AbanteCart Community

Shopping Cart Operations => Security => Topic started by: DavidLIR on November 19, 2013, 04:43:46 PM

Title: What is the need for HTTPS? I have PayPal Standard acct but may add others
Post by: DavidLIR on November 19, 2013, 04:43:46 PM
Do I need to have HTTPS activated on my domain?  It will cost me $30/ year with my hosting package.  I have PayPal standard account and I know that they process all the card information, however there is personal information on the personal account pages where individuals sign in for my store.  Is this information already secure or do I need to have https in order to have that be secure for my customers?

Can someone please enlighten me on this question?

Thank you,
Davd
Title: Re: What is the need for HTTPS? I have PayPal Standard acct but may add others
Post by: abantecart on November 20, 2013, 08:23:02 PM
It is recommended to have HTTPS if you operate with customers personal information. You can find rapidssl certificate for about $10 per year
Title: Re: What is the need for HTTPS? I have PayPal Standard acct but may add others
Post by: DavidLIR on November 20, 2013, 11:10:37 PM
Abantecart,

Thank you for the reply.  I have tried to find the answer to this question...perhaps you know.  I have AbanteCart cart installed on an add-on domain.  would I install the ssl certificate on the main domain...and then it would apply to all the domains under it? Or, would it only apply to one domain...I believe if I do it through my domain hosting plan it applies to all the domains.

Thank you ,
I appreciate any help with this.\
David
Title: Re: What is the need for HTTPS? I have PayPal Standard acct but may add others
Post by: llegrand on November 21, 2013, 09:57:21 AM
Hi David LIR, 

Let me added my opinion to this and it does vary from Abantecart's.  But after more than a decade of running online sites for ecommerce, directories, blogs, and content management  I have developed from guidelines for my operation that seem to work.

In my opinion you only need a real SSL  when you are capturing and/or keeping credit card or bank account info on YOUR server.   If you are passing transactional information to PayPal or some other gateway BEFORE the customer has to input the credit card information  then you don't need to have SSL on your site.

If you are only storing your customers name/address/phone  these pieces of information are easily found in many, many places and don't require SSL in my opinion

In addition to the increased cost of having the SSL,  there is a cost in the delivery speed of your site pages also.
Here's a link to an good article that explains it better.

http://support.exware.com/ssl.html (http://)

You will need to check with your hosting -  but a shared SSL usually doesn't provide enough protection for running the PCI for the credit card processing. 

But I do often used the shared SSL (or a self-signed certificate) for the email portion of my sites.  In my experience shared ssl or self-signed certs do not show on your public links - that means they don't need the https for the URL.
 The shared SSL certificate is intended to be used in situations where you wish to have a secure connection to the server that is not typically seen by the general public.  For example, when logging into the administration area of your website.
 Shared SSL is not recommended for e-commerce sites, because customers expect to see your domain in the URL.  And if you attempt to use your domain name with the shared certificate, it is not guaranteed to work. Even if visitors can see your site, the shared SSL warnings  will make customers uncomfortable submitting their credit card information through your website
In summation -  if you determine you do need a SSL for your customers "peace of mind"  you will need to use a private SSL rather than a shared one.
Lee

Title: Re: What is the need for HTTPS? I have PayPal Standard acct but may add others
Post by: DavidLIR on November 21, 2013, 05:05:25 PM
Very useful information, Lee, Thank you.  Looks like we would not need the ssl at this time because all the 'sensitive information' is being collected on PayPal Site....

David
Title: Re: What is the need for HTTPS? I have PayPal Standard acct but may add others
Post by: DavidLIR on November 22, 2013, 09:14:10 PM
Lee,
After considering the information.  We feel it would be helpful for the customers peace of mind to have the ssl certificate...to show the little lock on the page when they are setting up an account on our website...

Is there a way to set up this so that it is only secured on the login, account, checkout, pages....but not on the general open pages?

