Is there anything inherently more insecure about using a wildcard SSL certificate over a regular SSL certificate?
We are looking to implement a subdomained web application (a la FreshBooks and BaseCamp, where users pick a subdomain), and one of our team members is concerned that a wildcard SSL approach is not secure enough (if so, how do FreshBooks and BaseCamp do it?!?).
The alternate solution is to use a single subdomain, like https://ssl.domain.com and when a user types in http://user.domain.com we set the subdomain in the session, and immediately redirect the user's future requests to "https://ssl.domain.com" and use the session information to show the user's information.
My concern is that if a user wants to send a link to their domain to a friend, they will copy/paste the URL in the browser (now https://ssl.domain.com) which will be our main home page, and not the user's home page.
BTW, if I have missed a major best-practice for this kind of scenario, please let me know.
Best Answer
To my knowledge, there is no difference between wildcard and normal certificates. So long as you have full control over domain.com's DNS, then there's no reason not to use a wildcard. In fact, I would recommend it in your case. What are your specific concerns with them? (IMO, redirects such as the one you suggest are always a bit of a fudge when they're visible to the end user.)
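
Added example, not part of the question or the answer above: a Python sketch of the check a signup flow could run so that every user-picked subdomain stays inside what a `*.domain.com` certificate covers (one left-most label only). The `RESERVED` set and the function names are assumptions made for illustration; `domain.com` is the placeholder domain used on the page.

```python
import re

BASE_DOMAIN = "domain.com"                  # placeholder domain used on the page
WILDCARD = "*." + BASE_DOMAIN               # name on the wildcard certificate
RESERVED = {"www", "ssl", "mail", "admin"}  # assumed names kept for the operator

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; max 63 chars.
LABEL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def wildcard_covers(pattern: str, hostname: str) -> bool:
    """True if the certificate name `pattern` covers `hostname`.

    A wildcard stands for exactly one left-most label, so *.domain.com
    covers user.domain.com but not domain.com or a.b.domain.com.
    """
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname          # ordinary name: exact match only
    suffix = pattern[1:]                    # ".domain.com"
    if not hostname.endswith(suffix):
        return False
    left = hostname[: -len(suffix)]
    return bool(left) and "." not in left


def tenant_host(requested: str) -> str:
    """Turn a user-picked subdomain into a hostname the wildcard covers."""
    label = requested.strip().lower()
    if not LABEL_RE.fullmatch(label):
        raise ValueError("subdomain must be a single DNS label")
    if label in RESERVED:
        raise ValueError("subdomain is reserved")
    host = f"{label}.{BASE_DOMAIN}"
    if not wildcard_covers(WILDCARD, host):  # defence in depth
        raise ValueError("hostname not covered by the certificate")
    return host


if __name__ == "__main__":
    # Constructed sample inputs.
    for name in ["user", "Acme-Inc", "a.b", "ssl", "-bad"]:
        try:
            print(name, "->", tenant_host(name))
        except ValueError as err:
            print(name, "-> rejected:", err)
```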