
Thread: SSL-Encryption

  1. #1
    Veteran Enthusiast DAMON's Avatar


    Join Date
    Nov 2004
    Posts
    6,468

    SSL-Encryption

    Hey DD,

    I'm currently working an internship for 6 months working for a company that sells welding equipment. They've opened an online webshop for hobbyists around a year ago, but as it stands it's costing more money than it's earned. That's where I come in. It's my job to analyse the website and try to improve it so that this problem will go away. One way of doing this is to inspire more confidence in the users, which is what I'm working on right now. In Holland there's a company whose sole purpose is to see if a webshop is trustworthy. If they find it is, they are allowed to use their seal of approval on the site, which brings a lot of credibility with it. There are, however, a lot of requirements your site has to meet before you are allowed in. That's where the problems start.

    While I've taken care of pretty much every other requirement, it is required that every page dealing with the user's personal information is SSL (or likewise)-encrypted. I don't do a whole lot of coding, and this is as it stands beyond me. I do, however, have the backing of a professional webdesign bureau to take care of the coding for me. They're not completely horrible, but I'd get better results hammering a seal's balls than letting them work unsupervised.
    The problem is as such: the webshop was never designed with SSL-encryption in mind. The guys over at the design bureau are saying that it'd be a hell of a job working SSL-encryption into the order/checkout pages, and that it'd cost a lot of money for them to do so. Apparently they'd have to separate those pages from the rest of the site in order to properly encrypt them. Meaning that the option to have them do it is out. My boss wants to try and slip the fact we don't have encryption under the radar, but I'm 100% positive we will be rejected on these grounds.

    So I'm thinking that maybe, with a lot of time and effort, I can add an SSL-encryption myself. There are, however, a few problems:
    -I have no idea how to add SSL-encryption.
    -I have no idea how to personally access the server (I work through a shitty CMS), though perhaps I could pry loose this info.
    -I have no idea how the website actually works internally (as I said, I work through a CMS to update it).
    So obviously it's not going to be easy for me.

    My question to you is: Do you think it'd be at all possible for me to pull this off? If so, how the hell do I SSL-encrypt anything?

    TL;DR: Need to SSL-encrypt a few pages of a webshop, don't have a clue how to, what do?

  2. #2
    Obsessed Veteran Adam's Avatar



    Join Date
    Nov 2004
    Location
    UK / England
    Posts
    17,271

    Re: SSL-Encryption

    It really depends on the site itself; without seeing it, it would be hard to make a judgement on the complexity.
    Some things which would factor into how complex the job would be are:

    - How well the site is put together,
    - What language the site is programmed with on the backend.

    Essentially using SSL protection you would have an additional folder on the server, this folder is protected by the encryption. All the files you want to protect reside within this folder.

    Now sadly it's not as simple as that. The problem with HTTP and HTTPS is that if you have session information stored on HTTP, as soon as you move to an HTTPS area you've lost it. So you need some way of telling a secure area what your information is from where you've come from. On the systems I've worked on, normally when you go to a secure page, HTTP posts an ID, normally the basket ID or cart ID, and HTTPS can grab that POST request and use it to pull information back from the database to repopulate any session data as needed.

    This would be very tricky to try and do if you don't have too much experience in this area.
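
The handoff described in post #2, as an added example that is not part of the original thread or the shop's code: the HTTP side posts an ID and the HTTPS side uses it to reload the basket from the database. As a hardening choice of this example, the posted ID is a random, short-lived, single-use token rather than the raw basket ID; the table names, function names, sample basket and the in-memory SQLite database are all assumptions.

```php
<?php
// Added example; every table, function and ID name here is hypothetical.
declare(strict_types=1);

// In-memory SQLite stands in for the shop's real database (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE basket_items (basket_id TEXT, sku TEXT, qty INTEGER)');
$db->exec('CREATE TABLE handoff (token_hash TEXT PRIMARY KEY, basket_id TEXT, expires INTEGER)');

// HTTP side: issue a random token for the basket and store only its hash.
// The checkout form posts this token to the HTTPS page.
function issue_handoff(PDO $db, string $basketId, int $now, int $ttl = 300): string
{
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare('INSERT INTO handoff VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $basketId, $now + $ttl]);
    return $token;
}

// HTTPS side: redeem the token once, then rebuild the basket from the database.
function redeem_handoff(PDO $db, string $token, int $now): ?array
{
    if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return null; // malformed input never reaches the query
    }
    $hash = hash('sha256', $token);
    $db->beginTransaction();
    $stmt = $db->prepare('SELECT basket_id FROM handoff WHERE token_hash = ? AND expires >= ?');
    $stmt->execute([$hash, $now]);
    $basketId = $stmt->fetchColumn();
    $db->prepare('DELETE FROM handoff WHERE token_hash = ?')->execute([$hash]);
    $db->commit();
    if ($basketId === false) {
        return null; // unknown, expired or already redeemed
    }
    $items = $db->prepare('SELECT sku, qty FROM basket_items WHERE basket_id = ?');
    $items->execute([$basketId]);
    return $items->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data: one basket, redeemed twice to show single use.
$db->exec("INSERT INTO basket_items VALUES ('b-1001', 'WELD-ROD-2.5', 3)");
$token = issue_handoff($db, 'b-1001', time());
var_dump(redeem_handoff($db, $token, time()));
var_dump(redeem_handoff($db, $token, time()));
```

Once the basket is rebuilt on the HTTPS side, the new session cookie should be set with the Secure flag so the browser never sends it back over plain HTTP.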

  3. #3
    Veteran Enthusiast DAMON's Avatar


    Join Date
    Nov 2004
    Posts
    6,468

    Re: SSL-Encryption

    I'm a bit reluctant to post the website, as my employer may not appreciate the "negative" light this may shed on the website, but to hell with it. I'm working on http://www.eweld.eu.
    There's not much data that needs to be transmitted, only the basket and its contents. Users don't log in with accounts or anything like that, and for online payment they're sent over to different sites like Paypal or iDeal (a Dutch initiative).
    I have no clue what the site is written in on the back-end, which I suppose is a showstopper for this plan, then.
    Would it be possible to use PHP to post the contents of the basket in a GET to the secure part of the site through the url?
    Or would it be possible to use superglobals to do the work? I'm assuming that these also get wiped, so no, but I might as well ask.

    Perhaps this is a very stupid question, but wouldn't it be possible to just dump the entire site into the secure folder, thus removing the HTTP/HTTPS switchover altogether?

  4. #4
    Obsessed Veteran Adam's Avatar



    Join Date
    Nov 2004
    Location
    UK / England
    Posts
    17,271

    Re: SSL-Encryption

    It looks like the site is written in php.

    Quote Originally Posted by DAMON
    I'm a bit reluctant to post the website, as my employer may not appreciate the "negative" light this may shed on the website, but to hell with it. I'm working on http://www.eweld.eu.
    There's not much data that needs to be transmitted, only the basket and its contents. Users don't log in with accounts or anything like that, and for online payment they're sent over to different sites like Paypal or iDeal (a Dutch initiative).

    If this is the case and you're not holding credit card information and you're merely sending customers to a third party checkout, then SSL secure isn't really required, as security is handled on the payment gateways. However, saying that, lots of websites use SSL on their sites just for making it look more trustworthy.

    Quote Originally Posted by DAMON
    Perhaps this is a very stupid question, but wouldn't it be possible to just dump the entire site into the secure folder, thus removing the HTTP/HTTPS switchover altogether?

    Yes you can. However, some of the drawbacks are listed here:

    http://www-uxsup.csx.cam.ac.uk/~jw35/co ... l/x183.htm

    So you're left with:

    Don't use https,
    Https the entire site,
    Https the members area only.

  5. #5
    Veteran Enthusiast DAMON's Avatar


    Join Date
    Nov 2004
    Posts
    6,468

    Re: SSL-Encryption

    The users do fill in their personal details like address, postal code and name on our website. The organization we're trying to become affiliated with mandates that even these details are sent securely to ensure the safety of personal information.

    The downsides to dumping it all on HTTPS don't really seem that egregious.

    I read about OpenSSL in that document, is that entirely free? Is it trustworthy?
    Also, is it possible to have proper SSL encryption without a commercial CA? We're on a very tight budget and saving a couple hundred bucks is a nice win. (The budget is the reason an inexperienced intern like me is handling SSL encryption in the first place).

  6. #6
    Obsessed Veteran Adam's Avatar



    Join Date
    Nov 2004
    Location
    UK / England
    Posts
    17,271

    Re: SSL-Encryption

    Quote Originally Posted by DAMON
    The users do fill in their personal details like address, postal code and name on our website. The organization we're trying to become affiliated with mandates that even these details are sent securely to ensure the safety of personal information.

    I read about OpenSSL in that document, is that entirely free? Is it trustworthy?

    Sadly I'm not too familiar with OpenSSL, the only thing I've come across with OpenSSL is it's needed to be installed on a server when using Paypal's IPN gateway.

    Quote Originally Posted by DAMON
    The downsides to dumping it all on HTTPS don't really seem that egregious.

    Well, you'd have to consider things like bandwidth usage. There's nothing major, but valid considerations.

    Quote Originally Posted by DAMON
    Also, is it possible to have proper SSL encryption without a commercial CA? We're on a very tight budget and saving a couple hundred bucks is a nice win. (The budget is the reason an inexperienced intern like me is handling SSL encryption in the first place).

    You can buy a standard cheap SSL cert which is self signed, i.e. it's signed by your own server as opposed to a third party.

    http://www.namecheap.com/learn/other-se ... icates.asp

    The problem with that is the browser will fire out a warning "SSL Error" or something, I can't remember the phrase, but you have to add an exception. You still get the security, but each customer will need to add an exception, not great. So you may have to fork out for a third party SSL to prevent this.

    My knowledge in this area is quite limited, I've only ever set up one SSL cert, which is self signed.

    Another point of reference :- http://www.webhostingtalk.com/ there'll be people there if you need proper support with SSL setups.

  7. #7
    Veteran Enthusiast DAMON's Avatar


    Join Date
    Nov 2004
    Posts
    6,468

    Re: SSL-Encryption

    I'm entirely lost on how to set this up on the server (I've not actually gotten access to the server yet, but I'm educating myself just in case I do).
    I've looked at some online tutorials, but for a novice it seems rather daunting. Lots of command-line work involved. Though I really can't assess how I'd go about this without knowing how the server works on the back-end.

  8. #8
    Obsessed Veteran Adam's Avatar



    Join Date
    Nov 2004
    Location
    UK / England
    Posts
    17,271

    Re: SSL-Encryption

    Indeed you would need root level access to start. If the server has WHM (Web host manager) installed there is a basic setup guide and GUI to help. But by the looks of it that website isn't on a server running WHM.


 
