osCommerce

The e-commerce.

What security do I need?


derbytrader

Right, I've installed osC after a bit of wrestling, but now need amongst other things to set up security. What follows may sound dumb.

1) Do I need SSL to provide security for my admin section and if so, what security does it provide - presumably stops folks getting password I guess?

2) Assuming I install SSL for 1, does this also provide security to customers of my site? I'm planning on using PayPal to take payments. Does PayPal come already secure?


Hiya

1) Admin can be protected by .htaccess, not SSL.

SSL encrypts the data, not protects it as in needing a password to access it.

2) You do not need SSL at all, lots of customers will not shop with you if you do not protect their data from any security risk, even names and addresses can be used against the individual.

No, afraid not, PayPal does not come with SSL on your site, it does on their own though.

Sometimes you're the dog and sometimes the lamp post


Thanks Fimble, though pardon me I'm probably being slow.

Let me get this clear.

1) I don't need SSL to protect admin or the admin password

2) You state that "You do not need SSL at all" but then go on to say customers will not shop with me if I don't which would suggest I do need it.

3) What do you mean PayPal does come with SSL on its own but not on my site?

Apologies if I'm appearing a little dumb, it's only because I am


No, you’re not dumb; you just don’t know, that’s all!

1) Your admin password is stored in a file called .htpasswd and is called from a file called .htaccess when someone tries to enter your admin area (providing you have it protected at all [OSC does not come with automatic protection; you need to add this manually]). The browser reads the .htaccess file and learns that it is protected by a password; the password is stored in the .htpasswd file. So when you enter your user name and password, it has to match the one stored in this .htpasswd file. If it does, then in you go; if not, you are told so.

SSL, on the other hand, is a way of simply encoding your information so that if this info is grabbed by anyone else it cannot be read. It is denoted by the padlock you see on your browser, so sensitive information like personal information or payment card info is protected.

Each site has to have its own SSL, so if your customer buys from you, the info they enter into your site, like name, address etc., will be unprotected if you do not have SSL. PayPal will have SSL in place, so when your customer gets there it is protected.

I suppose an easier way of putting it is:

.HTACCESS protects entry to your pages

SSL protects Data

SSL active is shown as a padlock on the web browser; many customers will not buy if they cannot see it when they ought to.

I hope this explains it!!!!!

Sometimes you're the dog and sometimes the lamp post


This is the only thing you need to know - if the data is sensitive, encrypt it. If you don't know already, unencrypted data is sent via clear text over the internet. This means anyone who has some knowledge about sniffing out data can get it - and it's pretty easy too.

If you need to encrypt, you have to install an SSL certificate.

Protect everything you feel is necessary. You can SSL the whole site if you want, or just portions of it. You access SSL through the https:// protocol.

I leave the main catalog, contact, cart and wishlist unsecured, and SSL everything else. OSC controls most of it for you automatically.

Admin, Customer Login, Payment process, anything I need to protect the data with is SSL.

htaccess I use to keep people out of unwanted areas, or to redirect if they try and get into the guts of my site. This is how you make it so you have to log in to the admin site, or if you try and spy on my files, I take you back to the index of my site, or an error, or I ban your IP.

PayPal - when you make a transaction through PayPal, you are using their secure servers - however, this does not encrypt your site.

Every web site should have SSL if they are handling sensitive data.

Nothing unreal exists
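
The two pieces discussed in this thread, combined in one `.htaccess` for the admin directory, as an added example that is not taken from any of the posts: password protection through `.htpasswd`, plus a rule that refuses the login unless it happens over SSL. It assumes Apache 2.4 with mod_ssl and `AllowOverride AuthConfig` for that directory; the file path, user name and realm name are placeholders.

```apache
# admin/.htaccess  (added example; path, user and realm are placeholders)
#
# Create the password file outside the web root first, for example:
#   htpasswd -c -B /home/example/private/.htpasswd shopadmin
# -c creates the file, -B stores the password as a bcrypt hash.

# 1. Refuse any request that did not arrive over HTTPS (mod_ssl).
#    HTTP Basic authentication sends the user name and password
#    base64-encoded, not encrypted, with every request to this
#    directory. The password prompt controls who gets in; only the
#    SSL connection keeps the password itself from being read in
#    transit.
SSLRequireSSL

# 2. Ask for a user name and password (HTTP Basic authentication)
#    and check them against the entries in the .htpasswd file.
AuthType Basic
AuthName "Shop administration"
AuthUserFile /home/example/private/.htpasswd
Require valid-user
```

With `SSLRequireSSL` in place, a request for the admin area over plain `http://` is refused, so the admin URL has to be opened as `https://`.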


Thanks Fimble and Kirikintha,

Just had a nosey around and this SSL is quite expensive.

Do I need to get some such as Verisign or Thawte, or are there more reasonable alternatives that are equally safe?


Verisign, GeoTrust...

Those two are the most popular to get SSL; as for alternatives, I have no idea...

You can create your own certificate with OpenSSL - but that is really not a good idea - you get a lot of errors with it.

Stick with the majors, especially because Internet Explorer will error out most certificates, unless they are generated by the majors.

Nothing unreal exists


Archived

This topic is now archived and is closed to further replies.
