
Webmaster General Forum

    
Strategy for SSL?
stu2




 
Msg#: 3552359 posted 8:12 am on Jan 19, 2008 (gmt 0)

Ok. I'm going to be developing a website which requires registration and sells things. All the sales items can be viewed without logging in but you'll need to be logged in to purchase. Purchases will be by PayPal and Credit Card. So I know I'm going to need an SSL certificate, which I've acquired.

I'm unsure on how I should implement the SSL. If I've understood the way things work correctly, I just need to link to my regular pages prefixed with "https://" instead of "http://". Correct? But what pages to secure? All logged in pages or just securing the registration, login, member updates, checkout pages?

I'm an SSL noob so any advice is welcome. Even if I haven't asked the questions yet :)

I see some sites put everything on a sub-domain like secure.example.com. Is this a good idea?

Is displaying the secure seal a good idea? How do you implement that when some pages are secured and some aren't? How to get the seal to show only on the secured pages? i.e. http:// and https:// display the same physical page? Does it matter if the seal is shown on an unsecured page?

 

rocknbil




 
Msg#: 3552359 posted 4:57 pm on Jan 19, 2008 (gmt 0)

> If I've understood the way things work correctly, I just need to link to my regular pages prefixed with "https://" instead of "http://". Correct?

Yes - but it's *just* as important to link to non-secure pages from the secure area. SSL pages are encrypted. This means before sending the data the browser uses the public key to encrypt the data before sending, and the server does the same thing in responding. So SSL pages are notoriously slow. In your template for the secure area, be sure to link back to [any_page...]

> But what pages to secure? All logged in pages or just securing the registration, login, member updates, checkout pages?

Any page that would potentially reveal sensitive information. One misunderstanding people seem to have is that you only need to submit to a secure URL, leaving their payment forms on non-SSL. This couldn't be more false. See above,

> the browser uses the public key to encrypt the data before sending

So if you have a form with credit card info to submit, the URL better start with https or you will be sending that data as clear text.

Login areas - follow other models. Link a page to "log in securely," unless every login leads to information that is sensitive in some way. Log in to a bank account, or some area that allows you to view and change personal details? Definitely. Log in to a forum? Nah.

> Is displaying the secure seal a good idea?

Recent discussion [webmasterworld.com]. You decide.

> How do you implement that when some pages are secured and some aren't? How to get the seal to show only on the secured pages? i.e. http:// and https:// display the same physical page?

Well, you should **not** allow anyone to get to a page that needs to be secure via non-secure http. This can be done with a simple redirect using mod_rewrite. Any request for a secure area that does not start with https gets redirected to https. So that takes care of that. :-) More info in the Apache forum.

> Does it matter if the seal is shown on an unsecured page?

No, it does not. It just advertises you've taken the time to secure the transmission of data where it's required.

However, some seals are loaded via JavaScript and may only load over https to verify the exact page you are on.
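
The mod_rewrite redirect described in the reply above, as an added example that is not part of the original thread. The hostname `www.example.com` and the path names (`register`, `login`, `account`, `checkout`) are placeholders standing in for the registration, login, member update and checkout pages from the question.

```apache
# Added example: hostname and path names are assumed placeholders.
# Works in the site's server/virtual-host config or in an .htaccess
# file at the document root (mod_rewrite must be enabled).
RewriteEngine On

# Only act on requests that arrived over plain HTTP.
RewriteCond %{HTTPS} !=on

# Only act on the areas that handle credentials, personal details
# or payment data. Everything else stays reachable over http://.
RewriteCond %{REQUEST_URI} ^/(register|login|account|checkout)(/|$) [NC]

# Redirect to the same path over HTTPS. The query string is carried
# over automatically because the target contains none of its own.
# The hostname is written out rather than taken from the request's
# Host header, so the redirect target is always the site's own name.
RewriteRule ^ https://www.example.com%{REQUEST_URI} [R=301,L]
```

The redirect only catches a request after it has already been sent, so a form that posts to an `http://` URL has transmitted its fields in clear text before the redirect happens. Links and form `action` attributes for these areas should point at `https://` directly, with the rule acting as a safety net for typed or stale URLs.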
