Jump to content
  • Checkout
  • Login
  • Get in touch

osCommerce

The e-commerce.

Is SSL Necessary For Me?


timmle

Recommended Posts

First time i have ever contemplated putting SSL into the site because i just have never needed to before.

 

My transactions are going to be credit card and possibly paypal aswell. For Credit/Debit cards we are going to use a 3rd party such as Secpay? or something like that, still doing some research on this and paypal speaks for itself.

 

Do i need to install SSL on my site? I don't have the first clue about what it is to be honest, except it keep things safe obviously.

Link to comment
Share on other sites

I don't register or buy anyplace online that requires me to give personal info (name, address, etc.) if it doesn't use SSL.

 

Personally I think it's a "must have" for any ecommerce site, if only to give customers peace of mind that they're personal info is secure.

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >

Link to comment
Share on other sites

I don't register or buy anyplace online that requires me to give personal info (name, address, etc.) if it doesn't use SSL.

 

Personally I think it's a "must have" for any ecommerce site, if only to give customers peace of mind that they're personal info is secure.

I would second that. Identity theft is a growing concern.

Link to comment
Share on other sites

Is this something i have to purchase through my hosting company, and they install it for me on my whole site? Or is it something i have to add manually to by whole site?

Link to comment
Share on other sites

Is this something i have to purchase through my hosting company, and they install it for me on my whole site? Or is it something i have to add manually to by whole site?

You don't have to purchase through the hosting company, but they should install it gratis to save you the hassle.

Link to comment
Share on other sites

Just Google the term SSL certificate

 

Personally, I'd stay away from the really cheap ones.

 

I think the person I setup the osC site for got his for around $100.

 

The way it worked for us was this:

 

  • 1. In the Control Panel we had to generate a CSR (Certificate Signing Request).
     
  • 2. When you buy the SSL you send them the CSR. It's just a small text file.
     
  • 3. They take that data (and your money) and send you back some files.
     
  • 4. We took those files and installed the SSL certificate via the Control Panel.

If you have any questions or doubts at all about the procedure ASK YOUR HOST!!!

 

We actually used a "trial certificate" for a few months and I don't think I installed it correctly. It worked OK in IE, but Firefox was always complaining about it.

 

When we got the "real thing" I asked the Host for the correct procedure. They gave me some detailed instructions, fairly simple, and it worked like a charm.

 

Of course, the way your hosting company works may be different but that's how it worked for us.

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >

Link to comment
Share on other sites

In many cases, the "really cheap ones" are the same cert selling for $100. You just get extra graphics to play with. Not worth it in my opinion.

 

Jack

Support Links:

For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.

All of My Addons

Get the latest versions of my addons

Recommended SEO Addons

Link to comment
Share on other sites

More about "really cheap" and "not so cheap" SSL:

 

Click Me

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >

Link to comment
Share on other sites

Is this something i have to purchase through my hosting company, and they install it for me on my whole site? Or is it something i have to add manually to by whole site?

 

Hi, I asked my hosting company about one, they got it for me, installed it all for $60 - a good deal as far as I was concerned.

I run a few 'sub domains' off my main site and I have just checked over the last day or so and the hosting company say it covers all my sites.

 

Hope this helps.

Link to comment
Share on other sites

More about "really cheap" and "not so cheap" SSL:

 

Click Me

Are you referring to the ability to show it is a verified ssl? If so, that is one of the graphic options I was referring to. Yes, it has more meaning that a regualr graphic change but makes absolutely no difference to the opeeration of the cert, especially from the common web surfer. They look for https and the lock, sometimes just the lock. If it is there, nothing else matters to them. If having that option is important to a shop owner, then they have to pay three times as much as they should, or almost six times if the cert is purchased from a place like namecheap. I don't think it is worth it myself but some do and will pay, which is why such certs are available.

 

Jack

Support Links:

For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.

All of My Addons

Get the latest versions of my addons

Recommended SEO Addons

Link to comment
Share on other sites

The average e-shopper probably doesn't know (nor care) where the SSL cert. is from - Acme Certificate Shop down on the corner, or Verisign.

 

And maybe as long as the "lock" appears in the browser, it really makes no diff. at all.

 

A good decision is usually a product of all the facts available.

 

I was just adding more facts to consider.

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >

Link to comment
Share on other sites

To clarify a few things for Tim, SSL protects your customer's information on its way from his or her computer to your host's or your webserver (just so you understand that it protects the data in transit only, and not once it is sitting on your host's server).

 

As Jack and Jim and Leslie and all agree, many potential customers want to see that you have SSL before they will enter any personal info on your site. It's worth it if you are serious about doing business.

