 SSL Security Warning on Checkout Page?
PhoenixA
Starting Member

41 Posts

Posted - July 21 2004 : 09:19:39
Hi Guys,

We've had several customers recently email us asking about the security of our ssl checkout page as it is popping up a warning which says:

"You are about to be redirected to a connection that is not secure. The information you are sending to the current site might be transmitted to a nonsecure site. Do you wish to continue?"

This is a big problem for us and is costing us orders as customers don't understand about SSL and encryption and are put off by this warning. Does anyone know any way of getting around this? I suppose the ideal thing would be to have a separate database on the ssl server for saving the customers' payment information but even if that was set up it would still need to post back to the cart so the cart would know to save the order or not?? Any suggestions would be greatly appreciated. Thanks


jonmadrid
VP-CART New User

USA
192 Posts

Posted - July 21 2004 : 09:58:11
Hi Phoenix,

At what point (page name) is that error message coming up? That can happen as a result of several things but is often triggered when you are on an https page and the form you are submitting is going to an http page.

Are all your related config settings set properly?... i.e. with just the page name or with the full https:// in the address where needed.

-xcheckout (just a page name, no http or www)
-xpaymenturl (just a page name, no http or www)
-xssl (https:// full address)

Hopefully we can figure this out.

All the best,

Jon Madrid
--------------------
Madrid Communications
Web Design, Development, and Hosting
www.madridcom.com

PhoenixA
Starting Member

41 Posts

Posted - July 21 2004 : 12:55:41
Hi Jon,

Thanks for your help. When the customer goes to checkout after entering their address etc. and they go to https://www.mysecureserversite.com/sslshopcheckout.asp?oid=10000, they fill in their payment details and when they hit continue they get the security warning?? I've just used the ssl pages as supplied with VPASP which directs this page back to http://www.mysite.com/shopthanks.asp
Any help on this will be greatly appreciated as it is costing me a lot in missed orders.
Thanks


Cam
VP-CART Super User

Australia
361 Posts

Posted - July 22 2004 : 20:37:06
Hi there,

This is generally caused by having a link to an image on the main site with a full url that is not secure.

Do a view source of your check out page and do a search on http://. If you find any paths like this make sure you change them so they are https and move your images to your ssl folder.

If this isn't the problem a possible solution would be to simply purchase your own SSL certificate.

You can obtain very affordable ones now from places like www.instantssl.com.

Cheers,
Cam

*************************************
Cam Flanigan
YourVirtualStore Sales
e-mail:
http://www.vpasp.com/sales/shopcustcontact.asp
web: http://www.yourvirtualstore.net

Build your own YourVirtualStore!!!
www.yourvirtualstore.net
*************************************
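
The two causes named in the replies above (a form on an https page that submits to an http page, and an image or other resource referenced with a full http:// URL) can both be checked mechanically instead of by eye in "view source". The following is an added example, not part of the original thread and not VP-ASP code; the hostnames are constructed placeholders and `find_insecure_refs` is a hypothetical helper name.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
# Tag -> attribute the browser fetches automatically when rendering the page.
FETCHED = {"img": "src", "script": "src", "iframe": "src",
           "embed": "src", "input": "src", "object": "data"}

class InsecureRefFinder(HTMLParser):
    """Collect references on an HTTPS page that resolve to plain http://."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, resolved URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or empty action posts back to the page's own URL.
            self._check("form-post", tag, attrs.get("action") or "")
        elif tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            self._check("subresource", tag, attrs.get("href") or "")
        elif attrs.get(FETCHED.get(tag)):
            # Plain <a href> links are navigation, not fetched, so not listed.
            self._check("subresource", tag, attrs[FETCHED[tag]])

    def _check(self, kind, tag, value):
        # Relative and scheme-relative URLs inherit https from the page URL.
        resolved = urljoin(self.page_url, value.strip())
        if urlparse(resolved).scheme == "http":
            self.findings.append((kind, tag, resolved))

def find_insecure_refs(page_url, html):
    finder = InsecureRefFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample: hostnames are placeholders, page names are from the thread.
SAMPLE_URL = "https://secure.example/sslshopcheckout.asp?oid=10000"
SAMPLE_HTML = """
<img src="http://www.shop.example/images/logo.gif">
<img src="images/cards.gif">
<script src="//static.shop.example/validate.js"></script>
<a href="http://www.shop.example/default.asp">Back to shop</a>
<form method="post" action="http://www.shop.example/shopthanks.asp">
  <input type="text" name="cardnumber">
  <input type="image" src="images/continue.gif">
</form>
"""
if __name__ == "__main__":
    for kind, tag, url in find_insecure_refs(SAMPLE_URL, SAMPLE_HTML):
        print(f"{kind:12} <{tag}> -> {url}")
```

On the sample it reports the absolute http:// image and the form that posts card details to an http:// address, and leaves the relative and scheme-relative references alone because they resolve to https.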

PhoenixA
Starting Member

41 Posts

Posted - July 26 2004 : 03:43:59
Hi Cam,

Thanks for your post. We just used the ssl pages that came with vpasp and didn't add any pics etc., but I checked just to be sure and there are no urls on the page, so no http or https. Presumably when the page is being redirected back to the "This order has been processed" page on our site, the browser is picking up the http address as being non secure, as the ssl checkout pages are on a shared ssl server, not the server our site is on. So would our own ssl cert fix that, and if so how would that be set up? Obviously we couldn't have the whole site secure, so would it still not come up when it redirects back to the non secure part of the site, or would the url being a local url with http fix this? Thanks again for your help.


williamj
VP-CART New User

Canada
77 Posts

Posted - July 26 2004 : 12:04:26
I think this can be solved by using the sslshopcheckout.asp file instead of shopcheckout.asp

Just go to shop configuration and click on payments. Then in the xcheckout field replace shopcheckout.asp with sslshopcheckout.asp

I'm using version 4 but I suspect version 5 has a similar setting.


PhoenixA
Starting Member

41 Posts

Posted - July 27 2004 : 07:49:23
Hi williamj, Thanks for the suggestion but I actually am using the sslshopcheckout.asp file on a shared secure server. I'm going to take Cam's advice and buy an ssl cert from www.instantssl.com and hope this solves the problem. If anyone has any other suggestions do let me know though, as a free shared ssl is still better than paying for one, but I'm losing more in sales than it's worth as long as the security pop up keeps scaring customers away.


Cam
VP-CART Super User

Australia
361 Posts

Posted - August 02 2004 : 06:21:29
I would actually advise everyone to take advantage of the cheaper ssl certs on offer now as you should only ever access your admin through the ssl path.

GTM
VP-CART New User

USA
122 Posts

Posted - August 02 2004 : 15:14:25
Comodo, the ssl mentioned above, is very affordable and reliable. The price you're avoiding when problems arise from shared ssl.

www.instantssl.com


Greg





Cam
VP-CART Super User

Australia
361 Posts

Posted - August 02 2004 : 19:26:10
We use Comodo ourselves and it offers 128 bit encryption and is a fraction of the price of the other main certificates.

Much better value.

Thanks,
Cam


greatphoto
VP-CART Super User

USA
304 Posts

Posted - August 02 2004 : 20:51:58
quote:

I would actually advise everyone to take advantage of the cheaper ssl certs on offer now as you should only ever access your admin through the ssl path.
...



Certainly anyone accessing their admin pages should do so through SSL, but they don't have to purchase an SSL cert to do it. SSL certificates are meant to do two things: 1) encrypt data, and 2) authenticate that the recipient of the data is really who they say they are. If a shop administrator doesn't need SSL for his customers (perhaps they don't have customers enter sensitive info such as credit cards because they use another service for that?), then the administrator only needs data encryption, which can be done for free.

The normal full process of getting an SSL cert entails making a public and private key and then getting the certificate "signed" by a signing authority such as Verisign, Thawte, Comodo, etc. It is the signing of the certificate that normally costs you money, and it is the signing that certifies to your customers (via browser recognition of the signing authority) that you are who you say you are.

However, if you are only using the SSL for your own secure access to your own store, then you already know that you are who you say you are. You only need the encryption part of the package, which you get for free when you make the public and private keys yourself. If you make the keys and install them on your server, but don't pay to get them "signed," then anyone connecting to your site through SSL will get a warning from the browser saying the signing authority is not recognized by the browser. That would scare customers away if you tried to have them use your secure pages, but the premise to this discussion was that you didn't need secure pages for customers. If you are a store owner who is just using SSL for your own secure admin login, then you can live with the browser warning.


Cam
VP-CART Super User

Australia
361 Posts

Posted - August 02 2004 : 22:49:56
Thanks for the tip.

Are you talking about when you run your own server or for when you are using a remote web host?

Thanks!!
Cam


GTM
VP-CART New User

USA
122 Posts

Posted - August 03 2004 : 04:32:31
The secure server certificate confirms to a visitor's browser that the company represented by your domain is, in fact, the company listed in the certificate.

If you are encrypting the admin area of your site you can use a free ssl certificate. But, a secure web page to accept sensitive information such as the credit card number is a standard on the internet. Without the SSL certificate to make your web page secure, you are turning away potential buyers from purchasing products/services from your web site.

Greg



Cam
VP-CART Super User

Australia
361 Posts

Posted - August 03 2004 : 05:28:30
I realise that. What I was wondering was how you set up the free one you mentioned for viewing your own admin.

I thought you could only do something like that if you had your own server. If you could set this up with your host I am sure that would be a handy trick if you wanted to save $100.00.

Personally I would still stick with the paid and certified one but for those getting started this may help.

Cheers,
Cam


greatphoto
VP-CART Super User

USA
304 Posts

Posted - August 03 2004 : 05:47:25
Cam-

I'm talking about when you are running on a remote web host...in other words: the public version of your site.

On the public version of your site, if you aren't using SSL for your customers, you don't need a signed certificate and therefore don't need to pay for a signing service such as Comodo, Thawte, Verisign, GeoTrust, or even FreeSSL (which isn't really free). For 7 months I connected to the admin sections of my publicly hosted store securely before I purchased a certificate for my customers. At the time, I was taking credit card info over the phone, so I didn't need SSL for customers.

GTM did a better job of saying "The secure server certificate confirms to a visitor's browser that the company represented by your domain is, in fact, the company listed in the certificate." This is what I meant when I said that the signed certificate confirms "the recipient of the data is who they say they are." It tells your customers that your site truly represents your store and is not spoofed.

Certificate Authority companies such as Verisign and Thawte that use human effort to verify your information are more thorough in verifying your company documents to confirm that your company really exists and that authorized company representatives have requested the certificate for that specific domain. The cheaper automated certificates only confirm that you are the rightful owner of the domain, so they somewhat dilute the full purpose of the certificate. However, most customers won't know the difference because they aren't yet very savvy to spoofing. Until customers do understand the difference and demand better authentication to prevent spoofing, then merchants won't see a need to pay for it.




greatphoto
VP-CART Super User

USA
304 Posts

Posted - August 03 2004 : 05:50:36
GTM-

I completely agree that stores are expected to have SSL nowadays, and you may be turning away customers if you don't have it. However, if you aren't taking credit card or other sensitive financial information directly on your site, then you may not need it. Examples include:
-Credit card through a secure page hosted by your Merchant account gateway
-PayPal
-Credit card over the phone (similar to mail order)
-Check
-Money Order

