  1. #1
    SitePoint Enthusiast
    Join Date
    Sep 2000
    Posts
    94

    Question about SSL

    Hello, shortly I would like to start selling membership to my forums for extra features. I know that in order to process credit cards on my site, that I need to have a secure certificate installed. Now this really is a newbie question, and frankly I'm embarrassed to ask but what the heck. If I get a secure cert the URL would look something like https://. Does the cert secure the whole site, or does it secure just one page? So say my domain name is http://www.domain.com, and I have a signup page located at http://www.domain.com/signup.php . Would my whole site be secure due to the cert if I told the user to go to https://www.domain.com , or would I only secure the /signup.php page?

    Basically does a secure cert secure 1 page, or can it secure a whole site?

    Thanks
    Have you ever been ripped off, lied to or cheated? If so, check out
    Baddealings.com

  2. #2
    SitePoint Enthusiast
    Join Date
    May 2001
    Posts
    43
    The cert will be valid for any URL on that host. You usually get a cert for a specific host in a domain, unless you get a wildcard cert that covers any host in the domain (more expensive).

    So, if you get a cert for www.domain.com, then any URL that starts with https://www.domain.com will work with your cert. You just wouldn't be able to use a different host with that domain, like https://forum.domain.com, but it sounds like you do not care about that.

    Does that clear it up?
    "Best viewed on webmaster's machine."
    Alertra Site Monitor: www.alertra.com

  3. #3
    SitePoint Enthusiast
    Join Date
    Sep 2000
    Posts
    94
    nitecoder-
    Thanks for your reply, as it clears it up a little more. So I have a site http://www.baddealings.com , and I want to have a signup page, http://www.baddealings.com/signup.php . I know that I could secure the signup.php page, but could I secure http://www.baddealings.com/forums/index.php for example? So is it just as long as the syntax is http://www.baddealings.com/ and not any subdomains or anything. Correct?
    Have you ever been ripped off, lied to or cheated? If so, check out
    Baddealings.com

  4. #4
    Payment Acceptance Expert jconley2's Avatar
    Join Date
    Aug 2000
    Location
    Charleston, SC
    Posts
    321
    Hi Steven,

    There's no need to secure your whole site, but rather just the "action" field in the mailto form area that's located "behind the scenes" of the order page. A secure action field link example is below:

    <form action="https://www.processcard.com/cgi-bin/authorize.pl" method="POST">

    The "s" is a must on the "http" in order for the secureness to take effect. Many people also secure their order page which is a good idea. In this case I believe you'd need to purchase your own secure certificate from either Thawte (http://www.thawte.com) or VeriSign (http://www.verisign.com). Securing the order page in addition to the "action" field gives your customers a sense of security, knowing you've taken the necessary steps to keep their vital information from falling into the wrong hands.

    Any page that is secured always takes an extra second or two to load.

    Of all the Merchant Account Providers I'm familiar with their real-time solution comes with its own secure certificate to ensure transactions from your site to the processors are secure. This eliminates the need for you to purchase your own secure certificate. However it just secures the order transaction itself (through the "action" field)... not the order page. But it's the order contents that is the important part that MUST be secured. However you run into the issue of if your order page isn't secure when customers click to it will they believe their transaction is secure once they hit that "Order Now" button and the transaction does go through and they get sent to an order confirmation page? I wrestle with this one. Perhaps someone else has some insight. Personally I think it's important to make sure both the order page AND "action" link field is secured.

    To your success,

    Jim Conley II
    CEO/Founder - MerchantSeek
    Search FREE for a Merchant Account Provider based on your business needs and budget. We're your one stop information source on payment acceptance.
    Visit us at http://www.merchantseek.com
    Last edited by jconley2; Jun 15, 2001 at 21:02.

  5. #5
    SitePoint Enthusiast
    Join Date
    May 2001
    Posts
    43
    Steven: Exactly. The typical cert is for the host in the domain, in your case you'll tell your certificate authority (the place you're buying the cert from) that you want a cert for: www.baddealings.com

    Once you have that, the specific URLs don't matter. In other words, you can't (that I know of) get a cert that covers only a specific page or URL.

    That doesn't mean you *have* to let people access other URLs through the encrypted connection - a lot of people set it up so the sign up page is the only one with the https in the URL so that the other pages on their site won't be needlessly slowed down by the overhead of encryption.

    So, on your home page you can have a link to your signup page with the URL https://www.baddealings.com/signup.php, and make all of your other URLs http://www.baddealings.com/whatever to take care of that.

    The cert covers your whole site, *you* control which pages are actually secure by the URL.

    One thing to make sure of is that people can't get to your sign up page by typing an insecure URL into their browser, bypassing your https URL. You can get PHP to redirect to the secure URL when it sees someone accessing the page directly. But then that's a whole lot of stuff you didn't ask about - just trying to be helpful.
    Last edited by nitecoder; Jun 15, 2001 at 20:57.
    "Best viewed on webmaster's machine."
    Alertra Site Monitor: www.alertra.com
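
The scoping described in posts #2 and #5 (a certificate is bound to a host name, never to a path, and a wildcard covers one host label), as an added example that is not code from any poster in this thread. The URLs are constructed, and the matching is a simplified version of the check a browser performs against the names in the certificate:

```php
<?php
// Added example: which URLs a certificate name covers.
// Certificate names and URLs below are constructed for illustration.

/** Match a host against one certificate name (exact, or "*.domain" wildcard). */
function cert_name_matches(string $certName, string $host): bool
{
    $certName = strtolower(rtrim($certName, '.'));
    $host     = strtolower(rtrim($host, '.'));
    if (strpos($certName, '*.') !== 0) {
        return $certName === $host;        // ordinary cert: this exact host only
    }
    // Wildcard: "*" stands for exactly one left-most label, so it matches
    // forum.domain.com but neither domain.com nor a.b.domain.com.
    $suffix = substr($certName, 1);        // ".domain.com"
    $dot    = strpos($host, '.');
    return $dot !== false && $dot > 0 && substr($host, $dot) === $suffix;
}

/** True if the URL is https and its host is covered; the path plays no part. */
function url_covered(string $certName, string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || ($parts['scheme'] ?? '') !== 'https' || !isset($parts['host'])) {
        return false;                      // plain http never involves the cert
    }
    return cert_name_matches($certName, $parts['host']);
}

$urls = [
    'https://www.domain.com/signup.php',
    'https://www.domain.com/forums/index.php',
    'https://forum.domain.com/',
    'https://domain.com/',
    'http://www.domain.com/signup.php',
];
foreach (['www.domain.com', '*.domain.com'] as $name) {
    foreach ($urls as $url) {
        $verdict = url_covered($name, $url) ? 'covered' : 'not covered';
        printf("%-16s %-42s %s\n", $name, $url, $verdict);
    }
}
```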

  6. #6
    SitePoint Enthusiast
    Join Date
    May 2001
    Posts
    43
    Originally posted by jconley2
    ...However you run into the issue of if your order page isn't secure when customers click to it will they believe their transaction is secure once they hit that "Order Now" button and the transaction does go through and they get sent to an order confirmation page? I wrestle with this one. Perhaps someone else has some insight. Personally I think it's important to make sure both the order page AND "action" link field is secured.
    Jim: I may be misunderstanding the question you raise, but why would you *not* secure the order page? If you don't, the info isn't secure. It can be sniffed on its way to https://www.processcard.com/cgi-bin/authorize.pl
    "Best viewed on webmaster's machine."
    Alertra Site Monitor: www.alertra.com

  7. #7
    Payment Acceptance Expert jconley2's Avatar
    Join Date
    Aug 2000
    Location
    Charleston, SC
    Posts
    321
    I'm not at a full understanding of SSL details, however I do know that the "action" tag needs to be secured or else the information will have the potential to be seen, but the order page itself? I don't think that has to be secured, making sure the "action" tag is secure is vitally important to keeping the information being transacted secured. But securing the order page itself and the confirmation page, but NOT the "action" tag I don't think would secure the transacted contents at all. In fact, I know it wouldn't secure it. Instead, it's just sending the customer a false sense of security I would think.

    However, going back to what I said in my previous post. If you use a Real-Time solution the processor will give you the link to place in the "action" tag and you can be sure that link will be secure.

    An example of where you might find that the "action" tag isn't secured is where you might be completing an application for a mortgage (credit card, loan, etc.) and the company thinking that securing the application page alone would do the trick, but end up *not* securing the "action" tag. As a result, the contents isn't secured after all.

    To your success,

    Jim Conley II
    CEO/Founder - MerchantSeek
    Search FREE for a Merchant Account Provider based on your business needs and budget. We're your one stop information source on payment acceptance.
    Visit us at http://www.merchantseek.com
    Last edited by jconley2; Jun 15, 2001 at 21:29.

  8. #8
    SitePoint Enthusiast
    Join Date
    Sep 2000
    Posts
    94
    jim and nitecoder-
    Thank you guys for helping me get a better understanding of ssl. Jim I must say that I love your site, and found it extremely helpful in the area of ecommerce. I was going to ICQ you a while ago, but I had to watch the basketball game. Anyways Jim, I'm looking to go with echo-inc.com as my merchant provider and I know that you highly recommend them. I was wondering how hard it was to setup the account with echo-inc and is there a script that will allow me to access their gateway? Thanks again
    Have you ever been ripped off, lied to or cheated? If so, check out
    Baddealings.com

  9. #9
    SitePoint Enthusiast
    Join Date
    May 2001
    Posts
    43
    You don't have any choice but to use an https link to the offsite processor (in the "action" tag) because their server isn't going to accept the connection without it.

    The order page has to be secure, otherwise the transaction is not secure. The only way to avoid having to buy the cert, is if you use a service whereby the entire order is taken on a page located on the processor's secure server.

    In any event, Steven just wants to know if his cert will allow him to secure other pages besides his sign up page, and the answer is yes - once he has the cert, he can secure any page on his site that he desires.
    "Best viewed on webmaster's machine."
    Alertra Site Monitor: www.alertra.com

  10. #10
    Payment Acceptance Expert jconley2's Avatar
    Join Date
    Aug 2000
    Location
    Charleston, SC
    Posts
    321
    Hi Steven,

    ECHO is a good company. They are their own gateway also which is nice in a way, but they seem to lack in the area of having compatible shopping carts to work with their gateway. I know they are talking with the Miva folks. They also have their own shopping cart coming out that will come with the merchant account at no extra charge (so I've been told).

    I would still look into their offerings and give them a call and hear what they have to say. They've got excellent rates and fees.

    Other companies to check out can be found on my "Featured Merchant Account Providers" page for Real-Time Internet processing: http://www.merchantseek.com/featured/real-time.htm

    I know the owner of Merchant Processing Services (one of the providers featured) real well and I know he could give you an excellent rate also. He offers the AuthorizeNet gateway for Real-Time credit card processing.

    Thanks for your compliments on MerchantSeek. Glad to be of help. I keep adding in informative content often.

    If you have any more questions Steven let me know either here, via ICQ or through any of the other Instant Messengers.

    To your success,

    Jim Conley II
    CEO/Founder - MerchantSeek
    Search FREE for a Merchant Account Provider based on your business needs and budget. We're your one stop information source on payment acceptance.
    Visit us at http://www.merchantseek.com

  11. #11
    Payment Acceptance Expert jconley2's Avatar
    Join Date
    Aug 2000
    Location
    Charleston, SC
    Posts
    321
    Originally posted by nitecoder
    You don't have any choice but to use an https link to the offsite processor (in the "action" tag) because their server isn't going to accept the connection without it.
    Right, of course... wouldn't be logical to allow the connection to be insecure.

    The order page has to be secure, otherwise the transaction is not secure. The only way to avoid having to buy the cert, is if you use a service whereby the entire order is taken on a page located on the processor's secure server.
    Thanks for clearing that up. Yeah, many of your 3rd party processors require the order page to be on their servers (or else it'd be considered "factoring" which is illegal).

    In any event, Steven just wants to know if his cert will allow him to secure other pages besides his sign up page, and the answer is yes - once he has the cert, he can secure any page on his site that he desires.
    But of course! After spending that much on a certificate you better believe you can secure any page. It's also important to make sure on your order page that your confirmation page is also secured or else customers will get an error window saying they are being redirected to an unsecure page, do you wish to continue (or something to that likening).

    Thanks again nitecoder!

    To your success,

    Jim Conley II
    CEO/Founder - MerchantSeek
    Search FREE for a Merchant Account Provider based on your business needs and budget. We're your one stop information source on payment acceptance.
    Visit us at http://www.merchantseek.com

  12. #12
    Payment Acceptance Expert jconley2's Avatar
    Join Date
    Aug 2000
    Location
    Charleston, SC
    Posts
    321
    Now that I think about it, if your order page didn't need to be secured then your secure certificate issuing companies probably wouldn't be around. Nor would it be essential to make sure your confirmation page (or whatever page you're redirected to after the order goes through) is secured.

    Wasn't thinking right... oh well... I'm back on track now.

    To your success,

    Jim Conley II
    CEO/Founder - MerchantSeek
    Search FREE for a Merchant Account Provider based on your business needs and budget. We're your one stop information source on payment acceptance.
    Visit us at http://www.merchantseek.com

  13. #13
    SitePoint Enthusiast
    Join Date
    May 2001
    Posts
    43
    I guess processing companies would still need certificates, so the CAs would still be around, but their market would be much smaller. :-)

    On a more serious note, you mentioned Verisign and Thawte (which is owned by Verisign), I would also consider www.equifax.com as their certs are much cheaper and they claim wide browser compatibility.
    "Best viewed on webmaster's machine."
    Alertra Site Monitor: www.alertra.com

  14. #14
    Payment Acceptance Expert jconley2's Avatar
    Join Date
    Aug 2000
    Location
    Charleston, SC
    Posts
    321
    I checked out the details. Looks good on browser compatibility and only costs a cool $99 compared to the $349 that VeriSign charges. I'll have to add them in on my SSL section.

    Thanks for posting EquiFax, nitecoder! Anyone interested in EquiFax's Digital Secure Certificates can find the page on them at:

    http://www.equifaxsecure.com/digital...bservcert.html

    To your success,

    Jim Conley II
    CEO/Founder - MerchantSeek
    Search FREE for a Merchant Account Provider based on your business needs and budget. We're your one stop information source on payment acceptance.
    Visit us at http://www.merchantseek.com

  15. #15
    SitePoint Enthusiast
    Join Date
    Sep 2001
    Location
    Michigan, USA
    Posts
    38
    Originally posted by nitecoder
    ...One thing to make sure of is that people can't get to your sign up page by typing an insecure URL into their browser, bypassing your https URL. You can get PHP to redirect to the secure URL when it sees someone accessing the page directly. But then that's a whole lot of stuff you didn't ask about - just trying to be helpful.
    Nitecoder,

    Can you throw me a bone on how to use PHP to make sure that it's using https? I searched the manual for something related to that and didn't see it. Maybe you have a snippet of code?

    Thanks,
    Dave
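
One way to do the redirect asked about above, as an added example that is not a reply from anyone in this thread. `CANONICAL_HOST`, `https_decision()` and `require_https()` are names chosen here; the check relies on PHP's `$_SERVER['HTTPS']`, which the web server sets to a non-empty value (other than `off`) for requests that arrived over HTTPS:

```php
<?php
// Added example. CANONICAL_HOST is an assumed configuration value: the one
// host name the certificate was issued for.
const CANONICAL_HOST = 'www.baddealings.com';

/** Decide what to do with a request, given $_SERVER. Null means "already HTTPS". */
function https_decision(array $server): ?array
{
    $https = $server['HTTPS'] ?? '';
    if ($https !== '' && strtolower($https) !== 'off') {
        return null;                        // encrypted already, carry on
    }
    $method = strtoupper($server['REQUEST_METHOD'] ?? 'GET');
    if ($method !== 'GET' && $method !== 'HEAD') {
        // The form data has already crossed the network in the clear. A
        // redirect would hide that, so refuse and let the broken form show up.
        return ['status' => 403, 'location' => null];
    }
    // Build the target from a fixed host, not the client-supplied Host header,
    // so the redirect can only ever point at this site.
    $path = $server['REQUEST_URI'] ?? '/';
    if ($path === '' || $path[0] !== '/') {
        $path = '/';
    }
    return ['status' => 301, 'location' => 'https://' . CANONICAL_HOST . $path];
}

/** Call before any output. Returns only when the request is on HTTPS. */
function require_https(): void
{
    $decision = https_decision($_SERVER);
    if ($decision === null) {
        return;
    }
    if ($decision['location'] !== null) {
        header('Location: ' . $decision['location'], true, $decision['status']);
    } else {
        http_response_code($decision['status']);
        echo 'This page must be requested over HTTPS.';
    }
    exit;
}

// First statement of signup.php:
require_https();
```

If TLS is terminated by a proxy or load balancer in front of PHP, `$_SERVER['HTTPS']` is not set on the back end and the test has to use whatever indicator that proxy is configured to pass along.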

