IT Development/Proposals/SSL

From Wikimedia UK
Jump to navigation Jump to search
IT Development
Main pageInfrastructureDocumentation / ToolsPortfolioTechnology CommitteeProject requests


Currently Wikimedia UK has one SSL certificate, set up for the donate.wikimedia.org.uk domain. This proposal addresses the need for a wildcard SSL certificate to allow all of WMUK's web properties to use HTTPS.

Why HTTPS?

Using HTTPS everywhere is good practice; ssl encrypts your connection to the server, ensuring the security of data. This is especially important for the office/board wikis and civicrm, but also WMUK's other "public" sites. In addition, access to the email server requires SSL and currently this is creating an error message due to the use of a self-signed certificate.

A wildcard SSL can be used for all of the .wikimedia.org.uk domains & servers to address these issues.

What is Wildcard SSL?

WMUK's current SSL certificate is signed for donate.wikimedia.org.uk only. This means that it can only be used for HTTPS on that domain (for any other domain, the browser will throw errors/warnings). A wildcard SSL certificate is valid for any subdomain of the wikimedia.org.uk domain.

Obviously, such a certificate comes with additional cost - but given that it can be used for any combination of subdomains, it represents good value for money over purchasing individual certificates.

When registering for an SSL certificate there are also a number of "validation" options, with scaling costs. A basic certificate does no validation and it will be issued merely signed to the domain name, with no other identifying information. More expensive certificates offer warranties on financial transactions conducted through HTTPS, andf these require the sending of some documents to the certifying agent. Finally, the most expensive option involves additional checks, and will validate the name of the organisation as part of the SSL certificate - in practical terms this means that the name Wikimedia UK would appear next to the SSL "lock" icon in browsers, confirming we own the certificate.

Pricing ranges from ~£100 for basic wildcard, up to ~£500 for the most premium options.

Options/Cost

"Signing Authority" is the company that will directly sign your certificate (they in turn will be using a certificate signed by a "Certificate Authority"). Fasthosts/UK-Reg, the company where Wikimedia UK currently registers its domains, does not offer SSL certificates (well, they do but only in association with their dedicated servers!). "Green Bar" refers to the green bar appearing in the browser bar, e.g. http://static.123-reg.co.uk/library/images//v2/ssl/ssl_diff_02.png

Provider Yearly Cost Signing Authority Features Green Bar? Notes
Gandi Standard Wildcard SSL £110 (excl VAT) Gandi
  • 2048 bit key
  • 60 Day Money Back Guarantee
No Online validation (i.e. not much :))
Gandi Pro Wildcard SSL £237 (excl VAT) Gandi
  • 2048 bit key
  • 60 Day Money Back Guarantee
  • Secure transactions up to $250,000
No Paper validation, which means submitting documents to Gandi
Gandi Business Multi-Domain SSL £800+ (excl VAT) Comodo
  • 2048 bit key
  • 60 Day Money Back Guarantee
  • Secure transactions up to $250,000
  • Validated by Comodo
Yes Additional validation requirements & as a result the certificate. Also, this is not traditional "wildcard" certificate - you give them a list of domains to sign and they validate only those. This certificate has the "green bar" feature.
123 Reg Wildcard SSL £79.99 123-SSL No Online validation, I don't know who the ultimate Certificate Authority is for this.
123 Reg Wildcard SSL £174.99 Globalsign No Unclear what level of validation is required, but I think that it's document submissions. They check we own the domain.
123 Reg Organisational SSL £224.99 Globalsign No Domain & Business validation, so definitely document submission.
Globalsign Domain SSL £533 Globalsign
  • $10K warranty
  • 2048 bit key
  • Free site malware monitor
No Domain validation only


Globalsign Organisational SSL £609 Globalsign
  • $1.25M warranty
  • 2048 bit key
  • Free site malware monitor
No Organisational validation (i.e. documents submission)
Globalsign Multi-Domain Extended SSL £1000+ Globalsign
  • $1.5M warranty
  • 2048 bit key
  • Free site malware monitor
Yes Extended checks. Again not traditional wildcard & includes additional costs for extra subdomains (£63 per domain). I've estimated the rough costs to secure all of our domains based on our current subdomains.