General FAQ
What is SSL?
The SSL (and TLS) protocol is the Web standard for encrypting communications
between users and SSL (secure sockets layer) e-commerce sites. Data sent
via an SSL connection is protected by encryption, a mechanism that prevents
eavesdropping and tampering with any transmitted data. SSL provides businesses
and consumers with the confidence that private data sent to a Web site,
such as credit card numbers, is kept confidential. Web server certificates
(also known as secure server certificates or SSL certificates) are required
to initialize an SSL session.
Customers know they have an SSL session with a website when their
browser displays the little gold padlock and the address bar begins with
https rather than http. SSL certificates can be used on web servers for
Internet security and on mail servers (IMAP, POP3 and SMTP) to secure
mail collection and sending.
What is a StarterSSL Certificate?
StarterSSL Certificates uniquely enable businesses to obtain low-cost,
1-year, fully functional, single root trusted SSL certificates
and are ideal for websites conducting light levels of ecommerce. FreeSSL.com
owns the root used to issue the certificates, making StarterSSL both stable
and far easier to install than a chained root install certificate.
StarterSSL lowers the barrier of entry for companies that want single
root SSL security by providing immediately issued certificates at the
lowest cost available.
See a StarterSSL Certificate in action - click here for a Secured by StarterSSL test page
What is a ChainedSSL Wildcard Certificate?
ChainedSSL Wildcard is a chained root SSL certificate that can be used
to secure multiple sub domains on a single domain name. ChainedSSL Wildcard
allows web sites to conduct secure e-commerce with an encrypted SSL connection
and is ideal for low volume, low transaction value websites.
Comparable chained root wildcard certificates sell in excess of $449
each, while ChainedSSL Wildcard provides the same industry standard chained
root wildcard SSL security at fantastic savings!
See a ChainedSSL Certificate in action - click here for a Secured by ChainedSSL test page
What is a Single Root SSL Certificate?
When connecting to a webserver over SSL, the visitor's browser decides
whether or not to trust the website's SSL certificate based on which Certification
Authority has issued the actual SSL certificate. To determine this, the
browser looks at its list of trusted issuing authorities - represented
by a collection of Trusted Root CA certificates added into the browser
by the browser vendor (such as Microsoft and Netscape).
Most SSL certificates are issued by CAs who own and use their own Trusted
Root CA certificates, such as those issued by GeoTrust and FreeSSL.com.
As GeoTrust and FreeSSL.com are known to browser vendors as trusted issuing
authorities, their Trusted Root CA certificates have already been added to all
popular browsers, and hence are already trusted. These SSL certificates
are known as "single root" SSL certificates. FreeSSL.com, a
subsidiary of GeoTrust, also owns the UTN root used to issue FreeSSL certificates.
Some Certification Authorities, like Comodo, do not have a Trusted Root
CA certificate present in browsers, therefore they need a "chained
root" in order for their certificates to be trusted - essentially
a CA with a Trusted Root CA certificate issues a "chained" certificate
which "inherits" the browser recognition of the Trusted Root
CA. These SSL certificates are known as "chained root" SSL certificates.
Installation of chained root certificates is more complex, and some web
servers are not compatible with chained root certificates.
For a Certification Authority to have its own Trusted Root CA certificate
already present in browsers is a clear sign that they are long-time, stable
and credible organizations who have long term relationships with the browser
vendors (such as Microsoft and Netscape) for the inclusion of their Trusted
Root CA certificates. For this reason, such CAs are seen as being considerably
more credible and stable than chained root certificate providers who do
not have a direct relationship with the browser vendors.
You can view the Certification Authorities who have their own root certificates
by viewing the list in your browser. Click here for instructions.
Chained root certificates require additional effort to install as the
webserver must also have the chained root installed. This is not necessary
for single root certificates.
Both FreeSSL.com's ChainedSSL Wildcard product and Comodo's InstantSSL
product are chained root certificates. However FreeSSL.com own the trusted
CA root used to issue ChainedSSL and are therefore the only stable chained
root provider. Comodo do not own the BeTrusted root used to issue InstantSSL
certificates and therefore cannot offer the stability of ChainedSSL or
our single root certificate StarterSSL.
Why is stability important for SSL certificates?
All SSL certificates issued by FreeSSL.com are issued from a trusted CA
root certificate that is owned by FreeSSL.com. This means that all our
certificates are stable.
Some SSL certificate providers cannot offer this stability. For example,
Comodo InstantSSL do not own their own trusted root, which means that
they can only offer chained root certificates chained to a trusted root
certificate that they do not own. They rely on the trusted root certificate
owner to allow them to issue certificates and have no control over what
the owner of the certificate does with the certificate - as was recently
shown when Baltimore decided to sell its root certificate. The
only way to offer a stable chained root product is to own the root being
used to issue the chained root certificates.
More information about the issues surrounding unstable SSL certificate offerings
is available on SSLreview.
What do you consider low volume, low transaction?
If you have a low volume website and you decide that your customers' confidence
is not affected at all by the brand behind the SSL certificate, or that the
number of customers who would have an issue is insignificant,
then StarterSSL is the perfect answer.
It is all about customer confidence. Whilst StarterSSL technology is production
grade, only you can really determine whether your customers' confidence
will improve significantly if you purchase an established brand like GeoTrust.
As a guide, typical customer transaction value is sub 50 USD, and volumes
of transactions are less than 50 per week.
Note: The 50 per week example figure is simply a commercial guide and
not a technical restriction. Technically the StarterSSL certificate will
not be restricted from conducting more transactions than 50 - they are
still industry standard 128 bit SSL certificates. However it is our opinion
that sites conducting more than 50 transactions will require a Professional
Level SSL certificate due to the increased likelihood that the website's
customers will expect SSL from a highly credible and established SSL provider
and well known internationally accepted SSL brand.
What is a FreeSSL Certificate?
FreeSSL is a FULLY FUNCTIONAL single root test certificate valid for 30
days. It is the only fully trusted single root trial certificate available.
If you need to test your server, or would like to test our support and
issuance speed then FreeSSL is an ideal solution.
FreeSSL certificates have the same browser recognition rates as both our
StarterSSL and ChainedSSL Wildcard, and upgrading to either one of these
certificates is easy.
What browser versions are compatible with StarterSSL, ChainedSSL Wildcard and FreeSSL?
StarterSSL and FreeSSL are compatible with IE 5.01+, Netscape 7+, Mozilla
1+ and are single root install certificates (they do not use chaining
technology), meaning that they are compatible with SSLv2 and SSLv3. Single
root certificates are also more widely accepted by web servers with some
web servers not accepting chained root technology.
ChainedSSL Certificates are compatible with Internet Explorer 5.01+, Netscape
7+, Mozilla 1+. ChainedSSL certificates use chaining technology and require
the webserver to be SSL v3 or above compatible.
Why are you providing StarterSSL and ChainedSSL Wildcard secure server certificates?
By providing StarterSSL and ChainedSSL Wildcard certificates, we are lowering
the barrier of entry for companies and websites wishing to secure their
low volume and low value online transactions and data with the lowest
cost chained root certificates available.
How long are your SSL certificates valid for?
StarterSSL certificates are valid for either 1, 2 or 3 years.
ChainedSSL Wildcard certificates are valid for 1 year.
FreeSSL certificates are valid for 30 days.
Our Professional Level Certificates from GeoTrust are available for up
to 5 years.
When your SSL certificate expires and you wish to renew with us, we will
give you instructions on how to renew with us.
How long does it take to issue my Certificate?
If you need an SSL certificate right away, you have options. If you can
wait 3-5 days, you can get certificates from established vendors that
use slow traditional validation methods. However, immediate issuance certificates
use alternate validation methods. Please review our information on validation
to familiarize yourself with standard methods and question your vendors
when in doubt.
StarterSSL, ChainedSSL and FreeSSL are issued immediately.
Is there a limit to the number of certificates I can order?
We do not limit the number of StarterSSL or ChainedSSL Wildcard certificates
that can be ordered. Go ahead and get as many as you need!
We limit one FreeSSL certificate to a domain name - FreeSSL is only a
test certificate designed to help you test your system and evaluate using
FreeSSL.com for your production certificates.
What is browser ubiquity or browser recognition?
Browser ubiquity is the term used in the industry to describe the estimated
percentage of Internet users that will inherently trust an SSL certificate.
The lower the browser ubiquity, the fewer people will trust your certificate
- clearly, if you are operating a commercial site you require as many
people as possible to trust your SSL certificate. As a general rule, any
SSL certificate with over 95% browser ubiquity is acceptable for a commercial
site.
Ubiquity is however not the only consideration in deciding whether one
SSL certificate is better than another. Many companies running high transaction
volume web sites need to maximize customer confidence and therefore buy
certificates from well known, long time security vendors and mostly use
the major players e.g. GeoTrust and Verisign who are all WebTrust compliant.
If you have a low volume web site and you decide that your customers' confidence
is not affected at all by the brand behind the SSL certificate, or that the
number of customers who would have an issue is insignificant,
then StarterSSL or ChainedSSL Wildcard certificates are ideal.
Can I see which Certification Authorities have their own Trusted CA root present in browsers?
Yes. Your browser contains a Trusted CA root certificate store. You can
access this by opening Internet Explorer, then go to Tools, select
Internet Options, select the Content tab, click Certificates,
select the Trusted Root Certification Authorities tab. You will
then see a dialog box presenting a list of all Certification Authorities
who own their own Trusted CA roots (you can examine the root certificate
by double clicking it):


GeoTrust owns the Equifax root (Equifax Digital Certificate services became
GeoTrust in 2001).


FreeSSL.com's StarterSSL product owns its own root. FreeSSL.com purchased
the USERTrust Network root a number of years ago.

FreeSSL.com's ChainedSSL Wildcard product uses an intermediate certificate
issued by the USERTrust Network root. FreeSSL.com purchased the USERTrust
Network root a number of years ago, making it the only stable
chained root certificate available on the market today.
Can I secure multiple subdomains with a single Certificate?
An SSL certificate is issued to a fully qualified domain name (FQDN).
This means that an SSL certificate issued to "secure.freessl.com"
cannot be used on different subdomains, such as "www.freessl.com".
To get around this restriction we have available ChainedSSL Wildcard Certificates.
Wildcard Certificates allow you to secure multiple subdomains on the same
domain name, thereby saving you time and money, and of course you do not
need to manage multiple certificates on the same server.
So with a single certificate issued to *.yourdomain.com you could protect:
www.yourdomain.com
secure.yourdomain.com
etc.yourdomain.com
For more details on our chained root Wildcard offerings, please click
here. Or please view Professional Level
products for single root, highly credible Wildcard solutions.
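The matching rule behind the wildcard coverage described above, as an added
example (not FreeSSL.com's code). It goes beyond the three hostnames listed to
show the names a wildcard does not cover; the function names and the extra
sample hostnames are assumptions constructed for illustration.

```python
# Added example: does a certificate name such as *.yourdomain.com cover a host?

def _labels(name):
    """Lower-case a DNS name and split it into labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def cert_name_matches(pattern, hostname):
    """Return True if the certificate name `pattern` covers `hostname`.

    Rules applied (RFC 6125 style): comparison is case-insensitive and done
    label by label; "*" is honoured only as the complete left-most label and
    stands for exactly one label, never zero and never several.
    """
    p, h = _labels(pattern), _labels(hostname)
    if "" in p or "" in h:          # empty label: malformed name
        return False
    if len(p) != len(h):            # a wildcard never spans or drops labels
        return False
    if "*" in "".join(p[1:]):       # wildcard outside the left-most label
        return False
    if p[0] == "*":
        # Conservative simplification: demand two fixed labels, so a name
        # like "*.com" is refused outright.
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in p[0]:                 # partial wildcards ("w*") are refused here
        return False
    return p == h


def coverage(pattern, hostnames):
    """Map each hostname to whether `pattern` secures it."""
    return {host: cert_name_matches(pattern, host) for host in hostnames}


# Constructed sample hostnames built on the page's placeholder domain.
SAMPLE_HOSTS = [
    "www.yourdomain.com", "secure.yourdomain.com", "SECURE.YourDomain.com.",
    "yourdomain.com", "a.b.yourdomain.com", "www.yourdomain.com.example.net",
]

if __name__ == "__main__":
    for host, ok in coverage("*.yourdomain.com", SAMPLE_HOSTS).items():
        print(f"{host:35} {'covered' if ok else 'NOT covered'}")
```

The bare domain (yourdomain.com) and deeper names (a.b.yourdomain.com) fall
outside the wildcard, so each needs its own certificate or certificate name.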
What validation processes does FreeSSL.com use?
A trust hierarchy demands that entities "vouch" for each other.
Companies that issue SSL certificates are in the business of establishing
that entities on the web are, in fact, who they claim to be. The potential
for criminal activity on the web (as far as SSL is concerned, anyway) lies in
online ‘hijacking’ of sites or connections to siphon encrypted data.
Persons so inclined can easily "copy" web site interfaces and
pose as well known vendors, simply to collect these data.
SSL certificates work to prevent this through ensuring that www.abc.com
is, in fact, ABC Co. In the “real world”, we use identification
procedures like photo ids, telephone calls and papers of incorporation
to know with whom we’re dealing. If products or services are defective,
buyers can seek recourse. In the “online world”, companies
wishing to use SSL certificates must prove to the certificate authority
that they have the right to present themselves online as ABC Co.
This is done through a variety of means in different SSL products. For
simplicity’s sake, consider the method started and championed by
Verisign, as the ‘traditional’ model. The process involves
certificate petitioners faxing in their articles of incorporation, and
then waiting several days to be granted a certificate to do business online
under that name. There is a fair amount of overhead related to this task,
as these credentials are examined and reviewed, and full-service products
in this arena can cost hundreds of dollars.
There are newer, lower-cost alternatives in which certificates are issued
more quickly. These certificates verify that the certificate holder is
the owner of that domain, assuring customers that URL “owners”
are who they claim to be.
There are also other validation options, like two-way, real-time telephony.
Certificate applicants are required to provide telephone numbers, and
certificate authorities call to verify basic information, yet another
way to seek recourse in the event of problems.
As part of the provisioning process with StarterSSL, ChainedSSL Wildcard
and FreeSSL, your business will be registered with ChoicePoint* and assigned
a ChoicePoint Unique Identifier (CUI) — equivalent to a DUNS number.
The CUI provides a corporate profile to your Internet users through information
embedded in your certificate. The business registration profile initially
contains the basic self-reported information from your CSR — your
Domain, Company Name, Division, Country, State and City. ChoicePoint will
allow relying parties to view and purchase additional data about your
company. With the ChoicePoint Unique Identifier, industry-recognized domain
control authentication, and two-factor telephony authentication, both
of these products add further validation to forge the strongest real-time
authentication process on the market today.
*ChoicePoint is the nation's leading provider of identification and credential
verification services. For more info about ChoicePoint go to www.choicepoint.com.
What type of customer service do you offer?
We offer full telephone, email and web support to our StarterSSL, ChainedSSL,
FreeSSL and Professional Level customers. Our support staff are highly
experienced in supporting SSL and webservers and will be happy to help
you with technical or sales inquiries from 1am to 9pm EST.
© 2003 InnoSSL.com.