 

Jim has outlined the steps he had to take - it will be similar for you. Your hosting service will help with the technical end, as will the company you purchase the SSL cert. from (many of them have detailed step-by-step instructions on their sites about generating your CSR, etc. - that's how I learned to do it. It's no biggee at all).

 

Once your hosting service has all the files they need, they install the lot on an SSL-enabled web server, and host your site there. Your URL will not change, nor will your upload procedure. The only difference will be that if you link to a page on your site with "https" instead of "http", your browser will now load an SSL-protected page, with the little lock and all that.

 

There is no need to protect all your pages with SSL - just the pages where customers enter info.

 

When SSL is available, osC is already configured to link to all its "checkout" pages with "https". The whole thing is a snap!

 

Happy designing,

~Wendy

Link to comment
Share on other sites

Thankyou very much for all your replies. I feel as if i understand it a lot better now. Thankyou Wendy for the run through of everything as well, it was all really helpful.

 

With what you were saying about the https prefix on your site - you say that Oscommerce is automatically configured when the SSL is on your site it will change these prefixes on the checkout pages etc. Does that mean once the hosting company has hosted my site on a SSL secured server i will not have to change a thing atall?

Link to comment
Share on other sites

SSL is not necessary as you will be using the SSL pages of your 3rd party processor. Unless you have a way to secure your database and files from intrusion, having SSL does little good anyway.

 

What SSL is good for, is a smokescreen. The smokescreen gives the illusion of security to Joe Bloggs on the street who doesn't understand how websites and webservers work.

 

Having said that, I'd advise having SSl rather than not having it. The cost is negligibale and if it only helps a handful of clients to buy something from you, then you have cleared the cost.

Link to comment
Share on other sites

Hi Tim!

 

Well, you probably will have to change a couple of things. When you went through the installation process for osC, you were probably asked if you wanted SSL enabled, and you probably said no, since you didn't have it. Unfortunately, there is no portal in the Admin panel through which you can change this later.

 

Soooo, once your hosting provider has your SSL ready to go, you will have to make a couple of changes in the PHP code of osC in order to make use of your SSL.

 

It's not hard ... here goes.

 

First, so that SSL will be enabled in your catalogue pages, go into /catalog/includes/configure.php, find the code below, and change it accordingly. Specifically, make sure that 'ENABLE SSL' is set to true, and that your domain name with https is listed as the 'HTTPS_SERVER'.

 

Note: During the purchase process for SSL, you will be asked what domain you want protected. You can protect either "www.mysite.com" or simply "mysite.com" with no www prefix. In the end, there will be no difference for the catalogue user (that I know of), but for you, if you register "mysite.com", then that is what will go under 'HTTPS_SERVER'. Myself, I went for the www prefix as it seemed simpler. I think most people do.

 

Here's the code snippet from /catalog/includes/configure.php, change accordingly:

 

...
// Define the webserver and path parameters
// * DIR_FS_* = Filesystem directories (local/physical)
// * DIR_WS_* = Webserver directories (virtual/URL)
define('HTTP_SERVER', 'http://www.yoursite.co.uk'); // eg, http://localhost - should not be empty for productive servers
define('HTTPS_SERVER', 'https://www.yoursite.co.uk'); // eg, https://localhost - should not be empty for productive servers
define('ENABLE_SSL', true); // secure webserver for checkout procedure?
define('HTTP_COOKIE_DOMAIN', 'www.yoursite.co.uk');
define('HTTPS_COOKIE_DOMAIN', 'www.yoursite.co.uk');

 

Second, so that your Admin panel will also be protected by SSL (which is a good idea), look for this similar snippet of code in /catalog/admin/includes/configure.php, and change accordingly:

 

...
// Define the webserver and path parameters
// * DIR_FS_* = Filesystem directories (local/physical)
// * DIR_WS_* = Webserver directories (virtual/URL)
define('HTTP_SERVER', 'http://www.yoursite.co.uk'); // eg, http://localhost - should not be empty for productive servers
define('HTTP_CATALOG_SERVER', 'http://www.yoursite.co.uk');
define('HTTPS_CATALOG_SERVER', 'https://www.yoursite.co.uk');
define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module

 

Good luck with the SSL! I don't know your level of experience, but if you need help with accessing and editing your PHP files, just put up a post.

 

~Wendy

Link to comment
Share on other sites

Thankyou for your kind reply Wendy.

 

I've been getting on quite well editing php as instructed and just reading up on php from the very beginning so i understand the changes i am making too.

 

So in the configure.php file...

