Since all webfaction users have a default subdomain at [username].webfactional.com, if the ssl available to all users was assigned to .webfactional.com instead of .webfaction.com (or in addition to), users could direct secure transactions through that subdomain and bypass the browser warnings of a mismatched certificate. For those users who are not trying to run their entire site on ssl, but specific secure transactions, I imagine this to be a viable alternative to purchasing a dedicated IP and a certificate. I am aware of the current methods to set up ssl, but I was wondering if there is any possibility this can be added to webfaction's features in the future?
The question has been closed for the following reason "The question is answered, right answer was accepted" by seanf 25 Jan '16, 22:49
No, sorry - that's not going to happen. By doing so, we would basically be vouching for the security and trustworthiness of every site running on a "webfactional.com" subdomain, and that's not something we can do. If you need SSL with a certificate matching your domain, then your best option is to get a domain name, get a dedicated IP, and then either purchase a certificate from a provider, or get a free certificate from someone like StartSSL.
answered 27 Jun '11, 17:32 seanf
I see, so the ssl setup is very intentional. It allows users to use a certificate but through the warning alleviates any liability.
(27 Jun '11, 17:37)
aishny
That's more or less it, yes. And don't get me wrong, we'd love to be able to offer SSL without the need for dedicated IPs, but right now that's simply not feasible. There is a way to make it work - see Server Name Indication - but it's not well-supported on the client side, so it's not practical for most users.
(27 Jun '11, 17:45)
seanf
We now support SNI on all servers, so if you want to run a HTTPS site using your certificate without a dedicated IP, you can do so. To do so:
(We still don't have plans to add a shared *.webfactional.com certificate.)
(01 Dec '11, 12:59)
seanf
Has this policy changed in the last four years, or is the answer still "no, we don't have plans to add a shared *.webfactional.com certificate"?
(30 Dec '15, 20:38)
enfascination
The policy has not changed.
(30 Dec '15, 20:45)
seanf
By doing so, we would basically be vouching for the security and trustworthiness of every site running on a "webfactional.com" subdomain
How so? All that an SSL certificate for *.webfactional.com would mean is that the host name that your browser is pointing to is the same as on the certificate information (in this case something.webfactional.com). Some kind of 'you're at the right address'. I don't see how this equates to vouching for the security and trustworthiness of those sites.
All you're basically vouching for is that it's hosted on webfaction (which it is), and that you're helping your customers use SSL to protect communication without giving a nasty unnecessary warning. This would prevent making webfaction (and your customers) look unprofessional by issuing a mis-matching certificate.
I thought that the choice for webfactional.com instead of webfaction.com was (at least in part) for this purpose. So that it's very clear this is not actually webfaction.
An alternative solution would be to create a wildcard certificate for *.webfaction-customers.com or a completely unrelated domain name. I think many hosting providers are doing this.
If that was the case (vouching for the security/trustworthiness), then all those SSL providers, particularly instant/cheap ones, will instantly go out of business. How can they vouch for the security and trustworthiness of the websites they issue certificates for? All they do is check that they are the legitimate owners of the domain name.
answered 27 Aug '11, 07:25 yoav_aner
Any SSL certificate includes the name of the person or the company who bought that certificate and they are the ones vouching for the content of the website. If we bought an SSL certificate for *.webfactional.com then we would be vouching for any content under *.webfactional.com served by that SSL certificate.
(29 Aug '11, 04:35)
remi
The same can be said for content under webfactional.com without an SSL certificate. You're the owners of the webfactional.com domain name, so any content under it you're vouching for to a lesser or greater extent. I don't think SSL makes it any different.
(29 Aug '11, 16:36)
yoav_aner
I agree with yoav_aner here. If other hosts are able to provide shared SSL certs (with matching domain name) without being liable for all their users' content, then why not WebFaction?
(24 Sep '11, 02:07)
dzv
Webfaction must be losing a lot of business due to this decision. If you want to develop a simple facebook app then a https domain is a requirement. Heroku & AppFog provide this ability so I don't understand why webfaction can't.
(04 Sep '12, 18:12)
isis
Agree. If it will be a basic non-verified certificate, WF will guarantee nothing. It just enables us to use encryption without scary warnings for some simple tools that do not need their domain.
(15 Mar '15, 18:19)
ibobik
I can't deny the logic in @yoav_aner's comment. It would be nice to have SSL on the *.webfactional.com domain.
(25 Jan '16, 22:02)
JoshS
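The hostname check this thread turns on, as an added example that is not part of the original posts and not WebFaction's code: a simplified RFC 6125-style matcher showing why a default subdomain triggers the mismatch warning and what a `*.webfactional.com` wildcard would and would not cover. The function names are hypothetical, and the certificate name lists are constructed on the assumption that the shared certificate is a wildcard for `*.webfaction.com`, as the question implies.

```python
# Added example: simplified RFC 6125-style matching of a hostname against
# the DNS names in a certificate. Function names are hypothetical.

def _labels(name):
    # DNS names are case-insensitive; ignore a trailing root dot.
    return name.lower().rstrip(".").split(".")

def name_matches(pattern, hostname):
    """Return True if one certificate DNS name covers the hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in p or "" in h:
        return False  # a wildcard stands for exactly one label
    if p[0] == "*":
        # Wildcard accepted only as the whole left-most label, with at
        # least two fixed labels after it (rejects "*.com").
        return len(p) >= 3 and "*" not in "".join(p[1:]) and p[1:] == h[1:]
    # Partial wildcards such as "f*.example.com" are rejected outright.
    return "*" not in pattern and p == h

def cert_covers(dns_names, hostname):
    """A certificate is accepted if any of its DNS names matches."""
    return any(name_matches(n, hostname) for n in dns_names)

# Constructed name lists (assumptions, not taken from real certificates).
SHARED_TODAY = ["*.webfaction.com", "webfaction.com"]
PROPOSED = ["*.webfactional.com"]

def report(hostname):
    return {
        "shared_today": cert_covers(SHARED_TODAY, hostname),
        "proposed": cert_covers(PROPOSED, hostname),
    }

if __name__ == "__main__":
    for host in ("username.webfactional.com",
                 "app.username.webfactional.com",
                 "webfactional.com",
                 "web1.webfaction.com"):
        print(host, report(host))
```

Note that the proposed wildcard would cover only single-label names under webfactional.com: a deeper name such as `app.username.webfactional.com` and the bare `webfactional.com` would still fail the check.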