchness – all being able to be ordered for between 1 and 5 years.

Multi Year Savings

Savings – we all like savings!  As mentioned above, ordering for multiple years in one go produces a saving.

The most expensive SSL certificate actually puts you at a disadvantage here as it can only be ordered for a maximum of two years in advance, whereas the others can all be ordered for up to 5 years (see above).

Encryption Level

Prepare for the shocker!

Encryption level.  Probably – no wait, definitely – the most important feature of your SSL certificate: how strong the encryption it provides is.

As you can see above, paying more gets you 0% more security!  That’s it, no extra protection for your extra £240 a year!

This is what I mean when I say that paying more for an SSL certificate doesn’t get you more security – it just gets you a bigger brand name to stick on your site.  And if over a decade of web development has taught me anything, it’s this:

99% of customers won’t care if your website is ‘Secured by’ VeriSign or ACME Ltd.

That statement is of course with the caveat that you pick a reputable company – not Card Fraud R Us Ltd etc.

Remember:

Big names just mean big price tags – nothing else.
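Where the encryption strength actually comes from is the server’s TLS configuration, not the certificate. The snippet below is an added example written for this post (not code from 123-Reg, Comodo or any CA): it builds a server-side context that only negotiates TLS 1.2 or later with forward-secret AEAD cipher suites, then lists what it would offer. Whatever certificate you later load into that context, cheap or dear, the suites on offer do not change. The cipher-name conventions are OpenSSL’s, as Python’s `ssl` module exposes them, and the deny-list of weak markers is constructed for the demo.

```python
"""Where the 'encryption level' of an HTTPS site really comes from.
Added example, not from the original post: the protocol versions and cipher
suites a server will negotiate are set in its TLS configuration. The
certificate only proves identity. ASSUMPTION: cipher names follow OpenSSL
conventions, as exposed by Python's ssl module."""
import ssl

# Substrings that mark a cipher suite as obsolete. Constructed deny-list for the demo.
WEAK_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXPORT", "AECDH", "ADH")


def hardened_server_context():
    """Build a server-side context that only negotiates TLS 1.2+ with
    forward-secret (ECDHE) AEAD suites. This is the knob that sets the
    'encryption level'; the certificate loaded into it later does not."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    return ctx


def negotiable_cipher_names(ctx):
    """Names of every suite the context would offer, TLS 1.3 ones included."""
    return [c["name"] for c in ctx.get_ciphers()]


def weak_suites(ctx):
    """Return the subset of negotiable suites that carry a weak marker."""
    return [n for n in negotiable_cipher_names(ctx)
            if any(m in n.upper() for m in WEAK_MARKERS)]


def tls12_suites_without_forward_secrecy(ctx):
    """TLS 1.2 suites that lack an ephemeral (ECDHE/DHE) key exchange."""
    return [c["name"] for c in ctx.get_ciphers()
            if c["protocol"] == "TLSv1.2"
            and not c["name"].startswith(("ECDHE", "DHE"))]


if __name__ == "__main__":
    ctx = hardened_server_context()
    print("minimum TLS version:", ctx.minimum_version)
    for name in negotiable_cipher_names(ctx):
        print("  offered:", name)
    print("weak suites:", weak_suites(ctx))
    print("TLS 1.2 suites without forward secrecy:",
          tls12_suites_without_forward_secrecy(ctx))
```

The same idea applies to whatever web server you actually run: the cipher and protocol settings live in its configuration, and that is where a stronger ‘encryption level’ is bought, for free.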

Secures WWW and non-WWW sites

Standard feature – as evidenced by the fact that it’s available on all SSL certificates, from the cheapest to the most expensive.

Using DPS Computing’s website as an example this means that using any of these certificates we could secure pages starting both www.dpscomputing.com and dpscomputing.com – i.e. with or without the www prefix.

Warranty

This is the big difference – without actually meaning a lot in reality.

Warranty – as described by 123-Reg is:

The more expensive GlobalSign certificates come with an insurance policy covering the certificate being issued or used incorrectly (i.e. they cock up, or an act of fraud is committed against you).

I’m not sure on the number of claims that there are on these warranties by the people that have cover from them, but it is likely a very small percentage.

Don’t forget the amount specified isn’t the amount you’d get paid out in the rare situation that the certificate is issued or used incorrectly.  It’s the maximum amount you would be entitled to.

The ‘value’ of a warranty – or lack thereof – shouldn’t influence which SSL certificate you pick.  Spend the money on something else – something that will help your website or business more than this is ever likely to – and don’t forget, it’s not just a one-off cost – it’s a recurring, and for most people, unnecessary cost.

Again there’s one key thing to remember:

The value (or lack of) a warranty has 0% impact on your security.

It doesn’t make your site any safer.  And even if you were in a claimable situation (extremely unlikely!), it’s not just going to be a handover of the maximum amount in a cheque to you – prepare for a drawn-out process, potentially even a legal battle (at which point, is it worth it anyway?).

Typical Issuance Speed

Again, on the issue of speed from purchase to being live and available for use on your site, cheaper is better.

Due to the, for many, unnecessary extra security checks, you have to wait nearly an entire working week, compared to just 10 minutes for the cheaper options.

Vetting

Vetting – here’s some of the extras that you get – kind of.

As the name implies, the increased levels of vetting available with more expensive SSL certificates basically mean that you’ve had more background checks done to ensure your website (and with the more expensive ones, your business) is who it says it is.

It does not, I repeat does not impact on the level of security offered by your SSL certificate.

Con men and fraudsters can successfully complete these checks on occasion, just as they can with other systems designed to protect authenticity.

Reputable businesses usually have many ways for their customers to check their history, trading status, previous customer experiences etc through sites like Companies House, TrustPilot etc.

Coupled with the fact that most con and fraud websites are discovered relatively quickly, and the people behind them stay in ‘business’ by setting up and closing down in a matter of weeks (or at most months), one of the biggest free security checks that can be done by anybody with an Internet connection is to check the age of the company.

Now, not all new companies are scammers, obviously.  But most scammers are, or appear to be, new companies, with little trading history and probably not a big online footprint.  This alone, evidently, doesn’t confirm devious intentions but it should raise a healthy level of suspicion – after all, if you were fully confident in their identity in the first place you wouldn’t be investigating who they are ;).

Also, things like checking that addresses exist, ringing the office phone number and consulting previous customers can yield important information.

All in all, despite the extra checks offered with the more expensive SSL certificates, there are probably more cost-effective and beneficial ways to do these checks.  Unless you’re a big business, there’s probably not much point in having any more checks than the basic 123-Reg SSL certificate offers.

Simple Set Up With AutoCSR

Again, on this one, it doesn’t matter how expensive you go, you get the same auto set up service which helps you install the SSL certificate on your website.

Easy to set up service if you are hosting elsewhere, even easier to set up service (it’s done for you) if you have 123-Reg hosting.

Secure Unlimited Sub Domains (Wildcard SSL)

Wildcard SSL – again something you are only likely to require if you’re a big business.  Only available as standard in the most expensive certificate.

Wildcard SSL lets you not only secure your main domain.com but also any subdomain.domain.com.

So without wildcard SSL you could have the following served securely via HTTPS (using DPS Computing as an example):

  • www.dpscomputing.com/billing/
  • www.dpscomputing.com/customers/
  • www.dpscomputing.com/secure/
  • dpscomputing.com/billing
  • etc…..

What you couldn’t have would be:

  • secure.dpscomputing.com
  • billing.dpscomputing.com
  • customers.dpscomputing.com

With wildcard SSL you can have subdomain.domain.com as well as domain.com/subdomain.

The cheapest ‘optional’ extra wildcard SSL is on the 123-Reg variety – but that still increases the price from £9.99 to £79.99.

Again, if you’re not a big business, it’s not really likely to be of any use.  In fact, would it really matter to a big business if it was domain.com/subdomain rather than subdomain.domain.com?  Possibly – there is some evidence that using subdomains can help with SEO, but for individuals and small to medium-sized businesses there are probably many more (cheaper) things that you can do to improve your SEO.
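The www/non-www and wildcard points above both come down to one rule: a browser checks the host part of the URL against the names on the certificate, and the path after the slash never enters into it. The code below is an added example for this post, not 123-Reg’s or any CA’s code. It implements the usual hostname-matching rule (a single `*` may stand in for exactly one leftmost label, as in RFC 6125) and runs it over two constructed name lists standing in for the names a CA would put on a ‘www and non-www’ certificate and a wildcard certificate; that a wildcard certificate also carries the bare domain is an assumption about how such products are typically issued.

```python
"""Does a certificate's list of names cover a given URL's host?
Added example, not from the original post: the hostname-matching rule
browsers apply. A single '*' may replace exactly one leftmost label;
the URL path plays no part in the decision."""
from urllib.parse import urlsplit


def host_matches(pattern, hostname):
    """Return True if a certificate name `pattern` covers `hostname`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only a whole leftmost label may be a wildcard, it must cover exactly one
    # label, and a wildcard on a top-level domain (e.g. '*.com') is refused.
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def url_covered(cert_names, url):
    """True if the host part of `url` is covered by any name on the certificate."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    return any(host_matches(name, host) for name in cert_names)


# Constructed sample name lists, standing in for the Subject Alternative Names
# a CA would put on each product. ASSUMPTION: the wildcard product also lists
# the bare domain, which is how such certificates are typically issued.
BASIC_CERT = ["dpscomputing.com", "www.dpscomputing.com"]   # 'www and non-www' product
WILDCARD_CERT = ["dpscomputing.com", "*.dpscomputing.com"]  # wildcard product

SAMPLE_URLS = [
    "https://www.dpscomputing.com/billing/",
    "https://dpscomputing.com/billing",
    "https://billing.dpscomputing.com/",
    "https://a.b.dpscomputing.com/",
]


def coverage_table(cert_names, urls=SAMPLE_URLS):
    """Map each URL to whether the given certificate names cover it."""
    return {url: url_covered(cert_names, url) for url in urls}


if __name__ == "__main__":
    for label, names in (("basic", BASIC_CERT), ("wildcard", WILDCARD_CERT)):
        print(f"{label} certificate {names}:")
        for url, ok in coverage_table(names).items():
            print(f"  {'covered   ' if ok else 'NOT covered'} {url}")
```

Note the last URL: even the wildcard product stops at one label, so `a.b.dpscomputing.com` is not covered by `*.dpscomputing.com`. That is a detail worth knowing before paying the extra £70 for a wildcard.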

Strong Security In Older Browsers With SGC

Strong security in older browsers – always a good thing as some of us don’t update (for free) our web browsers ;).

However, we can relax, as it’s offered as standard on all the SSL certificates on offer.

Server Licenses

Unlimited things are nice, but largely unnecessary.

Most websites run by individuals and small to medium-sized companies will be hosted on one server.  Even if they’re not, it will usually involve ‘only’ a main server, a backup server and a mirror server, which would cater for a fairly busy website.

Even with 3 servers, the cheapest SSL certificate will still cater fully for your needs.  If you’re using 4+, then maybe consider the next one up (£49.99/year) – which is unlimited.  If you’re getting to the stage of needing 4 servers, you’re likely not to be as bothered about the extra £40/year.  But just remember, there’s no point spending it if you don’t need it.  3 servers or less – plump for the cheapest option.

Browser Support

Browser support – important both for the reasons given above, regarding web users not always being the best at updating their browsers on a regular basis, and because many different browsers are now used by a significant proportion of web users, examples being Internet Explorer, Firefox and Google Chrome, to mention a few.

Again, all the SSL certificates from the cheapest right up to the most expensive cover you in exactly the same way.

Mobile Device Support

With the ever-increasing popularity of mobile devices, including smartphones and tablets, and also the rise in m-commerce (mobile commerce), we need to consider security not just on desktops and laptops but also on mobile devices.

As you can see from the above, the cheapest SSL certificate covers you across mobile devices.

Use With Intranet

Building an Intranet?  No?  Then you don’t need it.

Again, even if you are building an Intranet, you’re only likely to need this kind of security if you’re a big business – individuals and SMEs probably aren’t going to have extensive intranets – and even if you do have one (and require security), you can always use self-signed certificates (issued by yourself but still just as secure).

Secured By Site Seal

A deal breaker of course – not!

It doesn’t matter whether you have a site seal that says secured by MI5 or the Secret Service – it’s no more or less safe than the Secured By 123-Reg SSL seal!

We’re talking about security here, not a fancy image ;).

Top Image: jeffanddayna.

All other images: DPS Computing.