haggisv Posted July 27, 2006

I have just signed up with Jumba, and I'm running OScommerce. I have been considering security issues before we go 'live'. Since we don't do any payments directly via our website (only use direct bank deposit/transfer, PayPal or money orders) we're wondering if it's worthwhile paying for an SSL certificate?

What are the risks without an SSL certificate? Are there any other ways of protecting the website and database without the SSL certificate?

Thanks a lot!

cbp Posted July 27, 2006

I would also like to know more about this. From what I know up to now, some contribs don't work well with SSL.

Oh, and before going into a paid SSL, use your server to generate an OpenSSL key and test it out. It's free and allows you to test and see how it all works.

haggisv Posted July 27, 2006 Author

> I would also like to know more about this. From what I know up to now, some contribs don't work well with SSL.
>
> Oh, and before going into a paid SSL, use your server to generate an OpenSSL key and test it out. It's free and allows you to test and see how it all works.

Thanks for the tip!

I got the following reply from Jumba (hosting provider):

> In relation to your question, I'll explain it the best I can. An SSL certificate encrypts information which is passed from your customer's web browser to your website. Once it gets to your website, it's decrypted, and stored in the appropriate area of the database. The only information your database encrypts is usually passwords and sometimes credit card numbers. The rest of the information is stored in plain text. So, the information passed from the customer (their details, shopping carts, etc.) is passed in plain text without an SSL. Now, for someone to be able to see this information, they would need to have spyware on the customer's computer. Our servers are locked down tighter than anything, the MySQL port isn't even accessible from outside the machine, so it's virtually impossible for anyone to see information that way.

Since I don't process any payment details on the website directly, and only store names and addresses in the database, I don't think it's worthwhile...

Any comments very much appreciated!

Jack_mcs Posted July 27, 2006

A lot of people won't shop at a site that is not protected with an SSL certificate. When you say you "only store names and addresses," how would you like it if your name was entered into such a site and that information was stolen and your name given to a few thousand email spammers? I sure wouldn't like it. The bottom line is that you are risking losing customers, even if it is just one customer, over $20/year. It doesn't sound like a good way to go to me.

Jack

Support Links:
For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.
All of My Addons: Get the latest versions of my addons
Recommended SEO Addons

haggisv Posted July 28, 2006 Author

Jack_mcs wrote (Jul 27 2006, 12:55 PM):

> A lot of people won't shop at a site that is not protected with an SSL certificate. When you say you "only store names and addresses," how would you like it if your name was entered into such a site and that information was stolen and your name given to a few thousand email spammers? I sure wouldn't like it. The bottom line is that you are risking losing customers, even if it is just one customer, over $20/year. It doesn't sound like a good way to go to me.
>
> Jack

Yes, that is true and that is a good point to consider. However, if you use your email regularly your name and address is already out there anyway... how many of us do NOT get spam these days... I would not be too worried myself about that... but payment details is a different story.

Jack_mcs Posted July 29, 2006

That's a separate point. A lot of web shoppers are still new to shopping online. They have been told that if a site is not secure to skip it. I can't imagine why anyone would want to risk losing a customer to save $20/year. If that is the case, then that shop owner should find another hobby.

Jack

Guest Posted July 29, 2006

> That's a separate point. A lot of web shoppers are still new to shopping online. They have been told that if a site is not secure to skip it. I can't imagine why anyone would want to risk losing a customer to save $20/year. If that is the case, then that shop owner should find another hobby.
>
> Jack

Be aware that having a site running an SSL certificate has NOTHING to do with protecting your customers' data once their order is placed. In a basic OScommerce store, credit card numbers, customers' addresses and phone numbers are stored IN CLEAR in the database, and can be accessed by experienced hackers who could gain access to your server's root (not easy, but possible). Once you have access to the root, you have access to the database and can read everything in it.

But online shoppers don't know that. They only pay attention to this lock, that basically doesn't guarantee ANYTHING regarding the security of the data once it has been stored. It only guarantees that the data is encrypted when it TRAVELS, that's it. If you don't encrypt AFTER the transit, you (and your customers) are still at risk.

Compare it to sending a big armored truck full of money from the bank (the customer) to your house (your store) and leaving your house door unlocked. Transit is safe, but after that... problems may occur :-)

Of course, an SSL is worth it: people won't trust your site otherwise. But it's not enough. Consider installing a Credit Card encryption mod at least to protect the stored data and prevent anybody who may have access to your database to be able to read it without the proper decryption tools.

stevel Posted July 30, 2006

Even if you use a payment processor, the customer enters their credit card info into a form on your site. If that form is not submitted to an https link, the information can be intercepted in the clear. So yes, SSL should be considered required. Many hosts offer free shared SSL which you can use if you don't want to or can't install a certificate.

Steve

Contributions: Country-State Selector, Login Page a la Amazon, Protection of Configuration, Updated spiders.txt, Embed Links with SID in Description

Archived
This topic is now archived and is closed to further replies.