security - Shared SSL - Better or worse than resorting to OpenID?


I am working on a project that requires user login / registration. I am using a private hosting provider and I want to host more than one domain on the same plan, so I would like to avoid a personal SSL setup (but when a dedicated IP for a personal SSL certificate is required, then I only plan ... but still All my sites Micro safe to do).

I am debating between

  1. Using OpenID (though all complaints for non-technical audiences I found that will be multiplied on the SO)
  2. Using the shared SSL of my host (which will pop up annoying certificate warnings in the browser for sites which do not match).

What looks like a better option? Or would you suggest that they run away from both and only suggest to buy it and buy additional / better hosting plans?


With the experience of dealing with SO and Google App Engine (and their authentication system) using a fairly simple site, I recommend the following:

  • Do not use OpenID for identification. It can work for authentication with your own identity management, but as such only you try to identify a specific user, there are still problems.
  • How many OpenIDs this would be wonderful for people, so be prepared to support multiple open-end proof URLs (more than 1 plus, maybe more than 2).
  • If high safety is a requirement, be very careful with OpenID. Many people will use providers that they normally only use for low-security tasks (and therefore weak passwords). This particular problem hit Jeff Atwood directly (his account was stolen due to this mistake)!
  • Keep things easy for your users. If you go with OpenID, then emphasize one or two providers, which are already likely (for example, Google), and then generic providers Provide a valuable selection for users with more simple mindedness should not think about OpenID.
  • With that thought, a simple "login with your Google Account" button works wonders. I thought people would be confused in logging into their third party site with their Google Account, but in practice it is not a problem with our .appspot.com domain.

The bottom line is that you should not expect your users to like OpenID, but it can be an acceptable agreement. I do not think showing an invalid certificate has many end users There is a reasonable choice for.

Of course, the different certs option is the most obvious, but you have to decide whether I actually got a pricepace and I have a chopskit for it to avoid myself :)