 

1) Enable SSL using the true command

 

2) On this line *** define('HTTP_SERVER', 'http://localhost'); *** - I need to put e.g 'http://www.example.com';

 

3) And on this line *** define('HTTPS_SERVER', 'http://localhost'); *** - I need to put e.g. 'https://www.example.com'; IF i choose www.example.com for my hosting company to protect through ssl. OR 'https://example.com' if i choose for my hosting company to protect 'example.com'

 

Sorry if i repeated everything you instructed, its just my way of getting my head around it and everything.

 

Thankyou very much once again Wendy.

Link to comment
Share on other sites

As I am experiencing some difficulty with the SSL Cert etc, could I please ask this query.

 

In catalog/includes/configure.php - I have no problem - file is there - apart from I can not upload the file as when I try I a warning come up as follows:

An FTP error occurred - cannot put configure.php. Access Denied. The file may not exist or there could be a permission problem.

 

In catalog/admin/includes/configure.php the only difference I can make out is that in the other php file I have : define('ENABLE_SSL', false);

In this admin file I have : define('ENABLE_SSL_CATALOG', 'false');

 

I could change the one in 'admin' to read 'true' and upload it BUT the one in catalog/includes, it won't let me.

 

Any ideas?

 

Regards

 

P.S. All other files to anywhere I can upload OK, just this one.

Link to comment
Share on other sites

Please forget last message = I have it sorted.

It was a permission problem.

The file permission was set to 444, just changed it to 644 and now everything works OK.

 

Kind regards

John

Link to comment
Share on other sites

I don't register or buy anyplace online that requires me to give personal info (name, address, etc.) if it doesn't use SSL.

 

Personally I think it's a "must have" for any ecommerce site, if only to give customers peace of mind that they're personal info is secure.

 

 

Same as question with tim, but one things different my question...

is SSL necessary when my online shop just keep with paypal verified,

is that already give the our customer secure and peace of mind ? probably ? is it not enough security?

Please kindly your advise....

 

Regard

wibisono

Link to comment
Share on other sites

Well how i see it, because Paypal is a 3rd party site, you need to make sure customer knows that their information is secure in delivery to Paypal from your site. So i imagine having SSL on your site will give htem peace of mind that any information inputted into your site atall is going to be kept safe until it reaches Paypal and then it's Paypal's responsibility to keep that information secure.

 

As far as this is concerned i think being paypal verified isn't enough security.

Link to comment
Share on other sites

Well how i see it, because Paypal is a 3rd party site, you need to make sure customer knows that their information is secure in delivery to Paypal from your site. So i imagine having SSL on your site will give htem peace of mind that any information inputted into your site atall is going to be kept safe until it reaches Paypal and then it's Paypal's responsibility to keep that information secure.

 

As far as this is concerned i think being paypal verified isn't enough security.

 

thank you for your reply tim.....

When i understand it in the process to checkout for billing, the customer will be take on the page of paypal ( of course they will be must set up with paypal also)that all information absolutely store in paypal security ( in this case about they credit card information )and all we know paypal great with SSL.

so we not have manage that information, so is it wise to pay SSL again ? remind we not handle the credit card customer directly....

 

but, i'am agree...

except when we also try to manage directly the credit card customer of course we need ensure it to do SSL....

 

Anyway that my knowledge, is it any information to correction my opinion????

So plese..please give me the right direction...!!!

I need the safety way for customer future.....

 

Thank you in advance, buddy!!

wibisono

Link to comment
Share on other sites

Same as question with tim, but one things different my question...

is SSL necessary when my online shop just keep with paypal verified,

is that already give the our customer secure and peace of mind ? probably ? is it not enough security?

Please kindly your advise....

 

Regard

wibisono

 

Hi wibisono,

 

Some say yes, some say no. You can always try it without your own SSL (I assume the customer information is input to Paypal's paypage), and see if sales are OK. If they seem slow, or if customers inquire about the lack of SSL, you can always get it later.

 

My opinion is that it is helpful to sales if you have SSL. That way, customers feel secure from the very beginning, and start thinking about buying something... B)

 

~Wendy

Link to comment
Share on other sites

Hi wibisono,

 

Some say yes, some say no. You can always try it without your own SSL (I assume the customer information is input to Paypal's paypage), and see if sales are OK. If they seem slow, or if customers inquire about the lack of SSL, you can always get it later.

 

My opinion is that it is helpful to sales if you have SSL. That way, customers feel secure from the very beginning, and start thinking about buying something... B)

 

~Wendy

 

Hi wendy,

i am really appreciate for kindly advise,

i will note it.

Again thank you buddy!!

 

Regard wibisono.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...