Also I noticed that in the extensions there is a 'encryption_data_manager' extension...with a warning that it cannot be uninstalled once installed....I can get the ssl from the site abantecart suggested for $10.00 as he said...however I would like to have some info on what to do before starting with that....and do we use the above extension as part of this set up...

Thank you,

David   
Title: Re: What is the need for HTTPS? I have PayPal Standard acct but may add others
Post by: llegrand on November 22, 2013, 11:34:04 PM
David,

First - I believe the encryption data manager from Abantecart is a standalone data encryption.  This note in the documentation is pretty straightforward.
NOTE: Do not confuse SSL data encryption with signed SSL certificates (HTTPS) used for browser access to sites

Next - things that you might not know:

An SSL Certificate is purchased for the entire domain name (be sure you're getting one that works for both www.  and no www on your domain as most sites work now either way or set up redirects to handle it.  But to a SSL cert www.mydomain.com and mydomain.com are two different names.  And if you are running in a subdomain  that is a standalone name, or you can buy a wildcard cert for mydomain.com and it will cover no www,  www, and all subdomains on mydomain.com

Also you must have a dedicated IP address for your domain - if you are on a hosted account,  you can usually obtain a dedicated IP address for a couple of bucks a month more.

Next, in most cases you can control the pages or sections of your site having some under http://  and others under https://.  This is usually done via .htaccess and rewrites.  I am unsure how this would need to be engaged within Abantecart as I haven't done it. 

Unless you are quite comfortable with adding things and solving any server setup issue -  I would suggest to see what your hosting provider is offering for SSL, and most importantly if they will install it.  The other question is to see what they will charge to install a cert they didn't sell,  or if they will do that.

I don't like doing things to my server personally so I either use a managed server box (which is what I am testing Abantecart on),  or on self-managed servers I use a server admin service.  In either configuration  I just let those guys install my certs and attend to my annual renewal updates. My feeling is they know the server side and I don't,  so I let them attend to it. 

The certificate cost is an annual fee,  not a one-time fee  and most certs issue a new key when you renew -  that key has to be changed in your server information for your cert to continue to work correctly.  It's just maintenance,  not hard,  but has to be done or customers get scary warnings when things are out of sync.  Since it is once a year,  it sometimes get overlooked, or you can purchase for extended periods of time (multiple years).

For me since the setup of the keys, is critical and it comes so infrequently  I always have someone else do it for me. As I tend to forget some important step when it comes up.  Once you get the rewrites setup - and Abantecart can direct you there,  that won't need attention.

I hope this provided a bit more clarity rather than a bit more confusion.

Lee












Title: Re: What is the need for HTTPS? I have PayPal Standard acct but may add others
Post by: abantecart on November 23, 2013, 10:07:05 AM
Thanks llegrand for your detailed explanation 
Title: Re: What is the need for HTTPS? I have PayPal Standard acct but may add others
Post by: DavidLIR on November 23, 2013, 01:36:29 PM
Lee, and Abantecart,

Thanks for the great information.  It sounds like you may be saying that it would be better or at least easier to just have the hosting provider do the ssl install....I checked and they said it would be for the entire domain I have which if I understand correctly would include the add-on domains..since they are under the main domain in the directory...I have webhostingpad for my hosting...  I am asking about the dedicated IP...perhaps that is already a part of what they do...I have found them to be a reliable hosting company so far...

Still not sure I understand the need of  the data encryption manager that is on abantecart, vs/ and/or the ssl package that I would get say from my hosting company...do I need both???   Or for the basics that I am doing will the ssl cover what I need?

