# Mobile Applications, SSL Certs, and Encryption



## cmd12188 (Jul 6, 2007)

Hello, 

I have a scenario that I am not personally familiar with, and I would really appreciate some guidance. 

I have a server in house running Windows Server 2003. I recently paid an app developer to develop and install a web-based Java application on this server. After forwarding the respective ports to the local address where this application is being hosted, I am successfully able to open a browser and hit this application both internally using the local IP as well as externally, using my public IP.

Now, I would like to secure the communication for my mobile workforce by encrypting the transmission of information from their mobile phones to this application. I think this is where Secure Socket Layer comes into play. I understand that SSL works in conjunction with a specific domain, and cannot be used solely with an IP address or DDNS.

The company that I work for already owns a domain with iPage hosting [call it example.com], and according to their support team, I would need to purchase a WildCard SSL for my needs, and then create an A record pointing to my public IP [call it webapp.example.com]. With this said, iPage does not offer WildCard SSLs, so what are my options? Am I limited to purchasing/transferring my current domain to another hosting company that offers WildCard SSLs? Is a WildCard SSL even the type of SSL that I am looking for?

Also, correct me if I'm wrong, but the sole purpose of an SSL certificate is to verify the identity of the server that one is communicating with. In other words, if I access this webapp via the external IP using https://123.45.67.890 or my custom A record using https://webapp.example.com, would the transmission of information still be encrypted, or is encryption the responsibility of the SSL cert?

Thanks in advance, 

Chris


----------



## Stephen Bowles (Jan 28, 2011)

There are different types of SSLs. A Wildcard SSL will allow you to secure multiple domains, assuming the end domain is always the same, with the same certificate, i.e., webapp.example.com and anotherapp.example.com.

iPage support may have suggested this if your currently secured domain is themainapp.example.com (for example) and you now wish to secure webapp.example.com.

If, however, you currently have no SSLs and you only wish to secure this one domain, then you do not need a Wildcard SSL. It sounds like what you need is a Domain Validated Certificate (DV) (or maybe a Company Validated Certificate, perhaps an EV (extended) if needed). These certificates mostly do the same thing, although providing more verification of who you are as they go on.



cmd12188 said:


> ...With this said, iPage does not offer WildCard SSLs, so what are my options? Am I limited to purchasing/transferring my current domain to another hosting company that offers WildCard SSLs?...


You can purchase certificates from providers such as Comodo and you should be able to stay with iPage for your domain and hosting needs.



cmd12188 said:


> ...
> Also, correct me if I'm wrong, but the sole purpose of an SSL certificate is to verify the identity of the server that one is communicating with.
> ...


Yes. You can use HTTPS without an SSL, but by providing one, it allows clients to verify you. Without providing one, whenever a client attempts to connect to your site, their browser will show a warning page.



cmd12188 said:


> ...
> In other words, if I access this webapp via the external IP using https://123.45.67.890 or my custom A record using https://webapp.example.com, would the transmission of information still be encrypted, or is encryption the responsibility of the SSL cert?
> ...


No (and yes). As soon as a user goes to an IP address under HTTPS, they would get a warning from their browser, unless you had a certificate that verifies the IP address (you can get them). If they continue through the warning, often it will redirect them to the looked-up domain name, which will hopefully have SSL and show no warning. Unless your IP address is not going to change, it is probably easier just to get an SSL for your domain.


----------
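
The name checks discussed in the reply above (one wildcard certificate covering webapp.example.com and anotherapp.example.com, and an IP address needing its own certificate entry), sketched as an added example that is not part of any post in this thread. The sample certificates are constructed in the shape Python's `ssl.SSLSocket.getpeercert()` returns, 203.0.113.10 is a documentation address standing in for the public IP, and the helper names are hypothetical; it illustrates the matching rule and does not replace a TLS library's own verification.

```python
import ipaddress

# Constructed samples, shaped like the dict ssl.SSLSocket.getpeercert() returns.
# 203.0.113.10 is a documentation address standing in for the public IP.
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.example.com"),)}
SINGLE_CERT = {"subjectAltName": (("DNS", "webapp.example.com"),)}
IP_CERT = {"subjectAltName": (("DNS", "webapp.example.com"),
                              ("IP Address", "203.0.113.10"))}


def dns_name_matches(pattern, host):
    """Hypothetical helper: wildcard allowed only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False  # '*' spans exactly one label, so depth must be equal
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_covers(cert, target):
    """Hypothetical helper: True if a SAN entry of the cert matches target."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None  # not an IP literal, so treat it as a DNS name
    for kind, value in cert.get("subjectAltName", ()):
        if ip is not None:
            # IP literals are compared only against IP entries, never DNS ones
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and dns_name_matches(value, target):
            return True
    return False


if __name__ == "__main__":
    for name, cert in [("wildcard", WILDCARD_CERT), ("single", SINGLE_CERT),
                       ("single+ip", IP_CERT)]:
        for target in ["webapp.example.com", "anotherapp.example.com",
                       "example.com", "203.0.113.10"]:
            print(f"{name:10} {target:24} {cert_covers(cert, target)}")
```
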



## Fjandr (Sep 26, 2012)

Just a note, you can't actually use HTTPS without SSL, since HTTPS is HTTP layered over SSL/TLS.

What you can also do is sign your own certificate. If only your mobile workforce is connecting, you can install your self-signed cert on any device they use. A public SSL cert is only necessary for external users who won't necessarily know to trust your self-signed cert. It is a bit more work though, so it may be easier to just buy a cert if your company budget doesn't care about maximum cost savings.

A public cert will be one issued by an entity already installed in all browsers, such as Comodo, VeriSign, Thawte, DigiCert, GlobalSign, GeoTrust, RapidSSL, etc.


----------



## cmd12188 (Jul 6, 2007)

Thank you both for your input!


----------

