
Is SSL necessary? Confused


kgirl


Hi, I am a newbie so please bear with me. I am confused about securing my website.

My host does not support SSL (shared or dedicated). I am debating whether it is necessary to move to a host that offers SSL support. I know that shared SSL does not work very well with PrestaShop, so if I moved I would buy a certificate.

My question is: if my payments are set up to go through PayPal only, is it still necessary to have SSL set up for account logging on, checking orders, and so on?

How much of a risk would it be to leave the user login unsecured? I'm sure the host has a firewall/security setup.
As for the credit card processing security, that will be covered under PayPal's PCI regs.

The only other thing would be the non-secure error sent with emails that customers would get; is that because there is no SSL?

Please help, sorry for the silly question! Thank you in advance :)


Personally, no, I don't think it's necessary at all, BUT I know a lot of customers, especially from snobby countries for example, would think that you must have it and would shy away from your site if it didn't have it. So from a business perspective, yes, you definitely need it anywhere you can get it.


Thank you for your prompt response Bovill. I completely agree, it certainly would be better for increasing customer credibility and trust.

I was just trying to avoid the whole move to a different host, just because the user account would indicate to the customer it was not secure.

The PHP should also have a degree of security too, i.e. not like HTTP header authentication, and use of stripslashes, trim, etc. If that makes sense.

For the sake of the client, I will suggest moving host and buying a low-budget SSL cert, just to cover the account side; the rest of it will be taken care of by PayPal.

Have you had a chance to install an SSL cert? How did you find it? I know a few people who have had problems.

Thanks again! :)


Laws and regulations regarding the protection of your customer's information will vary. I believe that a dedicated SSL certificate is indeed a sign that you are a legitimate, serious business -- so I believe that it's a small and worthwhile cost.

Installing the actual certificate on the server shouldn't present any problems at all, but you'll need to be careful with regard to implementing it in your store, and make sure that any additional scripts, images etc. that you use are properly referenced (i.e. if they are external to your site, then make sure they use https when they are presented on a secure page).

Good luck!

Paul
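Two things in this thread can be checked mechanically before a store goes live: the original question about a customer login served without SSL (the login form would post credentials over plain HTTP), and Paul's point above that every external script, image or stylesheet on a secure page must itself be referenced over https, or the browser flags mixed content. The script below is an added example written for this thread, not code from the forum posters or from PrestaShop; it parses a page's HTML with the standard library only and lists both kinds of insecure reference. The page URL, host names and HTML in it are constructed for the example.

```python
"""Audit an HTML page for insecure references.

Added example, not part of the original forum thread or of PrestaShop.
Two checks:
  * mixed content: subresources (script, img, link, iframe) loaded over
    http:// on a page that is itself served over https;
  * forms (e.g. a customer login form) whose action posts to a plain-http
    URL, so whatever the customer types leaves the browser unencrypted.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Which attribute carries the URL for each element we care about.
URL_ATTRS = {"script": "src", "img": "src", "link": "href",
             "iframe": "src", "form": "action"}


class InsecureRefFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_is_https = urlsplit(page_url).scheme.lower() == "https"
        self.findings = []  # list of (kind, tag, resolved_url)

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        if attr is None:
            return
        raw = dict(attrs).get(attr)
        if tag == "form" and raw is None:
            raw = ""  # a form with no action posts back to the page itself
        if raw is None:
            return
        # Resolve relative and protocol-relative ("//cdn/...") URLs against
        # the page URL, then look only at the resulting scheme.
        resolved = urljoin(self.page_url, raw.strip())
        if urlsplit(resolved).scheme.lower() != "http":
            return  # https, data:, mailto: etc. are fine for this check
        if tag == "form":
            self.findings.append(("insecure-form-action", tag, resolved))
        elif self.page_is_https:
            # Only a secure page can have mixed content; on a plain-http
            # page every subresource is unencrypted anyway.
            self.findings.append(("mixed-content", tag, resolved))


def audit_html(page_url, html):
    """Return the insecure references found in `html` as served at `page_url`."""
    finder = InsecureRefFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample: a store login page served over HTTPS with one bad
# script, one bad image, a login form posting to plain HTTP, and several
# references that are fine (relative, protocol-relative and https).
SAMPLE_PAGE_URL = "https://shop.example/authentication.php"
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="/themes/default/css/global.css">
  <script src="http://cdn.example/jquery.js"></script>
  <script src="//cdn.example/tools.js"></script>
</head><body>
  <img src="http://img.example/logo.png">
  <img src="https://img.example/banner.png">
  <form action="http://shop.example/authentication.php" method="post">
    <input name="email"><input name="passwd" type="password">
  </form>
  <form method="post"><input name="search"></form>
</body></html>
"""


def run_sample():
    """Audit the constructed sample page; returns three findings."""
    return audit_html(SAMPLE_PAGE_URL, SAMPLE_HTML)


if __name__ == "__main__":
    for kind, tag, url in run_sample():
        print(f"{kind:22s} <{tag}> {url}")
```

Run it against the saved HTML of your own store pages (the login page and the checkout pages in particular) after switching the shop to https; anything it reports as mixed-content will trigger the browser's "not secure" warning that the first post worries about, and an insecure-form-action on the login page means the move to SSL has not actually protected the account login.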


If you use a 3rd party payment gateway such as PayPal or Google Checkout, it's not necessary to install an SSL certificate on your own store site unless you want the payment gateway to feed payment transaction info back to your store site after the order has been completed, because in this case the customer simply selects his/her product(s) at your store site, logs in (or signs in) to check out and is then redirected to the 3rd party payment gateway to complete the purchase; all important financial info is processed in the customer's payment gateway account. This is why the PrestaShop team should implement the important feature - one page checkout, where the customer can check out without login or sign-in - into PrestaShop for this matter. The current version of PS is a way outdated pattern for online ecommerce in this respect.

However, in case you do want to process customers' financial info on your store site, such as transaction callbacks from the 3rd party payment gateway, then it is necessary to have an SSL cert installed on your site, which usually requires having a dedicated IP on your site. Many web hosting providers do ask you to pay for the dedicated IP for the SSL cert, which costs extra on top of your hosting plan, so make sure you ask if this dedicated IP is included in your hosting plan before you sign up, since this may sometimes double or triple the cost of your hosting plan. Of course, if the PrestaShop team in the future allows shared SSL to be implemented on PS, you won't need to purchase the dedicated IP for SSL, and that will make life even easier for many of us because many web hosting providers do offer free shared SSL with their hosting plans.

In summary, you can either have no SSL installed on your store site and leave all financial transactions to be processed in a 3rd party payment gateway such as Google Checkout or PayPal, or have a dedicated SSL installed on your site if you do have customers' financial info kept on your site.


If you use a 3rd party payment gateway such as PayPal or Google Checkout, it's not necessary to install an SSL certificate.


Google Checkout requires SSL, otherwise their gateway will not work; basically it's only PayPal that you are safe with not having an SSL cert on your website.

If you use a 3rd party payment gateway such as PayPal or Google Checkout, it's not necessary to install an SSL certificate.


Google Checkout requires SSL, otherwise their gateway will not work; basically it's only PayPal that you are safe with not having an SSL cert on your website.


You're absolutely wrong on this. PrestaShop currently has 3 payment gateway modules: PayPal, PayPal API and Google Checkout. The PayPal API module requires the store site to have SSL set up, otherwise it doesn't work. On the other hand, the PayPal and Google Checkout modules don't require SSL certificates installed on your store site unless you set up a callback to your store site in the gateway account, e.g. if you set up the XML callback link in the Google Checkout account but don't have an SSL cert installed on your store site, you'll get error messages about callback failures once Google Checkout has processed an order and sent the transactions back to your store site. You can simply leave the filling box blank for the XML callback link, i.e. not require Google Checkout to send transaction info back to your store site but leave all transactions in the Google Checkout account, which has everything you can do for the order transactions, including sending shipping info to the customer, archiving transactions, etc. In this case, your store site simply acts as a product display site where customers select products to proceed to purchase, but all purchases are completed in the payment gateway account. My current PS site is set up just in this way without a dedicated SSL installed and everything works fine, because customers don't need to input any important financial info on my store site. For this matter, one-page checkout and shared SSL features allowed in the future PS version would be very handy and convenient for me to have the callback function enabled in Google Checkout, and for a lot of PS users who set up their stores in this way, so I hope the PS team can implement these 2 important features in a near-future version, because my web hosting provider does offer free shared SSL.

Let's put it this way: I would strongly recommend anybody who is considering Google Checkout to do it properly.

It is in Google's terms and conditions that you have to have an SSL cert with no less than 128-bit encryption.

'(A) Handling of Data. Your Checkout Integration must be designed to store, handle, and transmit Checkout Data securely. In general, the Checkout Integration must only transmit data with a protocol no less than 128-bit SSL encryption. As to the transmission of Checkout Data directly to the Google Checkout servers, the transmission must be done in a manner at least as secure as the protocol being accepted by the Google Checkout servers. "Checkout Data" means data that is transmitted between the Checkout Integration and the Google Checkout servers in connection with the Checkout API, including without limitation Google Checkout transaction data.'

Google does check new merchants to see if they conform to their T & Cs.

Secondly, if you do not have the callback to the website, how can you keep accurate records of stock control and client records?

When I mentioned PayPal not needing an SSL cert I was not including PayPal API, or I would have included it in the thread.


  • 4 weeks later...
I am thinking of using the Credit Card v2.05 offline module, Bank Wire module and the Cash on delivery COD module.

My plan is to buy a certificate, but for these modules is it necessary?

Any advice would be greatly appreciated


It would be very wise and very necessary to do it for this module, otherwise the information to your server could be compromised and that would be a disaster for you also.

Comodo do a range of SSL certs, see here: http://www.instantssl.com/

I would not do self-signed certificates for credit card transactions; one of the reasons is that the certificate will probably not be recognised by the browser and will be off-putting to the buyer.

Normally your ISP will provide good-quality, affordable SSL certs.

The other solution that you have not mentioned is shared SSL, and again for credit card transactions I would not use this method; also, sometimes it's hard to implement in a shopping cart. I have not tried it in PrestaShop.

Also, you will need a permanent IP address for your website to implement an SSL cert, and you have to pay your ISP for that as well.


  • 10 months later...

Update on shared SSL.

As far as I am aware, shared SSL is no longer PCI compliant. Security Metrics told me that it would be disappearing, and I presume that has now happened, as I have a site which uses shared SSL and it is now failing PCI compliance tests.


I don't register or buy anyplace online that requires me to give personal info (name, address, etc.) if it doesn't use SSL.

Personally I think it's a "must have" for any ecommerce site, if only to give customers peace of mind that their personal info is secure.


I agree

  • 1 month later...
Personally, no, I do not believe it's essential in any respect, BUT I understand lots of clients, particularly from snobby nations for instance, would believe that you simply should have it and would shy away from your website if it didn't have it. So from a company viewpoint, yes, you certainly require it anyplace you can get it.


There is nothing snobby about PCI compliance, especially if you are taking payment manually and processing it through a terminal.