Thanks again,
You both have been so helpful

David

I would need help with how to do .htaccess and rewrites...
Title: Re: What is the need for HTTPS? I have PayPal Standard acct but may add others
Post by: llegrand on November 23, 2013, 04:33:44 PM
This is going to be a longer answer than you expected -  but I believe knowledge is power -  at least a path to understanding to help make a good decision. 8)

 Encryption manager that is on Abantecart is server side encryption.  The data on the server is encrypted, not the transmission of the data.  I have not explored the functionality of Abantecart Data encryption.  Encrypting the data is not a level of security that I think I need in my cart operations as I pass communication of critical info to the payment gateway servers. 
SSL is client side encryption – the data is transmitted over an encrypted connection.
This will be a very simplistic explanation but I think it will help clarify the process for you hopefully. Hope you’re familiar with the old Buck Rogers decoder ring – encryption is like that.  Both ends of a message have the same set of instructions.  If you’re not privy to the specific set of instructions understanding the message won’t be easy (not impossible).
Now think of a cord being plugged into a receptacle – one must align prongs with the holes in order to obtain connection – that’s the SL (socket layer) of SSL.  The first S is for Secure and that’s the encryption part.
So the SSL (secure socket layer) means that a user someplace is connecting to your server over a “cord” that is aligned (plugged in) and both ends has the decoder ring instructions.  The intent is to make it more difficult for someone “listening in” to understand the conversation because they don’t have the decoder ring instructions.  Now there are various levels of encryptions – I am sure you’ve seen 256 and 428 expressed.  That refers to the bits of encryption level sand the more levels, more difficult to “break the code” More difficult not impossible.
That’s SSL in a very basic description.   Remember SSL is a conversation that takes place to your server and the files are placed in a directory on your server in a location that requires the decoder key. 
I would not think that a standard cart would ever need both of these.  Of the two SSL makes more sense in that you are concerned about customer perceptions of security.
I think the question is not to ask how 100% security would look like (it would unusable and still not 100%) but how much the data is worth to protect and how much damage could be done if the data is exposed. Depending on that analysis you should check how much effort you can afford and what the most likely attack vectors are.  For most of us small-medium size ecommerce vendors not storing credit card information it is usually pretty low.
Hopefully this makes it a bit clearer. 

I would just suggest that you ask specially of your hosting if the SSL cert will cover whatever you cart requirements are. 

Let's say you have mymaindomain.com   and you have it setup to enable a customer to type in www.mymaindomain.com or mymaindomain.com  and they both end up in the same place  (note most setups already so this)   Now if you have your cart setup in a subdomain -  store.mymandomain.com  if you get a cert that covers all of these names you'll be good to go.  There are other solutions,  but that's the easiest to handle.
Just ask you host in specifics if the cert covers all of these names - and give them the names.   
The rewrites are difficult - once you get your SSL figured out,  you can ask Abantecart specifically what to do - it's just a couple of lines of code.
Title: Re: What is the need for HTTPS? I have PayPal Standard acct but may add others
Post by: DavidLIR on November 24, 2013, 04:50:18 PM
Lee and Abantecart,

Again very helpful and detailed infromation.  This is the kind of info that would be great to be right in the installation manuals or tutorials.  Being a novice at this I am pleased with the things I have been able to do, and look forward to learning more and more as time goes...

I checked and my hosting company provides ssl that will cover one domain.  I had not considered to do an add on (example.mydomain.com) I have set it up as (mydomain.com/store)..so I am sure that this will be covered by the one domain.

Thanks again,
David
Title: Re: What is the need for HTTPS? I have PayPal Standard acct but may add others
Post by: michael m on December 03, 2013, 04:11:10 PM
Thanks for the education. We are hosted by Arvixe whose SSL = $25 but also requires a dedicated server $2.00/mo. The info here seems to encourage signing up for it but I still wonder a bit.

I turned SSL (shared) on and entered the address Arvixe supplied. Checkout pages function normally but:

1) the url looks a bit scary, because our name is not part of it, though it does have the lock. Also our logo image (located in an AbanteCart image folder in the http section) disappeared, and I've been unable to configure a url that could make it show in its block even when I put the gif in the same default folder with the credit cards that do show (payment.gif) and used the same path to it.

