Shopping Cart Operations > Security

What is the need for HTTPS? I have PayPal Standard acct but may add others


DavidLIR:
Lee,
After considering the information, we feel it would be helpful for the customers' peace of mind to have the SSL certificate... to show the little lock on the page when they are setting up an account on our website...

Is there a way to set this up so that it is only secured on the login, account, and checkout pages... but not on the general open pages?

Also I noticed that in the extensions there is an 'encryption_data_manager' extension... with a warning that it cannot be uninstalled once installed... I can get the SSL from the site abantecart suggested for $10.00 as he said... however I would like to have some info on what to do before starting with that... and do we use the above extension as part of this set up...

Thank you,

David   

llegrand:
David,

First - I believe the encryption data manager from Abantecart is a standalone data encryption.  This note in the documentation is pretty straightforward.
NOTE: Do not confuse SSL data encryption with signed SSL certificates (HTTPS) used for browser access to sites

Next - things that you might not know:

An SSL certificate is purchased for the entire domain name (be sure you're getting one that works for both www. and no-www on your domain, as most sites now work either way or set up redirects to handle it). But to an SSL cert, www.mydomain.com and mydomain.com are two different names. And if you are running in a subdomain, that is a standalone name, or you can buy a wildcard cert for mydomain.com and it will cover no-www, www, and all subdomains on mydomain.com.

Also you must have a dedicated IP address for your domain - if you are on a hosted account,  you can usually obtain a dedicated IP address for a couple of bucks a month more.

Next, in most cases you can control the pages or sections of your site having some under http://  and others under https://.  This is usually done via .htaccess and rewrites.  I am unsure how this would need to be engaged within Abantecart as I haven't done it. 

Unless you are quite comfortable with adding things and solving any server setup issue -  I would suggest to see what your hosting provider is offering for SSL, and most importantly if they will install it.  The other question is to see what they will charge to install a cert they didn't sell,  or if they will do that.

I don't like doing things to my server personally so I either use a managed server box (which is what I am testing Abantecart on),  or on self-managed servers I use a server admin service.  In either configuration  I just let those guys install my certs and attend to my annual renewal updates. My feeling is they know the server side and I don't,  so I let them attend to it. 

The certificate cost is an annual fee, not a one-time fee, and most certs issue a new key when you renew - that key has to be changed in your server information for your cert to continue to work correctly.  It's just maintenance, not hard, but it has to be done or customers get scary warnings when things are out of sync.  Since it is once a year, it sometimes gets overlooked, or you can purchase for extended periods of time (multiple years).

For me, since the setup of the keys is critical and it comes so infrequently, I always have someone else do it for me, as I tend to forget some important step when it comes up.  Once you get the rewrites set up - and Abantecart can direct you there - that won't need attention.

I hope this provided a bit more clarity rather than a bit more confusion.

Lee
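The two checks Lee describes above (does the cert name every hostname the shop answers on, and how long until the annual renewal is due) as an added Python example; this is not code from the thread or from AbanteCart. It works on the dictionary that Python's `ssl` module returns from `getpeercert()`, so it can also be pointed at a live site, and the certificates and hostnames embedded below are constructed sample data. Name matching follows the browser rule: a wildcard may only be the whole leftmost label and matches exactly one label, so `*.mydomain.com` covers `store.mydomain.com` and `www.mydomain.com` but not the bare `mydomain.com`, which CAs normally add as a separate name on a wildcard cert.

```python
"""Check whether a certificate covers a store's hostnames and how many days
it has left before renewal.  Added example; all sample data is constructed.

Operates on the dict that ssl.SSLSocket.getpeercert() returns, e.g.
{'subject': ((('commonName', 'www.mydomain.com'),),),
 'subjectAltName': (('DNS', 'www.mydomain.com'), ('DNS', 'mydomain.com')),
 'notAfter': 'Mar  1 00:00:00 2026 GMT', ...}
"""
from __future__ import annotations

import socket
import ssl
import time


def name_matches(san_name: str, hostname: str) -> bool:
    """RFC 6125-style DNS name match, the way browsers do it.

    Case-insensitive; a wildcard is only allowed as the entire leftmost label
    and matches exactly one label: '*.mydomain.com' matches
    'store.mydomain.com' but not 'mydomain.com' or 'a.b.mydomain.com'.
    """
    san = san_name.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if san == host:
        return True
    if not san.startswith("*.") or "*" in san[2:]:
        return False
    suffix = san[2:]
    if "." not in suffix:
        return False  # '*.com' would match every domain under .com; reject it
    first, _, rest = host.partition(".")
    return bool(first) and rest == suffix


def dns_names(cert: dict) -> list[str]:
    """DNS names the certificate is valid for: the subjectAltName entries, or
    the subject CN only when there is no SAN extension at all (browsers ignore
    the CN once SANs are present)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    return [value for rdn in cert.get("subject", ()) for kind, value in rdn
            if kind == "commonName"]


def uncovered_hosts(cert: dict, hostnames: list[str]) -> list[str]:
    """Hostnames that no name on the certificate matches (each one would give
    visitors a certificate warning)."""
    names = dns_names(cert)
    return [h for h in hostnames if not any(name_matches(n, h) for n in names)]


def days_until_expiry(cert: dict, now_seconds: float | None = None) -> int:
    """Whole days left on the certificate; negative once it has expired."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now_seconds is None else now_seconds
    return int((expires - now) // 86400)


def fetch_cert(host: str, port: int = 443) -> dict:
    """Fetch the certificate a live server presents for `host` (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample data: the names a typical store answers on, and three
# certificates with different name coverage.
STORE_HOSTS = ["mydomain.com", "www.mydomain.com", "store.mydomain.com"]

SINGLE_NAME_CERT = {
    "subject": ((("commonName", "www.mydomain.com"),),),
    "subjectAltName": (("DNS", "www.mydomain.com"), ("DNS", "mydomain.com")),
    "notAfter": "Mar  1 00:00:00 2026 GMT",
}
WILDCARD_ONLY_CERT = {
    "subject": ((("commonName", "*.mydomain.com"),),),
    "subjectAltName": (("DNS", "*.mydomain.com"),),
    "notAfter": "Mar  1 00:00:00 2026 GMT",
}
WILDCARD_PLUS_APEX_CERT = {
    "subject": ((("commonName", "*.mydomain.com"),),),
    "subjectAltName": (("DNS", "*.mydomain.com"), ("DNS", "mydomain.com")),
    "notAfter": "Mar  1 00:00:00 2026 GMT",
}


def report(cert: dict, hostnames: list[str], now_seconds: float | None = None) -> str:
    """Human-readable summary of name coverage and time to renewal."""
    missing = uncovered_hosts(cert, hostnames)
    days = days_until_expiry(cert, now_seconds)
    return "\n".join([
        f"names on cert: {', '.join(dns_names(cert))}",
        f"not covered:   {', '.join(missing) or 'none'}",
        f"expires in:    {days} days" + ("  <-- renew now" if days < 30 else ""),
    ])


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # python cert_check.py www.mydomain.com mydomain.com
        print(report(fetch_cert(sys.argv[1]), sys.argv[1:]))
    else:
        for label, cert in [("single-name", SINGLE_NAME_CERT),
                            ("wildcard only", WILDCARD_ONLY_CERT),
                            ("wildcard + apex", WILDCARD_PLUS_APEX_CERT)]:
            print(f"== {label} ==\n{report(cert, STORE_HOSTS)}\n")
```

Run it with no arguments to see the three constructed cases, or pass the hostnames the shop uses (the first one is connected to) to check the cert the host actually installed; the "wildcard only" case is the one to look for when the order confirmation only lists `*.mydomain.com`.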

abantecart:
Thanks llegrand for your detailed explanation 

DavidLIR:
Lee, and Abantecart,

Thanks for the great information.  It sounds like you may be saying that it would be better, or at least easier, to just have the hosting provider do the SSL install... I checked and they said it would be for the entire domain I have, which if I understand correctly would include the add-on domains, since they are under the main domain in the directory... I have webhostingpad for my hosting... I am asking about the dedicated IP... perhaps that is already a part of what they do... I have found them to be a reliable hosting company so far...

Still not sure I understand the need for the data encryption manager that is on abantecart vs. and/or the SSL package that I would get, say, from my hosting company... do I need both???   Or for the basics that I am doing, will the SSL cover what I need?

Thanks again,
You both have been so helpful

David

I would need help with how to do .htaccess and rewrites...

llegrand:
This is going to be a longer answer than you expected -  but I believe knowledge is power -  at least a path to understanding to help make a good decision. 8)

The encryption manager that is on Abantecart is server-side encryption.  The data on the server is encrypted, not the transmission of the data.  I have not explored the functionality of Abantecart data encryption.  Encrypting the data is not a level of security that I think I need in my cart operations, as I pass communication of critical info to the payment gateway servers. 
SSL is client-side encryption – the data is transmitted over an encrypted connection.
This will be a very simplistic explanation but I think it will help clarify the process for you hopefully. Hope you’re familiar with the old Buck Rogers decoder ring – encryption is like that.  Both ends of a message have the same set of instructions.  If you’re not privy to the specific set of instructions understanding the message won’t be easy (not impossible).
Now think of a cord being plugged into a receptacle – one must align prongs with the holes in order to obtain connection – that’s the SL (socket layer) of SSL.  The first S is for Secure and that’s the encryption part.
So the SSL (secure socket layer) means that a user someplace is connecting to your server over a “cord” that is aligned (plugged in) and both ends have the decoder ring instructions.  The intent is to make it more difficult for someone “listening in” to understand the conversation because they don’t have the decoder ring instructions.  Now there are various levels of encryption – I am sure you’ve seen 256 and 428 expressed.  That refers to the bits of encryption level, and the more levels, the more difficult it is to “break the code”.  More difficult, not impossible.
That’s SSL in a very basic description.   Remember SSL is a conversation that takes place to your server and the files are placed in a directory on your server in a location that requires the decoder key. 
I would not think that a standard cart would ever need both of these.  Of the two SSL makes more sense in that you are concerned about customer perceptions of security.
I think the question is not to ask what 100% security would look like (it would be unusable and still not 100%) but how much the data is worth protecting and how much damage could be done if the data is exposed.  Depending on that analysis you should check how much effort you can afford and what the most likely attack vectors are.  For most of us small-to-medium size ecommerce vendors not storing credit card information, it is usually pretty low.
Hopefully this makes it a bit clearer. 

I would just suggest that you ask specifically of your hosting whether the SSL cert will cover whatever your cart requirements are. 

Let's say you have mymaindomain.com and you have it set up to enable a customer to type in www.mymaindomain.com or mymaindomain.com and they both end up in the same place (note most setups already do this).  Now if you have your cart set up in a subdomain - store.mymaindomain.com - if you get a cert that covers all of these names you'll be good to go.  There are other solutions, but that's the easiest to handle.
Just ask your host specifically if the cert covers all of these names - and give them the names.   
The rewrites are not difficult - once you get your SSL figured out, you can ask Abantecart specifically what to do - it's just a couple of lines of code.
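An added example of the kind of `.htaccess` rewrite lines the posts refer to, written here to illustrate the question of securing only the login/account/checkout pages; it is not AbanteCart's own configuration and nothing in the thread specifies it. The route patterns (`rt=account/...` and `rt=checkout/...` in the query string, and the `/account/` and `/checkout/` path prefixes for SEO-style URLs) are assumptions about how the cart's URLs look and must be replaced with the real ones. It assumes `mod_rewrite` is enabled, that the certificate is installed for every name that can appear in `HTTP_HOST`, and that Apache terminates TLS itself (behind a proxy, test `X-Forwarded-Proto` instead of `%{HTTPS}`):

```apache
# Added example: force HTTPS on the account/login and checkout pages only.
# Route patterns below are assumptions; substitute the cart's real URLs.
RewriteEngine On

# Condition 1 (AND): request arrived over plain http
RewriteCond %{HTTPS} off
# Condition 2 (OR) / 3: it is an account or checkout page, either as a query-string
# route (index.php?rt=account/login) or as an SEO path (/account/login, /checkout/)
RewriteCond %{QUERY_STRING} (^|&)rt=(account|checkout)(/|&|$) [OR]
RewriteCond %{REQUEST_URI} ^/(account|checkout)(/|$)
# Apache keeps the original query string because the substitution has none
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Alternative, if you decide to run the whole store over HTTPS instead
# (remove the stanza above and uncomment these two lines):
# RewriteCond %{HTTPS} off
# RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
```

To verify it, request a protected page over plain http and check for a `301` with a `Location:` header pointing at the `https://` URL, then request an open page the same way and confirm it is served directly. One caveat worth knowing when mixing http and https pages like this: a session cookie that the cart sets on the https pages is also sent by the browser on the http pages unless it carries the `Secure` flag, so the login session itself is only as protected as the weakest page it travels over; that is the main reason many operators end up using the site-wide variant.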
