While developing for a health care company I've come upon some questions regarding SSL. This is an area I've been unfamiliar with until just recently and I think I understand the basics, but would appreciate a friendly shove in the right direction.

The client's hosting plan includes shared SSL. Some forms on the site will be used to submit patient information which is of course highly sensitive. Are there potential security issues using shared SSL?

What would be the advantages of purchasing a certificate? And is it necessary for the site to reside on its own server if doing so?

Any experiences with particular Certification Authorities would also be great.

I've found lots of info, but most of it seems to come from folks who are selling their own product, so I'm looking for some objective info or first hand experiences.

Thanks.

shared SSL is as secure as your own cert , at least at the sharp end of encryption etc , the main downside is that the URL shown in the browser will not be the same as the users domain , probably something like https: // secure.vendor.com/~username which is a bit offputting to paranoid users

popups can hide this but the standards-compliance police will give you stick for such.

A quick explanation to users should be enough for those who even notice the change of URL!

I could not recommend any one CA over another as I don't fully understand why the prices vary so wildly

Thanks for the reply Firepages.

I'm going to relate what I've learned to my client and let them choose between using their host's shared SSL or purchasing a cert.

Cheers.