I solved those problems for the time being by putting in a teal colored block with "Images and Things Secure Arvixe Cheetah Server" in it that ties our name to the cheetah.Arvixe ssl url and imparts an impression of security. Also, our charges are being processed by Authorize.net and PayPal whose logos will be on the Select Payment page.

2) If you delete the purchases in your cart and you are returned to the "Your shopping cart is empty!" page, the Continue button sends you to our home page, but does it using the base shared ssl url of that page instead of our domain url. That results in just the framework of our homepage showing without any images or css formatting.

Is there a way to get an image into protected pages from outside them or would there be a particular folder AbanteCart will be able to identify in which I would put  images that would be accessible from protected pages?

3) My main concern is whether or not a certificate warning is thrown up on entering our cart when shared SSL is operative. It does not appear when we go in. Does it appear when you click Add to Cart?

At this point, the thought of solving all these problems is making $49/year extra for a dedicated server and an SSL cert attractive!
Title: Re: What is the need for HTTPS? I have PayPal Standard acct but may add others
Post by: llegrand on December 03, 2013, 05:26:46 PM
In reply to #3 -  I did not receive any cert notification when going to your site  on Firefox, Chrome or IE.  So you're probably okay there.

I will tell you that I found your teal colored block more "scary" than a change in the url.  That may just be me.  It didn't make enough sense to me, and I thought - what's the deal here with that notification of a secure server?"  Again just my reaction.  Truthfully,  I didn't even notice the change in url  :-[

IMO,  I would suggest one of three actions:
1.  Bite the bullet and go for the $49/yr if you want to put forth the most professional solution.
2.  Leave it the way you have it with the shared SSL, and change your teal box to something a bit more informative like "All your purchase activity is on our secure server"  or something like that.
3.  If your Authorize.net is handling the security (that means you are transferred to their site prior to entering the card number) and you don't want to do suggestion 1 or 2,  it would remove the SSL

Again,  this is just my opinion -

PS,  The $2.00 a month is not for a dedicated server but for a dedicated IP address. 

Title: Re: What is the need for HTTPS? I have PayPal Standard acct but may add others
Post by: DavidLIR on December 04, 2013, 12:50:27 AM

  I am finally getting some movement on the SSL setup...they sent me a form to fill out.  I am thinking that I would set it up for https://yourdomainname.com rather than https://www.yourdomainname.com they are saying that I have to choose one or the other for the ssl setup.  I am thinking that I can forward the www...... to the other in the c-panel....I will try that. 

They are also asking:          For third party SSL certificates please include if the CSR needs to be greater than 2048 in size.

I don't know the answer to this question.  what is the CSR size that we need for abantecart?

Once I have this set up then I will need help from abantecart to set this up for the shopping cart...

Thank you,
David
Title: Re: What is the need for HTTPS? I have PayPal Standard acct but may add others
Post by: llegrand on December 04, 2013, 02:00:44 AM
Yes, the cert treats each as individual domains - with the www  is one,  without the www is another. Choose either one you want for your cert, you will be able to redirect or use rewrite to take make it transparent to your visitors.
 Clearly, you want visitors to be able to use an SSL connection whether they visit example.com or www.example.com (http://www.example.com). To enable this functionality, you can use Apache rewrite rules in a custom .htaccess file. 

 The following lines demonstrate how to redirect visitors who enter a domain name without the www prefix to a secure connection. With these settings enabled on your web site, visitors who go to example.com or www.example.com (http://www.example.com) (where example.com represents your domain) both obtain an SSL connection:
RewriteEngine on
RewriteCond %{HTTPS} on
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ https://www (https://www).%{HTTP_HOST}/$1 [R=301,L]


A CSR or Certificate Signing request is a block of encrypted text that is generated on the server that the certificate will be used on. It contains information that will be included in your certificate such as your organization name, common name (domain name), locality, and country. It also contains the public key that will be included in your certificate. A private key is usually created at the same time that you create the CSR.

