Mobile Devices and SSL

I really do learn something new every day. I’ve been handling eCommerce sites for a while now (as well as some other types of secure sites) and I knew that Secure Socket Layer certificates (SSL) came in many flavors (and styles!), but I always thought of it like car insurance: if you want better coverage, pay more. If you just need to be covered to drive, get 1-800-Safe-Auto.

Well, today I learned something new, but it took some doing, so I’m hoping I can save someone else time and effort through the magic of Google search. Here’s the backstory: Mad Science Department got brought in a few months ago to help patch up and update an existing eCommerce site. We added true credit card processing, helped the client through the Labyrinth that is Authorize.net (which is a whole separate post, provided there’s enough Run in my beaker), and patched some security holes. In the process, we had the host apply a stock SSL. All smooth and cool, right?

This morning we got a note from the client’s local folk, saying that the client cannot access the site admin (under SSL) from a mobile device! Oh no! So after recreating the issue on my handy dandy iPhone, I contacted the host, who assured me that the SSL was working properly. Well, that’s a weight off my shoulders, but why isn’t it working for mobile? Host’s support didn’t know, suggested it had something to do with the phone. Hrumph.

So I checked the cert and tracked down the issuer. This is where a nice young man called Jeff comes in. He explained to me that the various SSLs actually use different types of encryption, and therefore some certificates which are perfectly good for web use simply cannot encrypt data over mobile networks (GSM, G3, etc.). In order to add this level of encryption, my client would have to upgrade to a higher premium, which would allow for more diverse and stronger coverage. Now I know.

I don’t usually give shout outs in my Lab Notes, but Jeff from Comodo was very helpful, so thanks.


One Response to “Mobile Devices and SSL”

  1. You’ll also find that some mobiles (old Treos) don’t support the standard of SSL used nowadays, so they will not be able to connect to various websites (i.e. webmail) – best advice is to buy a new phone in this case.
    Also be wary that some cell phone providers lock down which certificates can be trusted, which makes it harder to install certificates on the phone (or even add support for common certificates like GoDaddy’s).
