IT Development/Proposals/SSL
IT Development |
Main page — Infrastructure — Documentation / Tools — Portfolio — Technology Committee — Project requests |
Currently Wikimedia UK has one SSL certificate, set up for the donate.wikimedia.org.uk domain. This proposal addresses the need for a wildcard SSL certificate to allow all of WMUK's web properties to use HTTPS.
Why HTTPS?
Using HTTPS everywhere is good practice; ssl encrypts your connection to the server, ensuring the security of data. This is especially important for the office/board wikis and civicrm, but also WMUK's other "public" sites. In addition, access to the email server requires SSL and currently this is creating an error message due to the use of a self-signed certificate.
A wildcard SSL can be used for all of the .wikimedia.org.uk domains & servers to address these issues.
What is Wildcard SSL?
WMUK's current SSL certificate is signed for donate.wikimedia.org.uk only. This means that it can only be used for HTTPS on that domain (for any other domain, the browser will throw errors/warnings). A wildcard SSL certificate is valid for any subdomain of the wikimedia.org.uk domain.
Obviously, such a certificate comes with additional cost - but given that it can be used for any combination of subdomains, it represents good value for money over purchasing individual certificates.
When registering for an SSL certificate there are also a number of "validation" options, with scaling costs. A basic certificate does no validation and it will be issued merely signed to the domain name, with no other identifying information. More expensive certificates offer warranties on financial transactions conducted through HTTPS, andf these require the sending of some documents to the certifying agent. Finally, the most expensive option involves additional checks, and will validate the name of the organisation as part of the SSL certificate - in practical terms this means that the name Wikimedia UK would appear next to the SSL "lock" icon in browsers, confirming we own the certificate.
Pricing ranges from ~£100 for basic wildcard, up to ~£500 for the most premium options.
Options/Cost
"Signing Authority" is the company that will directly sign your certificate (they in turn will be using a certificate signed by a "Certificate Authority"). Fasthosts/UK-Reg, the company where Wikimedia UK currently registers its domains, does not offer SSL certificates (well, they do but only in association with their dedicated servers!). "Green Bar" refers to the green bar appearing in the browser bar, e.g. http://static.123-reg.co.uk/library/images//v2/ssl/ssl_diff_02.png
Provider | Yearly Cost | Signing Authority | Features | Green Bar? | Notes |
---|---|---|---|---|---|
Gandi Standard Wildcard SSL | £110 (excl VAT) | Gandi |
|
No | Online validation (i.e. not much :)) |
Gandi Pro Wildcard SSL | £237 (excl VAT) | Gandi |
|
No | Paper validation, which means submitting documents to Gandi |
Gandi Business Multi-Domain SSL | £800+ (excl VAT) | Comodo |
|
Yes | Additional validation requirements & as a result the certificate. Also, this is not traditional "wildcard" certificate - you give them a list of domains to sign and they validate only those. This certificate has the "green bar" feature. |
123 Reg Wildcard SSL | £79.99 | 123-SSL | No | Online validation, I don't know who the ultimate Certificate Authority is for this. | |
123 Reg Wildcard SSL | £174.99 | Globalsign | No | Unclear what level of validation is required, but I think that it's document submissions. They check we own the domain. | |
123 Reg Organisational SSL | £224.99 | Globalsign | No | Domain & Business validation, so definitely document submission. | |
Globalsign Domain SSL | £533 | Globalsign |
|
No | Domain validation only
|
Globalsign Organisational SSL | £609 | Globalsign |
|
No | Organisational validation (i.e. documents submission) |
Globalsign Multi-Domain Extended SSL | £1000+ | Globalsign |
|
Yes | Extended checks. Again not traditional wildcard & includes additional costs for extra subdomains (£63 per domain). I've estimated the rough costs to secure all of our domains based on our current subdomains. |