The issuing entity will use a CSR to create your SSL certificate, but it does not need your private key. You need to keep your private key secret. What is a CSR and private key good for if someone else can potentially read your communications? The certificate created with a particular CSR will only work with the private key that was generated with it. So if you lose the private key, the certificate will no longer work.

As to the size - 2048 should be more than adequate - the size here is referring to the amount of encryption offered by the
SSL and therefore is your decision for the security level - here's some info: The bit-length of a CSR and private key pair determine how easily the key can be cracked using brute force methods. A key size of 512 bits is considered weak and could potentially be broken in a few months or less with enough computing power. If a private key is broken, all the connections initiated with it would be exposed to whomever had the key. A bit-length of 1024 is exponentially stronger, however, it is more and more likely to be broken as computing power increases. The Extended Validation guidelines that SSL certificate providers are required to follow require that all EV  certificates use a 2048-bit key size to ensure their security well into  the future. Because of this, most providers encourage 2048-bit keys on  all certificates whether they are EV or not.

Hope this helps.
Lee
Title: Re: What is the need for HTTPS? I have PayPal Standard acct but may add others
Post by: DavidLIR on December 08, 2013, 04:14:37 PM
abantecart or anyone!,

I am still having problems with the ssl set up on my site..

I have had several posts up about it...but no resolution yet... :'(

It may be something simple so I thought i would start with a couple questions.

  1)    In the System/settings/details page there are two spots to put the store url
Store url:     and Secure Store url:

when using the ssl should both of those have the https://mysite.com....or does the first one have http://...  ???
I have changed them to both https://.... and I believe it works better...but I don't know what it should be set to...

  2)   the .htaccess file for setting up the forwards....I want to set up the site so that customers could get to the store with any of the possible ways of typing in the name(my store is located at loveisreal-beleive.com/store)....ie.. loveisreal-believe.com; www.loveisreal-believe.com; http://loveisreal-believe.com; Sooooo do I need to have rewrites for this in the .htaccess that is under /store...Or do I need rewrites that are directly under the loveisreal-believe htaccess?

  3)   and just to add another question...perhaps there is another way to set up the ssl entirely???  It occurs to me that perhaps I could set up the ssl certs directly on the loveisreal-believe.com/store...then I could forward the root domain to the store? perhaps this would solve the problem I am having...

here is the problem...when I try to reach the website/store I get an error of not found....even though others say they are getting in...If I am having problems then others may as well...I have cleared the cache on abantecart...and on my browser...still problem getting in...my webhosting found a problem with the ip having one for my account and one for the ssl...so they supposedly fixed this...still not getting in....unless I type the whole thing....https://loveisreal-believe....etc.

obviously something is not set up right...I would sure appreciate some help with this...or any part of it...

Thanks all,
David
Title: Re: What is the need for HTTPS? I have PayPal Standard acct but may add others
Post by: buddahboy on December 08, 2013, 06:46:08 PM
Hello David - I went to your site http://www.loveisreal-believe.com/store/ and also http://loveisreal-believe.com/store/ accessed it fine.  Went to login and then create account and it switched over to https as intended to.  As you explain there is not anything in root of that domain.  I am not well versed in the use of .htaccess so what I've done is put an index.html in root with a meta refresh forwarding tag set to 0 or 1 seconds and forward it to the store directory. 

I attach a screenshot of how I set up the URLs as described in the instructions near the input fields

Is your shop populated with products?  I click on the gift certificate image and I get to that category but when clicking on any of the images there for certs I get a 404 - also get 404 on almost all of the links located in the side menu so don't know if that is because those pages don't exist or some other issue. 

Looks like the ssl is doing what it's supposed to though.  Sorry if this doesn't help you much but it's all I got my friend. 

All the best
Ron
Title: Re: What is the need for HTTPS? I have PayPal Standard acct but may add others
Post by: DavidLIR on December 08, 2013, 07:23:39 PM
Ron,
Thanks,
Yes everything was working perfectly until I set up the ssl...now it just does all kinds of crazy things....I personally can only get in with firefox...but IE or chrome no go...

