Idiots Guide To Dynamic Website Seals Please (and how to build them)

[british steve]

If I wanted to launch a new business and provide all my customers with a secure dynamic (so we could turn it off if necessary) website seal (like you get with some SSL certificates - but this requiremnent is not for SSL certs) how would you go about setting this up and what you you need other than servers and developers etc? Platform would need to be able to extend to potentialy hundreds of thousands (or more) live website seals at any one time.

Have an idea for a unique business and have decided to look in to it a little further!

Also looking for any potential developers who could actually build this or any further suggestions or advice how to build this or move forward.

Thanks

 

[karmacomputing]

Hi Steve,

When you say "website seal" do you mean the name that appears against an SSL certificate? This is known as the Certificate Authority, (CA). You say "but this requiremnent is not for SSL certs" so what is the seal, is it a embedded picture, something else?

If changing an SSL 'seal' is indeed what you're referring to then, you would need to become a certificate authority. This isn't a small undertaking. I'm trying to think of a bricks and mortar comparison, but one does not simply become a certificate authority; Signed Certificates work on a assurance referred to as "Nonrepudiation" , and enforced by a chain of Certificate Authority's signing certificates down to what's called a Root CA. This is how websites allow you to 'change' the name on the seal- a certificate is signed by a CA with a company name of your choosing e.g. example.com , could show Example Ltd on the 'seal'.

Now, if you're simply looking to offer a scalable service which gives out SSL certificates, there's nothing unique here, for example letsencrypt allows automation of SSL certificate signing.
Having said that, to the lay person anything technical like 'SSL' is already too confusing so perhaps your packing something up so that people don't need to worry about that. But ultimately you probably don't want to be in the business of becoming a CA, and I would question the benefit of being able to change the "seal" name anyway- it's mostly not on show by default anymore in most browsers, and if you did show something unfamiliar to the user it would be more concerning for them than reassuring.

Sorry that's a lot of text if you're not referring to SSL certs, but may be of interest to others

 

[british steve]

Nothing to do with SSL certs - just interested in the technology behind site seals.SSL was just for reference!

Just want to find out how to build, control and mange site seal across what would I hope be hundreds of thousands of domains / websites - assuming site owners would sign up for the service.

 

[fisicx]

The process of ordering a seal and allocating a ID is easy. You can do this the same way you do for any other downloadable product. All you do then is send the integration code. This is usually a simple HTML import. For wordpress and other CMS you can have a plugin/extension.

This is how I manage all my plugins - it's all automated and trouble free.

 

[andygambles]

Technically it is pretty simple to implement. Build it with a client side language such as JS then any site can use it and not worry about coding language. You can also make use of browser caching to reduce load on your own systems.

The JS would then call an API to get the information needed to put in the seal.

The difficult part is actually validating the information you put in the seal.

If you are putting in a company name how do you know this is correct?
How do you know the site the seal is being used on is the same company?
How are you going to deal with consumers that rely on the seals trustworthiness and then get ripped off?
What insurances will you have in place?
What about preventing abuse?
Are you going to limit the domains the seal can be used on?
What efforts will you put into getting websites using the seal without authorisation to take it down?

These are the more difficult things to manage.

 

[british steve]

fisicx - this would need to be designed to work on all websites regardless of which platfrom they are built on - not just Wordpress

The difficult part is actually validating the information you put in the seal.

If you are putting in a company name how do you know this is correct? Will be checked manually - later this will be automated
How do you know the site the seal is being used on is the same company? Domain locked
How are you going to deal with consumers that rely on the seals trustworthiness and then get ripped off? See below for more details
What insurances will you have in place? Not SSL so no Insurance required
What about preventing abuse? See below for more details
Are you going to limit the domains the seal can be used on? Will also offer wildcard to cover all sub-domains
What efforts will you put into getting websites using the seal without authorisation to take it down? By using Dynamic seal can effectivly switch it off!

These are the more difficult things to manage.

Without giving any detail about real concept / project here is a very simple analogy

Website owner / customer buys service and downloads and installs site seal on to predetermined (by domain) website which could include sub domains if necessary

Customer visits website, see's the site seal and hovers over it which expands to provide more info such as date, seal validity etc. Seal would also have a like and dislike button and abuse button if what was on the website was not what they were expecting to see!

 

[fisicx]

fisicx - this would need to be designed to work on all websites regardless of which platfrom they are built on - not just Wordpress

I know. I was just pointing you could build a plugin (for wordpress) or an extension for other platforms that install the seal for you.

