 SSL Security Warning on Checkout Page?

Cam
VP-CART Super User

Australia
361 Posts

Posted - August 03 2004 : 06:52:38
I actually missed the reply was from someone else. Sorry about that guys.

What I am curious about is how to create this free certificate to access the admin.

You are correct in that if you are not taking credit cards on your site you possibly don't need one. I may have been a bit sweeping in my comment about requiring one in all instances. Most but not all.

Lots of good points raised though.

Cheers,
Cam



*************************************
Cam Flanigan
YourVirtualStore Sales
e-mail:
http://www.vpasp.com/sales/shopcustcontact.asp
web: http://www.yourvirtualstore.net

Build your own YourVirtualStore!!!
www.yourvirtualstore.net
*************************************

GTM
VP-CART New User

USA
122 Posts

Posted - August 03 2004 : 16:55:15
Greatphoto, you have a very valid point: if there is no sensitive information being passed, then in most cases an SSL cert is not needed, and from the forms of payment and methods you listed I understand your reasoning.
Another great point is "Until customers do understand the difference and demand better authentication to prevent spoofing, then merchants won't see a need to pay for it." in which SSL establishes a trusted channel between the browser and server.

Cam, there are companies that offer free SSL digital certificates. I have purchased all of mine; as far as the free SSL goes, I would check that it enables you to secure your website and to keep information confidential.

free sourcecode
Bitflux free ssl
About internet ssl security



Greg







Edited by - GTM on August 03 2004 18:05:09

Cam
VP-CART Super User

Australia
361 Posts

Posted - August 03 2004 : 20:11:59
Nice one. Thanks for that.

As I said, we won't be using a free one ourselves, but it may be something other merchants may want to consider.

I thought by what was said that you could generate and install it yourself somehow and was very curious as to how this could be done.

Cheers,
Cam


greatphoto
VP-CART Super User

USA
304 Posts

Posted - August 03 2004 : 22:16:23
Hi Cam-

Sorry it took me a while to get back on here to give the answer, but I had to handle my day job first. :-)

It's actually really simple: You just use your web server software to create the certificate. The interface for the software varies according to the server, and you may have to ask your ISP support how to access it if you aren't hosting the server yourself. I provide a link at the end of this post for more details on many standard web servers.

The software prompts you for some basic information including your domain, email address, etc. Most or all of this becomes part of the certificate and will be visible to anyone who visits your site securely and inspects your certificate. The software generates a Private Key, Public Key (also known as a CSR or Certificate Signing Request), and a self-signed certificate (also sometimes known as a temporary certificate).

All three of these are stored in your web server and are used to enable the SSL connection. When someone visits your site and requests a secure connection via https, your server shares your Public key with their browser. Their browser uses this to encrypt the data to be sent back to your server. The process is called a "one-way hash" because the public key can only be used to encrypt the data - not decrypt it. Once it is encrypted, the data can only be decrypted using the Private Key which your server keeps secret and does not share with anyone.

The certificate is the part that validates to your visitor that your site is really owned by your company and is not being spoofed. Since anyone can create a self-signed certificate claiming to represent your site just as you did, the self-signed certificate is pretty meaningless. The only certificates that have value are the ones provided by a Certificate signing Authority (CA) after they verify that the information in the certificate is correct. However, if you are a store owner just looking for a secure way to connect to your own public server, you don't care who signed the certificate. You created the site and certificate yourself, and you likely trust yourself! ;-) So, you can just leave the temporary certificate in place on your server. When you connect securely to your server, you'll get a warning from your browser that the Certificate Authority isn't recognized by the browser, but you don't care since all you're after is data encryption.

After a while, your site might grow enough that you feel you do need a signed SSL certificate for your customers. At that point, you can apply with a Certificate Authority and give them your Public Key. In the context of applying for a signed certificate, your Public Key is known as a CSR or Certificate Signing Request. There are very specific guidelines on how to specify the domain name, so you may find that you need to rerun your web server's key generation software to get it just right, but that's no big deal as long as you update the public and private keys in the server.

Comodo has a page on generating keys that shows how to do it in a lot of different web servers. Check out this link:

http://www.enterprisessl.com/ssl-certificate-support/csr_generation/ssl-certificate-index.html?currency=USD&region=North%20America&country=US

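The three artifacts described in the post above, produced with the openssl command line instead of a web server's control panel (an added example, not part of the original thread; the host name admin.example.test and the server.* file names are placeholders). The checks show that a self-signed certificate is recognizable only by its fingerprint, which is what the site owner should compare when the browser warning appears.

```shell
#!/usr/bin/env bash
# Added example: private key, CSR and self-signed certificate via the openssl CLI.
# admin.example.test and the server.* file names are placeholders.

make_selfsigned() {  # $1 = output directory, $2 = host name for the subject CN
    # Private key: never leaves the server, so create it owner-readable only.
    (umask 077; openssl genrsa -out "$1/server.key" 2048 2>/dev/null) &&
    # CSR: subject plus public key, signed with the private key (goes to a CA).
    openssl req -new -key "$1/server.key" -subj "/CN=$2" -out "$1/server.csr" &&
    # Self-signed certificate: the same request signed with its own key.
    openssl x509 -req -in "$1/server.csr" -signkey "$1/server.key" \
        -sha256 -days 365 -out "$1/server.crt" 2>/dev/null
}

same_public_key() {  # $1 = directory; key, CSR and certificate must agree
    k=$(openssl pkey -in "$1/server.key" -pubout)
    r=$(openssl req  -in "$1/server.csr" -noout -pubkey)
    c=$(openssl x509 -in "$1/server.crt" -noout -pubkey)
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

is_self_signed() {  # $1 = certificate; true when issuer name equals subject name
    s=$(openssl x509 -in "$1" -noout -subject)
    i=$(openssl x509 -in "$1" -noout -issuer)
    [ "${s#subject=}" = "${i#issuer=}" ]
}

fingerprint() {  # $1 = certificate; SHA-256 fingerprint to compare out of band
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

trusts() {  # $1 = certificate you pinned as trust anchor, $2 = certificate presented
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d) && make_selfsigned "$d" admin.example.test &&
    echo "pin this fingerprint: $(fingerprint "$d/server.crt")"
fi
```

Run the script with the argument `demo` to generate one certificate in a temporary directory and print the fingerprint to record.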

greatphoto
VP-CART Super User

USA
304 Posts

Posted - August 03 2004 : 22:18:02
The one caveat to this is that I'm not certain that all web server software provides you with the self-signed certificate when it creates the keys. I know the HSphere control panel and Apache do it. If it turns out that your specific server software won't do it, then you can always download a free copy of Apache to create your keys and self-signed certificate.


GTM
VP-CART New User

USA
122 Posts

Posted - August 04 2004 : 03:27:02
Greatphoto, thank you for taking the time to explain about the certificates. One of the most important points is that you can generate your own certificate (called a "self-signed" certificate) or you can get a certificate from a Certificate Authority or CA. A certificate from a reputable CA guarantees that a website is associated with a particular company or organization.


Greg


greatphoto
VP-CART Super User

USA
304 Posts

Posted - August 04 2004 : 05:44:02
Ah. It suddenly dawns on me that you already know most of this and that the only reason you don't know about being able to create a self-signed certificate is that it's a separate step on some servers like Apache. The Certificate Authorities don't go out of their way to tell you that part because it just reveals you don't always need them.

I just discovered this web site from RedHat documentation that explains it well: http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/custom-guide/s1-installation-certs.html

It would have saved me a lot of typing if I had found it sooner. I hope I didn't go too overboard in my answer. Hopefully, it will help others who are new to SSL...if the good points aren't lost. ;-) Thanks for bringing them out, Greg.


Cam
VP-CART Super User

Australia
361 Posts

Posted - August 04 2004 : 06:56:12
Thanks GreatPhoto,

That went way beyond the call of duty. Much appreciated for the info!!

Cheers,
Cam


keng
VP-CART New User

152 Posts

Posted - August 05 2004 : 12:23:45
quote:

I completely agree that stores are expected to have SSL nowadays, and you may be turning away customers if you don't have it. However, if you aren't taking credit card or other sensitive financial information directly on your site, then you may not need it. Examples include:
-Credit card through a secure page hosted by your Merchant account gateway
-PayPal
-Credit card over the phone (similar to mail order)
-Check
-Money Order



Hi Greatphoto,
What do you suggest about my case? How do I secure/encrypt these pages using shared SSL? Does anybody know how or have any suggestions?

-I want to secure: shopcustregister.asp & shopcustomer.asp (pages where they register and put their name and address)
-my admin login page

I use Paypal as payment processor so I don't need to get SSL cert. But how do I protect those pages above? My hosting company provides me shared ssl. Thank you all!


greatphoto
VP-CART Super User

USA
304 Posts

Posted - August 10 2004 : 20:14:26
Hi Keng-

For your "admin login page," it would be sufficient to make a self-signed certificate as I described above. I don't really feel it's critical to protect "shopcustregister.asp & shopcustomer.asp (pages where they register and put their name and address)," since address and phone info really aren't that sensitive. They get sent in clear text in emails all the time. However, you may very well get some customers who do care, and it's a nice touch to protect those pages.

I'm not very familiar with shared SSL, except that I know it's often implemented differently with different hosting providers. I also know that the shared SSL certificate won't have your company name on it. Rather it will show the name of the hosting company you are using. To me, this could do more detriment than good for your situation. I think many customers that might not even care whether their name and address are encrypted will be confused and concerned with a certificate that appears to indicate you are a different company. It seems to me that shared SSL is a bit more complex to set up, but that may be dependent on the provider.

Anyway, if you are wanting SSL on the cheap, or almost free, I think you'd do well with http://www.freessl.com/starterssl/starterssl.html

At $39, it's hard to beat. I think there are cheaper certs available, but you'll need to check up on their browser recognition, etc.

I'm thinking about posting a general guide on important considerations for merchants in choosing an SSL certificate later.