I'm about ready to give up on the ssl...but I'm sure customers will appreciate it...

by the way, I checked out your site.  very nice...  Now, your site is working exactly how I want mine to work...the main site is just http and the cart changes to https.

can you tell me how you have your website configured....It seems like there is something that is set up wrong....Now, when you went into my site...it goes directlly to the ssl doesn't it? showing https:// because that is how I get it...

Thanks for your help...

David
Title: Re: What is the need for HTTPS? I have PayPal Standard acct but may add others
Post by: buddahboy on December 08, 2013, 08:01:37 PM
Hi David - when I went to your site I used the http:// protocol with and without the www and I got your store but not with an https://  -  that only came on when I went to create an account, as it should.  Did you install the cert on the root domain? 

So you say that your store was populated and now can't get to products?  If so maybe try turning off SEO URLs - system > system > settings   and see if that is the problem. 

I accessed your site with Chrome and Firefox using the same methods described above.  When I clicked on "Login" then under "I am a new customer" clicked "continue" and at that point the SSL began functioning so it seems to be okay - think you may have a different problem as the pages with SEO names, like About Us for example, get 404s - I don't know how the htaccess you have in the directory is written you may want to rename it to something not relevant and test it with and without SEO URLs

Thanks for the compliment on the shop, I was fortunate to find AbanteCart through my Softolicious and I really love it.  The default color was actually what I was going to use anyway, how cool is that.  I find the shop very user friendly, elegant and well developed and I am very happy with it. 

Good luck with your issue, I'm sure it is something simple - it is always some small thing, right? 

All the best David
Ron
Title: Re: What is the need for HTTPS? I have PayPal Standard acct but may add others
Post by: abolabo on December 10, 2013, 05:33:59 AM
Ron,
Thanks,
Yes everything was working perfectly until I set up the ssl...now it just does all kinds of crazy things....I personally can only get in with firefox...but IE or chrome no go...

I'm about ready to give up on the ssl...but I'm sure customers will appreciate it...

by the way, I checked out your site.  very nice...  Now, your site is working exactly how I want mine to work...the main site is just http and the cart changes to https.

can you tell me how you have your website configured....It seems like there is something that is set up wrong....Now, when you went into my site...it goes directlly to the ssl doesn't it? showing https:// because that is how I get it...

Thanks for your help...

David

when i try to open your site via ssl in Firefox i got warning:  ssl_error_bad_cert_domain
I think you should to ask domain registrar tech support.
It's not AbanteCart related issue.


Title: Re: What is the need for HTTPS? I have PayPal Standard acct but may add others
Post by: junkyard on December 10, 2013, 12:12:24 PM
We do see your GeoTrust cert in blue alright (Firefox), if we enter it as https://domain.com   and   https://domain.com/store
But like Abolabo said,  if we do it with WWW. - https://www.domain.com - we get invalid security certificate error
because your certificate was purchased only for domain.com, not for www.domain.com   (screenshot)  which is a different domain name.

Since WWW. part  in the certs is checked by the Browser's side (FF being more liberal, IE and Chrome are worse), you will continue to have this error,
unless:

1. you get in touch with Geotrust and request to include the WWW. part. Geotrust was known to have been bundling the www. with non www. versions of their RapidSSLs since long:   http://www.webhostingtalk.com/showthread.php?t=937549

2. or, you may try redirecting all https://www.domain.com to https://domain.com  (instead of just using CNAME dns record) -- by using the standard Redirect
functionality in your cpanel. There you may even add HTTP->HTTPS default redirect for the whole domain, because currently users can also access it as http://domain.com

Messing around the .htaccess may bring all kinds of issues so is not recommended, unless you yourself are comfortable with it.
But to be blunt about it,  the SSL  (with all the hype around it)  isn't worth the trouble you are going through.
Title: Re: What is the need for HTTPS? I have PayPal Standard acct but may add others
Post by: DavidLIR on December 11, 2013, 11:57:08 AM
Abolabo, Junkyard,

I appreciate your helpful suggestions...Could you check again and see if you are still finding errors?  I believe things are fixed now as there were some errors on the hosting side...I am not getting the error on firefox that you mentioned (junkyard) I believe I have solved that by forwarding both site and www.site to site/store. 

