SSL Really Needed?


mme


Posted

I have seen some successful stores that don't use SSL; however, they only accept bank deposits and cheques. So is it really necessary to have SSL when just using bank deposit and cheque?

 

Thanks

Posted
You can run a successful shop without SSL providing you use payment methods where the customer does not have to input sensitive payment information on your website.

Which also goes for using payment services like PayPal and 2checkout where the customer is sent to the payment processor's website to complete the payment on their SSL-secured servers.

But that said you might also lose out on some customers too simply because your site does not have SSL on the checkout, since there are shoppers who will not input their contact and address details unless the site is SSL secured.

Posted
This is true. I would not input any personal info unless the page is ssl.

Posted

I would never enter my personal info or purchase anything from a site that did not have SSL. If the owner can't be bothered to secure my info I can't be bothered to spend my money. You can get an SSL cert for as low as $12 a year.

Posted

Gee whillikers, if the SSL cert. only costs $12/year, how thorough can the issuer be in establishing the applicant's identity? I thought the point of SSL certification (and the reason it can be a bit pricey) was that, as a third party, the issuer certifies the applicant's identity by doing a little checking and asking for documentation such as business registration documents, etc. The reputation of the issuer then rests on how reliable and thorough they have been. I don't think you can get that for $12 a year. For $12 a year (which could only possibly support a rubber-stamp approach) a lot of fraudulent applicants will assumably get through, get their SSL certs., run off with people's money (which was transmitted to them securely, of course), and destroy consumer confidence in the whole system. Then we'll have to buy something even more expensive to assuage customers' doubts. :ph34r:

 

So I'd think twice about bargain-basement certs.

 

Just my two cents, but it's late so I'm probably getting a little kooky. I have to get an SSL cert. next week, so I've been pondering these matters.

Posted
What does having an SSL certificate have to do with shop owners running off with people's money?

Posted
BLACK SABBATH 1972 PARANOID

C'mon now. It doesn't matter how much the cert costs, you can actually get them for free. It's if it's installed properly and therefore encrypts your information from the eyes of third parties. NOW, who gives out more of your private information received on SSL links? The lil guy starting with osCommerce? Or the big wal-target-depot that knows how to sell your info? But rest assured, they won't sell or trade your info to 3RD parties, they'll just give it to their 3RD division.

Posted

There are basically 3 levels of SSL certificates.

1. Low Level Assurance. These are the cheap ones; they only validate the URL. Basically can be gotten from 12 USD and up, typically between 20 and 30 USD. (Examples are Rapidssl and Turbossl.)

2. High Level Assurance. This validates the URL, business name and location. Can be gotten from about 50 USD and up, typically between 70 and 150 USD. (Examples are Comodo instantssl and Geotrust.)

(But if you want it from a high profile name like Verisign it's more expensive.)

3. Extended Validation. This one validates URL, business name and location after much stricter defined rules and requires quite a bit of documentation.

This one usually starts at 500 USD and up.

Now there has been some concern about the ease of issue and lack of validation for the first level, and newer browser versions and browser add-ons are starting to show more clearly which grade of validation the SSL is.

Currently the address bar in IE7 will change to green when you are on an EV SSL site; Mozilla and the others are following this trend in their upcoming browser versions. (Although how it will be highlighted will differ.)

Other browser add-ons which can be installed to improve security and to warn you of phishing web sites when surfing are even more strict and will throw up a "be aware of low assurance" for low level assurance SSL certificates. (An example of such an add-on is vengine.)

Posted

Thanks for all the info and viewpoints!

 

I guess I was blending two issues in my post:

 

1) SSL technology (which is great, preventing interception of customer data en route to the shopowner)

 

2) The role SSL certificate issuers have taken on, of investigating and certifying an applicant's (shopowner's) identity before the cert. is issued.

 

I didn't clarify that these are two completely separate matters. :blink:

 

It's (2) I was concerned about. When I heard about the bargain certs., I thought, gee, the buying public has (through a miracle of public awareness, IMO) come to associate SSL with a reduced incidence of fraud (woohoo for us honest shop owners!), but if anyone can now buy an SSL cert. off the shelf for $12, more fraud at the shopowner end will be bound to happen, which will quickly erode buyer confidence in dealing online. SSL has no role in causing this type of fraud - it's just that the identity-verification procedures of the SSL issuers were tending to discourage it, I thought.

 

However, the open market will trundle on, and I'm not in favour of a whole lot of regulation either, so we'll hope for the best! :D

 

PS: I plan to get a High Level Assurance cert., as defined in Nick's post above.

Posted
Actually, a medium level cert is one that has 128 bit encryption and medium level certs start at $12. There are only a handful of web authorities that can actually produce the certs. They sell them to places you and I would purchase them from. So you may pay $50 for the same cert I would pay $12 for and not get anything more out of it. If you order from a place like Comodo, they have fancy graphics and such. If that is worth the extra $80 or so then you should go with that but it is still just a 128 bit cert - no safer than the $12 one. All most web surfers look for is https and the lock. Once you have that, the rest is just show.

 

Jack

Posted
Low, high and EV assurance levels are not related to how many bits of encryption are used; the assurance rating is related to how much of the web site's legitimacy has been verified.

The cheap certificates are all low assurance as far as I know, i.e. they only validate your URL. (That's also why they can be issued more or less immediately and without any further documentation provided, hence also the cheap price.)

For those who wish to see a bit of the future, download and install vengine on your PC and then navigate to a site which has a low assurance SSL (again, low assurance certificates can be 128 bit too).

The vengine (just google for vengine to find it) will give you a security warning on the low assurance certs that only the URL has been validated and that the owner behind the website has not been verified.

It's also in the cards that such "warnings" might be part of the new and upcoming browser versions out there to help reduce online fraud.

Posted

Thanks for all the info, Jack and Nick. Encryption levels, assurance levels ... hoo boy. My main concern is how the typical consumer will perceive things, and as Jack said, most folks just look for the https: or the little lock. They know they're supposed to look for these, and when they see them it makes them happy and they buy things. I'd hate for that to change. But Nick's info about such utilities as vengine, and about future browser developments, has reassured me. :)

Posted

A typical buyer doesn't care about what SSL is installed. When they see the lock graphic and the https: that is good enough.

Posted
so true. the sites I've done for people their concern is ..."will it have that lock-ie thing picture on it?"

Posted

SSL certificates are all about 'The Web of Trust'. By using any particular browser, you are trusting that the accepted certificate authorities distributed with it are worthy of your trust. Does this seem a little stretching it? When was the last time that you blindly trusted a corporation?

 

Paying for an SSL certificate from a recognized authority is little more than supporting their ability to market themselves. Sure, some do some actual fact checking and vetting, though more often than not you simply fill out a form at your hosting service and a few hours later get a request for confirmation in an email.

 

SSL is a some two decade old technology that was originally used only by in person transfer of public keys - still the most secure form. Anybody can issue their own certificates and keys with the proper software, http://openssl.org . If I apply my own certificate to a site, you will be asked if you trust the certificate issuer, an unknown 'authority'. By contacting me directly, I can confirm that the key signature that you have is indeed correct. But who knows enough to do this, or is even to be bothered with the extra few steps?

 

And in a world where all digital communication is susceptible to interception, this entire process is a moot point, encrypted or not.

 

Alas, it is an illusion of security.

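Two points raised in this thread, shown together as an added example (not code from any poster): the assurance level concerns which identity fields a certificate carries rather than its key size, and a self-issued certificate can be confirmed by comparing its fingerprint with a value obtained directly from the owner. It assumes the `openssl` CLI is installed; the host name, organisation and file names are constructed, and the certificates are self-signed stand-ins for CA-issued ones.

```shell
#!/usr/bin/env bash
# Added example: constructed self-signed certificates, hypothetical names throughout.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME SUBJECT: self-signed certificate with a 2048-bit RSA key.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "$2" 2>/dev/null
}

# fingerprint CERT: SHA-256 digest of the certificate, the value the owner
# can confirm over a separate channel (phone, printed invoice).
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# verify_out_of_band CERT EXPECTED: succeed only when the certificate received
# matches the fingerprint the owner confirmed.
verify_out_of_band() {
  [ "$(fingerprint "$1")" = "$2" ]
}

# identity_fields CERT: does the subject name an organisation, or only a host?
# On a CA-issued certificate this reflects what the CA checked.
identity_fields() {
  if openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | grep -Eq '(,|=| )O='; then
    echo "organisation named"
  else
    echo "host name only"
  fi
}

# key_bits CERT: public key size in bits, independent of the identity fields.
key_bits() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

make_cert shop     "/CN=shop.example"
make_cert business "/C=US/L=Springfield/O=Example Shop LLC/CN=shop.example"
make_cert imposter "/CN=shop.example"   # same host name, different key

SHOP_FP=$(fingerprint "$WORK/shop.pem")  # value the owner would read out
for c in shop business imposter; do
  if verify_out_of_band "$WORK/$c.pem" "$SHOP_FP"; then match=yes; else match=no; fi
  echo "$c: $(key_bits "$WORK/$c.pem") bit, $(identity_fields "$WORK/$c.pem"), matches owner fingerprint: $match"
done
```

All three certificates use the same key size, yet only one names an organisation and only one matches the fingerprint the owner confirmed.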

  • 1 month later...
Posted

I now have shared SSL for my shops (it's free in most cases from your provider).

Archived

This topic is now archived and is closed to further replies.
