Msg#: 3879671 posted 10:07 pm on Mar 26, 2009 (gmt 0)
I've been searching Google and here for a while and haven't found what I'm looking for.
I've written a shopping cart for use with PayPal payments. I know it isn't necessary to use https as I won't be handling CC info, but for user experience would like the 'secure feeling'.
I have a free shared SSL with my host and have generated the keys/certs through cPanel.
I just haven't got a clue what to do with them. I can't find any tutorials from the host. I vaguely understand that the data is encrypted and decrypted somehow on the https page, but that's as far as I have got.
I've just refined my search while writing this as I am using PHP and found [uk.php.net...] so I will check that out. If anyone knows any good tutorials on the basics of using https please let me know.
Msg#: 3879671 posted 9:24 pm on Mar 31, 2009 (gmt 0)
I'm not sure I understand your question. If you're asking how to install your key & certificate, ask the key/cert provider. If you're asking how to make sure data is encrypted, that happens automatically once you get your key & certificate installed, and your visitors go to an https:// url. When they go to https://, the data is automatically encrypted in both directions, as long as you have a key & certificate installed.
But most of the time you want your visitors on plain, unencrypted http:// pages, because it's faster. Your server won't have to spend time encrypting the data, and the visitor's computer won't have to spend time decrypting it (and vice versa for data that goes from the user to the server). So on unimportant pages you should direct requests from https:// to the http:// counterpart. But for pages that should be secure, like credit card info, you should do the opposite, and redirect any http:// requests to https:// requests. Make sure it's impossible for the user to put in credit card info on a http:// page, even if they type the http:// address by hand.
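The rule in the reply above for pages that must be secure, as an added PHP example that is not part of the original posts: plain-http GET requests are redirected to https, and a form posted over http is refused rather than redirected. The function names and the base URL `https://shared-ssl.example/mydomain` are hypothetical, and the code assumes the server sets `$_SERVER['HTTPS']` on TLS requests.

```php
<?php
// Added example, not from the thread. Assumption: the server sets
// $_SERVER['HTTPS'] on TLS requests (Apache mod_php does); a proxy or
// shared-SSL front end may signal it differently, so confirm with the host.
function is_https(array $server): bool
{
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

// Returns ['action' => 'serve'|'redirect'|'reject', 'location' => ?string].
function secure_page_decision(array $server, string $secureBase): array
{
    if (is_https($server)) {
        return ['action' => 'serve', 'location' => null];
    }
    $method = strtoupper($server['REQUEST_METHOD'] ?? 'GET');
    if ($method !== 'GET' && $method !== 'HEAD') {
        // A form posted over http:// has already crossed the network in
        // clear text; a redirect would hide that, so refuse it instead.
        return ['action' => 'reject', 'location' => null];
    }
    // Build the target from the configured base, never from the Host header,
    // so the redirect cannot be steered to another site.
    $path = $server['REQUEST_URI'] ?? '/';
    if ($path === '' || $path[0] !== '/' || strncmp($path, '//', 2) === 0) {
        $path = '/';
    }
    return ['action' => 'redirect', 'location' => rtrim($secureBase, '/') . $path];
}

function enforce_https(string $secureBase): void
{
    $d = secure_page_decision($_SERVER, $secureBase);
    if ($d['action'] === 'redirect') {
        header('Location: ' . $d['location'], true, 301);
        exit;
    }
    if ($d['action'] === 'reject') {
        http_response_code(403);
        exit('This form must be submitted over https://');
    }
}

// Constructed sample requests; the base URL is a hypothetical placeholder.
if (PHP_SAPI === 'cli') {
    $base = 'https://shared-ssl.example/mydomain';
    print_r(secure_page_decision(['REQUEST_METHOD' => 'GET', 'REQUEST_URI' => '/checkout.php'], $base));
    print_r(secure_page_decision(['REQUEST_METHOD' => 'POST', 'REQUEST_URI' => '/checkout.php'], $base));
}
```

Call `enforce_https()` at the top of each page that must be secure, before any output is sent, and point the form's `action` at the https:// URL so the browser never submits it over plain http.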
Thanks. I was trying to use the free shared SSL cert from my host. It turns out you just need to link to pages with https://hostnamestuff/mydomain/ and didn't need to set anything up. Not sure why they didn't put this info anywhere on their site, I had to email support. I think I was trying to set up a dedicated SSL without buying one :/