I am mainly concerned that customers can get to the store by way of loveisreal-believe.com ,   they should see http:// for the main store and when they go to cart or set up account they will see https://

Great site, I appreciate all you folks do!

David
Title: Re: What is the need for HTTPS? I have PayPal Standard acct but may add others
Post by: abolabo on December 11, 2013, 01:59:24 PM
Abolabo, Junkyard,

I appreciate your helpful suggestions...Could you check again and see if you are still finding errors?  I believe things are fixed now as there were some errors on the hosting side...I am not getting the error on firefox that you mentioned (junkyard) I believe I have solved that by forwarding both site and www.site to site/store. 

I am mainly concerned that customers can get to the store by way of loveisreal-believe.com ,   they should see http:// for the main store and when they go to cart or set up account they will see https://

Great site, I appreciate all you folks do!

David


nope... still ssl warning for url https://www.loveisreal-believe.com/
Title: Re: What is the need for HTTPS? I have PayPal Standard acct but may add others
Post by: DavidLIR on December 11, 2013, 02:41:19 PM
Abolabo,
Ok,  but the only way you get to this warning is if you type out the full ssl address with www.

https://www.loveisreal-believe.com/

Am I correct? I can find out if there is a way to forward the https to http...my c-panel does not allow to add the s after the http of the domain to be forwarded..I can only add it to the fwd to domain.  I just want to be sure that it doesn't create a loop with what is already there as it is finally working the way it is supposed to for the store...Is there any reason the average customer would receive an alert of bad domain?  if you put in www.loveisreal-believe.com it forwards to the correct site.  Appreciate your thoughts on this.

Thank you,
David

Title: Re: What is the need for HTTPS? I have PayPal Standard acct but may add others
Post by: abolabo on December 12, 2013, 05:02:40 AM
can you regenerate ssl-certificate with CN (common name) www.loveisreal-believe.com instead loveisreal-believe.com?
Did you tried?
i think CN with www will cover domain.
Title: Re: What is the need for HTTPS? I have PayPal Standard acct but may add others
Post by: DavidLIR on December 12, 2013, 10:12:18 AM
Abolabo,

My hosting is providing the ssl cert which I have already paid for...it covers only with www. or without- not both
my perception is the folks on the internet are moving to without www. domains... for easier access, so I set it up for without www. for the ssl cert...

perhaps the other question I just pm you will cover this as well.

David
Title: Re: What is the need for HTTPS? I have PayPal Standard acct but may add others
Post by: abolabo on December 12, 2013, 11:23:22 AM
it's very strange situation...
if you have wildcard certificate and CN without www  your certificate must to cover all your subdomains (incl. www.).
Try to ask your hosting provider support. May be you should to add point as prefix to CN. who knows :-\
Title: Re: What is the need for HTTPS? I have PayPal Standard acct but may add others
Post by: DavidLIR on December 12, 2013, 11:28:50 AM
the cert is not supposed to be wildcard cert...but they have set up a wildcard in forward...is this what you refer to?
Title: Re: What is the need for HTTPS? I have PayPal Standard acct but may add others
Post by: llegrand on December 12, 2013, 11:54:08 AM
David,

Most certs come with a 30 day money back guarantee.  You might check and see if yours did.  I know RapidSSL do.

As an additional thought - Abantecart can he turn of the SSL switch within the cart without further conflicts?  That way he could get the redirects in sync and test for the the home tab issue.

My thoughts are there are too many pieces here that aren't set up correctly yet, and stepping back to a basic setup and getting that working would be a good thing.

Lee