SSL - help a newbie :)

Discussion in 'Security' started by Philopoemen, Oct 4, 2008.

  1. #1
    Hey all,

    I'm a PHP programmer but I never had experience with eCommerce web-sites, thus no experience with credit card processing.

    Right now I need to make a small booking form which should be forwarded to a credit card processing gateway of a Bank (I have all the info).

    The thing is that I don't fully understand the way SSL works. Here is what I know: hosting provider should provide SSL 'access'. Through the cPanel I can generate a certificate using some key.

    What do I do next? How do I 'integrate' this thing with my current engine?

    P.S. Using PHP, hosted at HostGator.

    P.P.S. green rep to all helpers out there :)
     
    Philopoemen, Oct 4, 2008 IP
  2. royo

    #2
    You will need to buy an SSL certificate and attach it to your domain, which may require you to have a dedicated IP. Your host will generate a certificate signing request, which isn't really the SSL certificate.
     
    royo, Oct 4, 2008 IP
  3. Boulder

    #3
    Yes, talk to your host about buying and setting up an SSL for that domain name.

    After the SSL is active on your host and for that domain name you will need to make a few edits to the path settings in two osCommerce configure.php files.

    Boulder
     
    Boulder, Oct 4, 2008 IP
  4. Philopoemen

    #4
    Thanks.

    @Boulder: I'm not using osCommerce, the website has a unique PHP engine (developed by me also).

    I have different products on the website, and a "booking form". I was just thinking what should I change in booking process so that the information can be securely passed onto the CC gateway on the bank's website...
     
    Philopoemen, Oct 4, 2008 IP
  5. kailash

    #5
    Below are the steps to use SSL in your web site:

    [1] Generate a CSR (Certificate Signing Request) from the cPanel of your domain, or you can ask your host to create it on your behalf.
    [2] Once you generate the CSR, provide it to the SSL provider from which you want to purchase the SSL certificate.
    [3] Once you get the SSL certificate, provide it to your host. They will install it on your web site.

    Your site will need a dedicated IP address to install the SSL certificate. Once you install the SSL certificate on your domain, you should use https instead of http in order to send encrypted data.

    Kailash
     
    kailash, Oct 5, 2008 IP
  6. Philopoemen

    #6
    Hmmm... so let me get this straight. After my provider installs the SSL certificate, whenever I try accessing ANY page on my site via HTTPS instead of just HTTP, it will automatically be encrypted via SSL? There is nothing else I should do on the pages themselves, change any code and stuff like that? Simply access the pages via HTTPS?
     
    Philopoemen, Oct 5, 2008 IP
  7. C-Note

    #7
    Also make sure that on the page, any included files like CSS, images, etc. are also secured, rather than http, otherwise you will get SSL popup warnings.

    If you are using relative URLs, you should be fine.
     
    C-Note, Oct 6, 2008 IP
    Philopoemen likes this.
  8. kailash

    #8
    Yes, any data submitted over https will be transmitted in encrypted format. You do not need to modify the code. Also, as mentioned by C-Note, you should use https if you are using a hyperlink or CSS to point to your site, otherwise you will receive a warning. But if you are using the file name directly then there is no issue, like:

    <a href = "home.htm">Home</a>
    Kailash
     
    kailash, Oct 6, 2008 IP
    Philopoemen likes this.
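
The check C-Note and kailash describe above, as an added example that is not part of the original thread: it resolves each reference the way a browser would and reports anything on an HTTPS page that would still be fetched or submitted over plain http, including a form action such as the booking form's. The page URL, hostnames and sample HTML are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs whose URL the browser fetches or submits to. Plain
# <a href> links are navigation, not page content, so they are not checked.
# <link> is checked whatever its rel value is.
CHECKED_ATTRS = {
    "img": "src", "script": "src", "iframe": "src", "link": "href",
    "form": "action",
}

class InsecureRefFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, attribute, resolved URL)

    def handle_starttag(self, tag, attrs):
        attr = CHECKED_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value is None:
            return
        # Relative and //host URLs inherit the scheme of the page itself,
        # which is why they stay secure when the page is served over https.
        resolved = urljoin(self.page_url, value.strip())
        if urlsplit(resolved).scheme == "http":
            self.findings.append((tag, attr, resolved))

def find_insecure_refs(page_url, html):
    finder = InsecureRefFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; all hostnames are placeholders.
SAMPLE = """
<html><head>
<link rel="stylesheet" href="css/site.css">
<link rel="stylesheet" href="http://shop.example/css/print.css">
<script src="//cdn.example/lib.js"></script>
</head><body>
<a href="home.htm">Home</a>
<img src="/images/logo.png">
<img src="http://shop.example/images/banner.png">
<form action="http://gateway.bank.example/pay" method="post"></form>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in find_insecure_refs("https://shop.example/booking.php", SAMPLE):
        print(f"<{tag} {attr}> -> {url}")
```
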
  9. Philopoemen

    #9
    Great guys, thanks to you both. You really helped me a lot!
     
    Philopoemen, Oct 7, 2008 IP
  10. kpatelseo

    #10
    Hi Philopoemen

    For Cheap SSL Certificate you can check http://www.rapidsslonline.com. The certificate can be purchased in minutes and installed in seconds, they have 24 x 7 x 365 great support too.
     
    kpatelseo, Oct 16, 2008 IP
  11. sparek

    #11
    HTTPS will only encrypt the data as it passes over the wire. This is not to be confused with storing encrypted data.

    All a secure certificate will do is prevent someone from listening to your connection and reading the information as it passes from server to client.

    It does not store any data in an encrypted format.

    If you are storing credit card information you will want to use an encryption algorithm to encrypt the credit card information and store it some where (a database, a flat file, etc).

    SSL for HTTPS is still a basic requirement to be a reputable e-commerce site.
     
    sparek, Oct 16, 2008 IP
  12. Ladadadada

    #12
    I'd just like to add my voice to sparek's. An SSL certificate is only one part of a secure e-commerce website but it is a necessary part. A self-signed certificate is adequate for the encryption side of things but it doesn't inspire any confidence in your customers. All certificate authorities are essentially equal from your point of view so go for the cheapest/quickest one.

    If you store any credit card information you must make sure it is stored securely and this means encrypting it.

    Note that it is not adequate to simply encrypt the credit card numbers alone, even with a one-way algorithm like MD5. The CC numbers have so little entropy that MD5 encrypted CC numbers can be decrypted in a matter of days with a couple of decent machines. Quicker with a bigger cluster.

    When encrypting the CC numbers, make sure you add something to the number to make it more difficult to decrypt. The holder's name, issuing bank, expiry date, issue number and security code would be a good start.

    You should also have a policy on how long to keep the information for and how to securely store backups.
     
    Ladadadada, Oct 16, 2008 IP
    Philopoemen likes this.
  13. Philopoemen

    #13
    No, I will not store any sensitive data. I need the SSL just to pass the information to my bank's payment gateway, nothing more.

    But thanks for the help :)
     
    Philopoemen, Oct 17, 2008 IP
  14. macau2009

    #14
    Do you help people installing SSL? Please PM me.
     
    macau2009, Jan 3, 2009 IP