Although an SSL certificate can produce certain error notifications for users of older browsers, certificate-authenticated SSL is considered mandatory by all security guidelines whenever a web site hosts confidential information or performs material transactions.
- "There is a problem with this website's security certificate" appears when you try to visit a secured website in Internet Explorer. This problem can occur if the client computer's clock is set so that the date/time is later than the expiry date of the web server's SSL certificate. http://support.microsoft.com/kb/931850
- http://windows.microsoft.com/en-US/windows-vista/About-certificate-errors
Wildcard Domains:
Unfortunately, there has never been a good RFC on how wildcard matching works, so the different implementations (mainly SChannel and NSS) behave slightly differently. However, here's the draft standard which will pin this down:
http://tools.ietf.org/html/draft-saintandre-tls-server-id-check-09#section-4.4.3
And here's Microsoft's take on it:
http://support.microsoft.com/kb/258858
Accepted wildcard examples
- www.example.com matches www.example.com
- *.example.com matches www.example.com
- w*.example.com matches www.example.com
- ww*.example.com matches www.example.com
- Www.Example.com matches www.examPle.cOm
Nonaccepted wildcard examples
- *www.example.com
- *w.example.com
- w*w.example.com
- *ww.example.com does not match www.example.com
- www.e*ample.com does not match www.example.com
- www.*ample.com does not match www.example.com
- www.ex*.com does not match www.example.com
- www.*.com does not match www.example.com
- example.com does not match *.com does not match www.example.com
- www.example.abc.com does not match *.abc.com
- example.com does not match *.*
- example does not match *
- abc.def.example.com does not match a*.d*.example.com
- www.example.com.au does not match *.*.com.au
- www.example.com.au does not match www.*.com.au
Basically, a wildcard may appear as the left-most label and it matches exactly one label. So *.example.com matches www.example.com, but not example.com (because that would mean matching zero labels).
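The rules in the lists above can be written as a small matcher. This is an added example, not code from Microsoft, NSS or the IETF draft. The function names and the MIN_LITERAL_LABELS threshold are assumptions chosen so that the page's "*" case is rejected.

```python
MIN_LITERAL_LABELS = 2  # assumption: labels required to the right of a wildcard label

def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if the certificate name `pattern` covers `hostname`."""
    p_labels = pattern.lower().split(".")   # DNS names compare case-insensitively
    h_labels = hostname.lower().split(".")
    # The requested hostname must be literal, with no empty labels.
    if "*" in hostname or not all(h_labels):
        return False
    # A wildcard spans exactly one label, so the label counts must agree.
    if len(p_labels) != len(h_labels):
        return False
    first, rest = p_labels[0], p_labels[1:]
    # Labels to the right of the left-most one must be literal and equal.
    if any("*" in label for label in rest) or rest != h_labels[1:]:
        return False
    if "*" not in first:
        return first == h_labels[0]
    # Rejects bare "*" and "*.com" style patterns (assumed threshold).
    if len(rest) < MIN_LITERAL_LABELS:
        return False
    # One "*" only, and only as the last character: "*", "w*", "ww*".
    if first.count("*") != 1 or not first.endswith("*"):
        return False
    return h_labels[0].startswith(first[:-1])

# (pattern, hostname, expected) taken from the lists on this page.
PAGE_CASES = [
    ("*.example.com", "www.example.com", True),
    ("ww*.example.com", "www.example.com", True),
    ("Www.Example.com", "www.examPle.cOm", True),
    ("*ww.example.com", "www.example.com", False),
    ("www.e*ample.com", "www.example.com", False),
    ("*.abc.com", "www.example.abc.com", False),
    ("*", "example", False),
    ("a*.d*.example.com", "abc.def.example.com", False),
    ("www.*.com.au", "www.example.com.au", False),
    ("*.example.com", "example.com", False),
]

def mismatches():
    """Return the page cases where the matcher disagrees with the page."""
    return [c for c in PAGE_CASES if wildcard_matches(c[0], c[1]) != c[2]]

if __name__ == "__main__":
    for pattern, host, _ in PAGE_CASES:
        print(f"{pattern!r:24} vs {host!r:24} -> {wildcard_matches(pattern, host)}")
```

Real TLS stacks differ in the details, as noted above, so a matcher like this is useful for reasoning about which names a certificate should cover rather than as a replacement for the library's own check.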