.. from time time, as I discovered when placing an order for new bedding through Sainsbury’s web site.
I’ve been dealing with web servers and SSL certificates since I was a wee nipper. Okay, well, maybe that’s a tad exaggerated – since at least my university days at any rate.
So I was a little shocked when I went to check out my order at www.sainsburys.co.uk to find it had redirected to sainsburys.co.uk which isn’t protected by the SSL certificate Sainsbury’s bought from Verisign.
When you buy a SSL certificate from most SSL vendors, your certificate allows you to use the bare domain (using Sainsbury’s as an example: sainsburys.co.uk) or specific subdomains, namely www (e.g. www.sainsburys.co.uk). From the looks of things, the SSL certificate Sainsbury’s uses only protects www.sainsburys.co.uk.
So when Sainsbury’s checkout system redirected to https://sainsburys.co.uk, I saw the yellow background of shame from Chrome:
I proceeded anyway, despite the URL not matched the SSL certificate, because it the connection is still encrypted.
I reached out via Twitter and the problem was fixed pretty quickly (albeit the subsequent confirmation page was loading non-SSL objects and throwing up further warnings – hopefully Sainsbury’s web team have fixed that as well).
I’d imagine that there was some cock-up in the store code that sets the URL used for the checkout. But this issue would have been less noticeable had Sainsbury’s picked a better single SSL certificate type from Verisign, or had gone for a wildcard certificate. Wildcard certificates protect the bare domain (e.g. sainsburys.co.uk) as well as any other subdomains (e.g. www.sainsburys.co.uk, wibble.sainsburys.co.uk, whatever.sainsburys.co.uk).
Wildcards are considerably more expensive than single certificates, but depending on how Sainsbury’s utilises certificates and the sainsburys.co.uk domain within their organisation (extranets, etc.), it could actually save them money (especially as SSLs can be deployed across many servers – issue once, use many times).
I use a £54 wildcard SSL certificate to protect the whole of drake.org.uk – it’s used by cPanel services (webmail, cPanel, WHM, etc.), the WordPress admin section, the stats server, everything that requires encryption is protected by a single SSL certificate.
I managed to place my order with Saisnbury’s successfully in the end.
This kerfuffle isn’t a big or too a serious problem, but having seen the reaction from customers using self-signed or misconfigured SSL certificates, it’s nevertheless very important to get sites protected by SSL configured properly and tested first. With paranoia with the whole NSA and GCHQ saga at an all-time high, encryption is very much in the public eye at the moment.
Now I’ve got to persuade nectar.com site that I’m not my ex-wife despite me being the only person on the account. And I can’t add a new card holder because the form demands I specify a title AND a gender, but won’t allow me to fill in one without blanking out the other. Data validation gone mad, I tell you.
Fridays are never a good idea to roll out updates or launch new products or services. Sigh.