This really isn't a complicated thing to do. Everything would be handled on your site (ordering, payment and validation). Your would have a database with the user ID and target site. The user would run a script on page loads that checks if they are authorised to use the seal. In not they get an 'unauthorised use' message.

This sort of thing has been around for years. You can probably find a ready made script you could adapt.

 

[british steve]

I know. I was just pointing you could build a plugin (for wordpress) or an extension for other platforms that install the seal for you. From my point of view I think it would be far simpler if the customer installed provided code on own site - less things to go wrong on my side! When I have bought SSL certs its pretty much just given me a piece of code to install but if building plugins / extensions works then so be it! Light touch is better for us

This really isn't a complicated thing to do. Everything would be handled on your site (ordering, payment and validation). Your would have a database with the user ID and target site. The user would run a script on page loads that checks if they are authorised to use the seal. In not they get an 'unauthorised use' message.Bingo!

This sort of thing has been around for years. You can probably find a ready made script you could adapt.Not really sure what I am looking for to make this all work - also still only an idea in my head at the moment

Would need to build a system / platform that could cope with unlimited domains!

 

[Alan]

Would need to build a system / platform that could cope with unlimited domains!

Scaleable cloud based apps platform like
- Firebase
- Google App Engine
- Herouku
and I'm sure there are more would be your starting point.

The actual 'seal' from and end users point of view would just a javascript file e.g.

<div id="#myseal"></div>
<script src="https://mysupercdn/mysealscript.js">

the javascript would do the validation ( make sure it is on the right domain ) and call a backend process to retrieve the seal data - the back end process could be written in a superfast language like GoLang, although initial for Minimum Viable Product (MVP) any backend via an API would work.

You would also need a custom webapp to sell / register the seals, that web app could be written in anything such as PHP/Laravel ( or even WordPress ).

It is an interesting project, to get the technology to a MVP shouldn't be to expensive. However the marketing to get the message out there to 100 of thousand or even millions of websites is a different story and an order of magnitude more expensive.

 

[fisicx]

The database can be as big as you want. The only thing that would slow it down is where you host it.

There isn't a lot of data to store (customer ID, domain, likes, report, customer details) so each request would only take a nanosecond.

The bit to order/download the script isn't anything complicated. It's a basic transaction script.

 

[british steve]

Anyone want to giving some ballpark numbers on build costs? Just want to get some sort of idea both MVP and full blown all singing and dancing. Just want to see if its viable really!

Would need a basic customer backend to provide usage stats (how many people even look at stats?) that could be further built on and developed over a period of time.

System security would be the number one priority!

Spoken to a few people I know who like the idea and think that with the right marketing it will fly! Or of course it could turn out to be yet another (No 3) epic and expensive failure. which would be a bit of a bugger!

I alreay have a viable route to market - which thank **** is not Google Adwords - or or anything else Google!

I already have the domains registered for this

 

[andygambles]

When I said insurance I meant insurance about being sued by someone who relied on your seal and then got defrauded.

By abuse I mean people will create their own version of the seal. They could even build their own dynamic seal. Website seals can be easily copied. You would not be able to disable it if someone made this themselves.

Companies like Norton spend mega bucks issuing takedown notices against websites showing fraudulent seals to prevent devaluing of the seal.

 

[fisicx]

Good point. It’s easy to scrape the js and copy the actual seal. Set up a dummy domain and resel the seal.

As to costs of the project, I did the sums last night and I reckon around £3000. Most of the money will be the database management systems - so you can edit/delete users. Another chunk will be setting up the subscription software. Unless you only want a single payment.

 

[british steve]

Good point. It’s easy to scrape the js and copy the actual seal. Set up a dummy domain and resel the seal. It’s easy to copy any element of any website - not a huge amount I can do about that one other than cease and desist letters and threat of court action where nesessary! Unlikely to get sued by someone relying on the site seal - as I said before this is not for SSL or anything similar!

As to costs of the project, I did the sums last night and I reckon around £3000. Most of the money will be the database management systems - so you can edit/delete users. Another chunk will be setting up the subscription software. Unless you only want a single payment.Have quite a lot of experiance with MongoDB? - used to manage quite a few wifi hotspots. Payments would be made yearly in advance. Would quite like to incorporate stats thats automaticaly get emailed to customer weekly or monthly etc - we offer our wifi customers access to usage stats and less than 3% ever bother logging in to view

I am quite tempted to push forward with this idea! What would be build time?