
Author Topic: What is the need for HTTPS? I have PayPal Standard acct but may add others

Offline DavidLIR

Do I need to have HTTPS activated on my domain? It will cost me $30/year with my hosting package. I have a PayPal Standard account and I know that they process all the card information; however, there is personal information on the personal account pages where individuals sign in for my store. Is this information already secure, or do I need to have HTTPS in order to have that be secure for my customers?

Can someone please enlighten me on this question?

Thank you,
David
Love is Real....All Else is Illusion

Offline abantecart

Re: What is the need for HTTPS? I have PayPal Standard acct but may add others
« Reply #1 on: November 20, 2013, 08:23:02 PM »
It is recommended to have HTTPS if you operate with customers' personal information. You can find a RapidSSL certificate for about $10 per year.
We need your help to build better free open source eCommerce platform for everyone.
See how you can help

Offline DavidLIR

Re: What is the need for HTTPS? I have PayPal Standard acct but may add others
« Reply #2 on: November 20, 2013, 11:10:37 PM »
Abantecart,

Thank you for the reply. I have tried to find the answer to this question...perhaps you know. I have AbanteCart installed on an add-on domain. Would I install the SSL certificate on the main domain...and then it would apply to all the domains under it? Or would it only apply to one domain? I believe if I do it through my domain hosting plan it applies to all the domains.

Thank you,
I appreciate any help with this.
David
Love is Real....All Else is Illusion

Offline llegrand

Re: What is the need for HTTPS? I have PayPal Standard acct but may add others
« Reply #3 on: November 21, 2013, 09:57:21 AM »
Hi DavidLIR,

Let me add my opinion to this; it does vary from AbanteCart's. But after more than a decade of running online sites for ecommerce, directories, blogs, and content management, I have developed guidelines for my operation that seem to work.

In my opinion you only need a real SSL when you are capturing and/or keeping credit card or bank account info on YOUR server. If you are passing transactional information to PayPal or some other gateway BEFORE the customer has to input the credit card information, then you don't need to have SSL on your site.

If you are only storing your customers' name/address/phone, these pieces of information are easily found in many, many places and don't require SSL in my opinion.

In addition to the increased cost of having the SSL, there is a cost in the delivery speed of your site pages also.
Here's a link to a good article that explains it better.

http://support.exware.com/ssl.html

You will need to check with your hosting, but a shared SSL usually doesn't provide enough protection for running the PCI for the credit card processing.

But I do often use the shared SSL (or a self-signed certificate) for the email portion of my sites. In my experience shared SSL or self-signed certs do not show on your public links; that means they don't need the https for the URL.
The shared SSL certificate is intended to be used in situations where you wish to have a secure connection to the server that is not typically seen by the general public. For example, when logging into the administration area of your website.
Shared SSL is not recommended for e-commerce sites, because customers expect to see your domain in the URL. And if you attempt to use your domain name with the shared certificate, it is not guaranteed to work. Even if visitors can see your site, the shared SSL warnings will make customers uncomfortable submitting their credit card information through your website.
In summation: if you determine you do need an SSL for your customers' "peace of mind", you will need to use a private SSL rather than a shared one.
Lee


Offline DavidLIR

Re: What is the need for HTTPS? I have PayPal Standard acct but may add others
« Reply #4 on: November 21, 2013, 05:05:25 PM »
Very useful information, Lee, thank you. Looks like we would not need the SSL at this time because all the 'sensitive information' is being collected on the PayPal site....

David
Love is Real....All Else is Illusion

Offline DavidLIR

Re: What is the need for HTTPS? I have PayPal Standard acct but may add others
« Reply #5 on: November 22, 2013, 09:14:10 PM »
Lee,
After considering the information, we feel it would be helpful for the customers' peace of mind to have the SSL certificate...to show the little lock on the page when they are setting up an account on our website...

Is there a way to set this up so that it is only secured on the login, account, and checkout pages...but not on the general open pages?

Also I noticed that in the extensions there is an 'encryption_data_manager' extension...with a warning that it cannot be uninstalled once installed....I can get the SSL from the site AbanteCart suggested for $10.00 as he said...however I would like to have some info on what to do before starting with that....and do we use the above extension as part of this setup...

Thank you,

David
Love is Real....All Else is Illusion

Offline llegrand

Re: What is the need for HTTPS? I have PayPal Standard acct but may add others
« Reply #6 on: November 22, 2013, 11:34:04 PM »
David,

First: I believe the encryption data manager from AbanteCart is standalone data encryption. This note in the documentation is pretty straightforward:
NOTE: Do not confuse SSL data encryption with signed SSL certificates (HTTPS) used for browser access to sites

Next, things that you might not know:

An SSL certificate is purchased for the entire domain name (be sure you're getting one that works for both www. and no www on your domain, as most sites now work either way or set up redirects to handle it; but to an SSL cert www.mydomain.com and mydomain.com are two different names). And if you are running in a subdomain, that is a standalone name, or you can buy a wildcard cert for mydomain.com and it will cover no www, www, and all subdomains on mydomain.com.

Also you must have a dedicated IP address for your domain. If you are on a hosted account, you can usually obtain a dedicated IP address for a couple of bucks a month more.

Next, in most cases you can control the pages or sections of your site, having some under http:// and others under https://. This is usually done via .htaccess and rewrites. I am unsure how this would need to be engaged within AbanteCart as I haven't done it.

Unless you are quite comfortable with adding things and solving any server setup issue, I would suggest seeing what your hosting provider is offering for SSL, and most importantly whether they will install it. The other question is to see what they will charge to install a cert they didn't sell, or if they will do that at all.

I don't like doing things to my server personally, so I either use a managed server box (which is what I am testing AbanteCart on), or on self-managed servers I use a server admin service. In either configuration I just let those guys install my certs and attend to my annual renewal updates. My feeling is they know the server side and I don't, so I let them attend to it.

The certificate cost is an annual fee, not a one-time fee, and most certs issue a new key when you renew; that key has to be changed in your server information for your cert to continue to work correctly. It's just maintenance, not hard, but it has to be done or customers get scary warnings when things are out of sync. Since it is once a year, it sometimes gets overlooked, or you can purchase for extended periods of time (multiple years).

For me, since the setup of the keys is critical and it comes so infrequently, I always have someone else do it for me, as I tend to forget some important step when it comes up. Once you get the rewrites set up (and AbanteCart can direct you there), that won't need attention.

I hope this provided a bit more clarity rather than a bit more confusion.

Lee

Offline abantecart

Re: What is the need for HTTPS? I have PayPal Standard acct but may add others
« Reply #7 on: November 23, 2013, 10:07:05 AM »
Thanks llegrand for your detailed explanation.

Offline DavidLIR

Re: What is the need for HTTPS? I have PayPal Standard acct but may add others
« Reply #8 on: November 23, 2013, 01:36:29 PM »
Lee, and Abantecart,

Thanks for the great information. It sounds like you may be saying that it would be better, or at least easier, to just have the hosting provider do the SSL install....I checked and they said it would be for the entire domain I have, which if I understand correctly would include the add-on domains..since they are under the main domain in the directory...I have WebHostingPad for my hosting... I am asking about the dedicated IP...perhaps that is already a part of what they do...I have found them to be a reliable hosting company so far...

Still not sure I understand the need for the data encryption manager that is on AbanteCart vs. and/or the SSL package that I would get, say, from my hosting company...do I need both??? Or for the basics that I am doing, will the SSL cover what I need?

Thanks again,
You both have been so helpful

David

I would need help with how to do .htaccess and rewrites...
Love is Real....All Else is Illusion

Offline llegrand

Re: What is the need for HTTPS? I have PayPal Standard acct but may add others
« Reply #9 on: November 23, 2013, 04:33:44 PM »
This is going to be a longer answer than you expected, but I believe knowledge is power, or at least a path to understanding to help make a good decision. 8)

The encryption manager that is on AbanteCart is server-side encryption. The data on the server is encrypted, not the transmission of the data. I have not explored the functionality of AbanteCart data encryption. Encrypting the data is not a level of security that I think I need in my cart operations, as I pass communication of critical info to the payment gateway servers.
SSL is client-side encryption: the data is transmitted over an encrypted connection.
This will be a very simplistic explanation, but I think it will help clarify the process for you, hopefully. Hope you're familiar with the old Buck Rogers decoder ring; encryption is like that. Both ends of a message have the same set of instructions. If you're not privy to the specific set of instructions, understanding the message won't be easy (not impossible).
Now think of a cord being plugged into a receptacle: one must align prongs with the holes in order to obtain connection. That's the SL (socket layer) of SSL. The first S is for Secure, and that's the encryption part.
So the SSL (secure socket layer) means that a user someplace is connecting to your server over a "cord" that is aligned (plugged in), and both ends have the decoder ring instructions. The intent is to make it more difficult for someone "listening in" to understand the conversation because they don't have the decoder ring instructions. Now there are various levels of encryption; I am sure you've seen 256 and 428 expressed. That refers to the bits of encryption level, and the more levels, the more difficult to "break the code". More difficult, not impossible.
That's SSL in a very basic description. Remember SSL is a conversation that takes place to your server, and the files are placed in a directory on your server in a location that requires the decoder key.
I would not think that a standard cart would ever need both of these. Of the two, SSL makes more sense in that you are concerned about customer perceptions of security.
I think the question is not to ask what 100% security would look like (it would be unusable and still not 100%) but how much the data is worth protecting and how much damage could be done if the data is exposed. Depending on that analysis you should check how much effort you can afford and what the most likely attack vectors are. For most of us small to medium size ecommerce vendors not storing credit card information, it is usually pretty low.
Hopefully this makes it a bit clearer.

I would just suggest that you ask specifically of your hosting whether the SSL cert will cover whatever your cart requirements are.

Let's say you have mymaindomain.com and you have it set up to enable a customer to type in www.mymaindomain.com or mymaindomain.com and they both end up in the same place (note most setups already do this). Now if you have your cart set up in a subdomain, store.mymaindomain.com, and you get a cert that covers all of these names, you'll be good to go. There are other solutions, but that's the easiest to handle.
Just ask your host in specifics if the cert covers all of these names, and give them the names.
The rewrites are difficult. Once you get your SSL figured out, you can ask AbanteCart specifically what to do; it's just a couple of lines of code.

Offline DavidLIR

Re: What is the need for HTTPS? I have PayPal Standard acct but may add others
« Reply #10 on: November 24, 2013, 04:50:18 PM »
Lee and Abantecart,

Again very helpful and detailed information. This is the kind of info that would be great to have right in the installation manuals or tutorials. Being a novice at this, I am pleased with the things I have been able to do, and look forward to learning more and more as time goes...

I checked and my hosting company provides SSL that will cover one domain. I had not considered doing an add-on (example.mydomain.com); I have set it up as (mydomain.com/store)..so I am sure that this will be covered by the one domain.

Thanks again,
David
Love is Real....All Else is Illusion

Offline michael m

Re: What is the need for HTTPS? I have PayPal Standard acct but may add others
« Reply #11 on: December 03, 2013, 04:11:10 PM »
Thanks for the education. We are hosted by Arvixe, whose SSL = $25 but also requires a dedicated server at $2.00/mo. The info here seems to encourage signing up for it, but I still wonder a bit.

I turned SSL (shared) on and entered the address Arvixe supplied. Checkout pages function normally but:

1) The URL looks a bit scary, because our name is not part of it, though it does have the lock. Also our logo image (located in an AbanteCart image folder in the http section) disappeared, and I've been unable to configure a URL that could make it show in its block, even when I put the gif in the same default folder with the credit cards that do show (payment.gif) and used the same path to it.

I solved those problems for the time being by putting in a teal colored block with "Images and Things Secure Arvixe Cheetah Server" in it that ties our name to the cheetah.Arvixe SSL URL and imparts an impression of security. Also, our charges are being processed by Authorize.net and PayPal, whose logos will be on the Select Payment page.

2) If you delete the purchases in your cart and you are returned to the "Your shopping cart is empty!" page, the Continue button sends you to our home page, but does it using the base shared SSL URL of that page instead of our domain URL. That results in just the framework of our homepage showing without any images or CSS formatting.

Is there a way to get an image into protected pages from outside them, or would there be a particular folder AbanteCart will be able to identify in which I could put images that would be accessible from protected pages?

3) My main concern is whether or not a certificate warning is thrown up on entering our cart when shared SSL is operative. It does not appear when we go in. Does it appear when you click Add to Cart?

At this point, the thought of solving all these problems is making $49/year extra for a dedicated server and an SSL cert attractive!

Offline llegrand

Re: What is the need for HTTPS? I have PayPal Standard acct but may add others
« Reply #12 on: December 03, 2013, 05:26:46 PM »
In reply to #3: I did not receive any cert notification when going to your site on Firefox, Chrome or IE. So you're probably okay there.

I will tell you that I found your teal colored block more "scary" than a change in the URL. That may just be me. It didn't make enough sense to me, and I thought, "what's the deal here with that notification of a secure server?" Again, just my reaction. Truthfully, I didn't even notice the change in URL :-[

IMO, I would suggest one of three actions:
1. Bite the bullet and go for the $49/yr if you want to put forth the most professional solution.
2. Leave it the way you have it with the shared SSL, and change your teal box to something a bit more informative like "All your purchase activity is on our secure server" or something like that.
3. If your Authorize.net is handling the security (that means you are transferred to their site prior to entering the card number) and you don't want to do suggestion 1 or 2, I would remove the SSL.

Again, this is just my opinion.

PS, the $2.00 a month is not for a dedicated server but for a dedicated IP address.


Offline DavidLIR

Re: What is the need for HTTPS? I have PayPal Standard acct but may add others
« Reply #13 on: December 04, 2013, 12:50:27 AM »
I am finally getting some movement on the SSL setup...they sent me a form to fill out. I am thinking that I would set it up for https://yourdomainname.com rather than https://www.yourdomainname.com; they are saying that I have to choose one or the other for the SSL setup. I am thinking that I can forward the www...... to the other in cPanel....I will try that.

They are also asking: "For third party SSL certificates please include if the CSR needs to be greater than 2048 in size."

I don't know the answer to this question. What is the CSR size that we need for AbanteCart?

Once I have this set up, then I will need help from AbanteCart to set this up for the shopping cart...

Thank you,
David
Love is Real....All Else is Illusion

Offline llegrand

Re: What is the need for HTTPS? I have PayPal Standard acct but may add others
« Reply #14 on: December 04, 2013, 02:00:44 AM »
Yes, the cert treats each as an individual domain: with the www is one, without the www is another. Choose either one you want for your cert; you will be able to redirect or use a rewrite to make it transparent to your visitors.
Clearly, you want visitors to be able to use an SSL connection whether they visit example.com or www.example.com. To enable this functionality, you can use Apache rewrite rules in a custom .htaccess file.

The following lines demonstrate how to redirect visitors who enter a domain name without the www prefix to a secure connection. With these settings enabled on your web site, visitors who go to example.com or www.example.com (where example.com represents your domain) both obtain an SSL connection:
# Enable mod_rewrite processing for this directory.
RewriteEngine on
# Only act on requests that already arrived over HTTPS...
RewriteCond %{HTTPS} on
# ...and whose Host header does not start with "www."
RewriteCond %{HTTP_HOST} !^www\.
# Permanently (301) redirect to the same path on https://www.<host>/
# Note: plain http:// requests do not match the first condition, so they
# are left untouched by this rule and need a separate http-to-https rule.
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L]


A CSR, or Certificate Signing Request, is a block of encrypted text that is generated on the server that the certificate will be used on. It contains information that will be included in your certificate such as your organization name, common name (domain name), locality, and country. It also contains the public key that will be included in your certificate. A private key is usually created at the same time that you create the CSR.

The issuing entity will use a CSR to create your SSL certificate, but it does not need your private key. You need to keep your private key secret. What is a CSR and private key good for if someone else can potentially read your communications? The certificate created with a particular CSR will only work with the private key that was generated with it. So if you lose the private key, the certificate will no longer work.

As to the size: 2048 should be more than adequate. The size here is referring to the amount of encryption offered by the SSL and therefore is your decision for the security level. Here's some info: The bit-length of a CSR and private key pair determines how easily the key can be cracked using brute force methods. A key size of 512 bits is considered weak and could potentially be broken in a few months or less with enough computing power. If a private key is broken, all the connections initiated with it would be exposed to whoever had the key. A bit-length of 1024 is exponentially stronger; however, it is more and more likely to be broken as computing power increases. The Extended Validation guidelines that SSL certificate providers are required to follow require that all EV certificates use a 2048-bit key size to ensure their security well into the future. Because of this, most providers encourage 2048-bit keys on all certificates, whether they are EV or not.

Hope this helps.
Lee
« Last Edit: December 04, 2013, 08:19:00 AM by llegrand »
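As an added example that is not part of this thread or of AbanteCart, the shell script below carries out the two points Lee raises above in Replies #6 and #14: it generates a 2048-bit RSA private key and a CSR that lists both the bare domain and the www host as Subject Alternative Names (the two names a certificate treats as distinct), then checks the key size and that the CSR's public key belongs to the private key. It assumes the openssl command-line tool is installed; example.com and the organisation name are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): build a 2048-bit key and a CSR that
# covers example.com and www.example.com, then verify both artefacts.
# Assumes the openssl CLI is available; example.com is a placeholder.
set -e

# Work in a scratch directory; the files are left there for inspection.
WORK="${TMPDIR:-/tmp}/csr-demo.$$"
mkdir -p "$WORK"

# openssl request config: the CSR gets a SAN extension naming both hosts,
# so one certificate can serve the www and no-www forms of the domain.
write_req_config() {
  cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = example.com
O = Example Store
C = US
[v3_req]
subjectAltName = DNS:example.com, DNS:www.example.com
EOF
}

# Generate the private key (stays on the server, never sent to the CA)
# and the CSR (what the CA is given to sign).
make_key_and_csr() {
  write_req_config
  openssl genrsa -out "$WORK/store.key" 2048 2>/dev/null
  chmod 600 "$WORK/store.key"
  openssl req -new -key "$WORK/store.key" -config "$WORK/req.cnf" \
    -out "$WORK/store.csr"
}

# Report the RSA modulus size in bits, read back from the private key.
key_bits() {
  openssl rsa -in "$WORK/store.key" -noout -text 2>/dev/null | \
    sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# List the DNS names the CSR requests, one per line.
csr_dns_names() {
  openssl req -in "$WORK/store.csr" -noout -text | \
    grep -o 'DNS:[^,]*' | sed 's/DNS://'
}

# A certificate issued from this CSR only works with this private key, so
# confirm the CSR's embedded public key is derived from it.
key_matches_csr() {
  k=$(openssl rsa -in "$WORK/store.key" -pubout 2>/dev/null)
  c=$(openssl req -in "$WORK/store.csr" -pubkey -noout)
  [ "$k" = "$c" ]
}

make_key_and_csr
echo "key size: $(key_bits) bits"
echo "names in CSR:"
csr_dns_names
key_matches_csr && echo "CSR public key matches private key"
```

If the hosting form asks whether the CSR must be "greater than 2048", the `key_bits` check is the quick way to confirm what was actually generated.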