
17 posts

Geek
+1 received by user: 7


Topic # 180868 24-Sep-2015 13:13

Hi all, I have been reading through the posts on SSL certificates, which only confused me more.
I run a website with PayPal as checkout. I recently swapped hosting providers from ipage (they seriously suck) to freeparking (had no problems so far).
While I was with ipage I tried to get an SSL cert installed, which failed, and ipage caused all sorts of problems trying to install it. Long story short, I moved to freeparking.
However I do worry that I should have SSL??? They seem really expensive for the 'good' ones. I am not up to installing it myself if I got one, so freeparking will sell me it and charge me $39.95 to install it, and then there is a $5 monthly fee as well from memory.
Do I need it?
Would you shop from a store that doesn't have it but uses PayPal to process payments?
All comments would be appreciated.

BDFL - Memuneh
59412 posts

Uber Geek
+1 received by user: 10621

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 1393504 24-Sep-2015 13:16

Yes, and no. If you are not doing the transactions yourself (PayPal is) then I wouldn't worry too much.

If you do have things such as login, and store personal details, then an SSL cert is just one of the things you'd have to worry about.





2499 posts

Uber Geek
+1 received by user: 927

Subscriber

  Reply # 1393529 24-Sep-2015 13:25
One person supports this post

If I have to, or can, create an account on the site for purchasing purposes, I would expect it to support https. If there is no login/personal details and all payment is handled by PayPal or some other trusted external provider, I probably wouldn't care.




Windows 7 x64 // i5-3570K // 16GB DDR3-1600 // GTX660Ti 2GB // Samsung 830 120GB SSD // OCZ Agility4 120GB SSD // Samsung U28D590D @ 3840x2160 & Asus PB278Q @ 2560x1440
Samsung Galaxy S5 SM-G900I w/Spark

 
 
 
 


379 posts

Ultimate Geek
+1 received by user: 176


  Reply # 1393530 24-Sep-2015 13:26

We have just sent some info to our customers regarding SSL. If you are hosting the payment page then this is relevant for you.

Last year there were a significant number of merchant data breaches globally, and the Payment Card Industry Security Standards Council (PCI SSC) and the Card Schemes (Visa/MasterCard etc.) determined that SSL and early TLS versions were no longer suitable for secure online transactions. The card schemes have now mandated specific rules around the use of SSL and TLS. The key messages for businesses selling products online are:

  • Secure Sockets Layer (SSL) can no longer be relied on to protect payments data
  • If you own an e-commerce website you need to ensure Transport Layer Security (TLS) is running at a minimum version 1.1, but ideally version 1.2.

I hope this helps. I'm not an expert on this, just passing on the info, but if you have any questions I might be able to help :)

gzt

9261 posts

Uber Geek
+1 received by user: 1320


  Reply # 1393595 24-Sep-2015 14:11
One person supports this post

There are a fair number of very small tech stores with non-https login for shopping cart and ship details. I have purchased if the price is right, but it is kind of unprofessional compared to the small cost of a certificate. In addition most people now think there is something wrong if the padlock icon is not there during login or part of the transaction. You could be losing customers on that score.

13451 posts

Uber Geek
+1 received by user: 2275

Trusted
Subscriber

  Reply # 1393609 24-Sep-2015 14:22

I would not put any personal or financial details into a non-encrypted website. Let's Encrypt may make this easier in a few months, and a free CloudFlare plan can either do it properly or do part of the job in a way that looks like it's done properly. The halfway solution isn't good enough for financial or personal details though.




AWS Certified Solution Architect Professional, Sysop Administrator Associate, and Developer Associate
TOGAF certified enterprise architect
Professional photographer


BDFL - Memuneh
59412 posts

Uber Geek
+1 received by user: 10621

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 1393611 24-Sep-2015 14:24

As I mentioned, the SSL is only one part of a whole security thing. It protects the information while in transit from the browser to your server. It does not protect your server, it does not protect your database, etc.

Security is a lot more than SSL only.




gzt

9261 posts

Uber Geek
+1 received by user: 1320


  Reply # 1393663 24-Sep-2015 15:23

Yes, the SSL certificate padlock is a false security in many cases.

13451 posts

Uber Geek
+1 received by user: 2275

Trusted
Subscriber

  Reply # 1393681 24-Sep-2015 15:52

I design solutions for a living, for government and big business. Security is often a significant fraction of the effort for a project. For a small solution I designed recently, a couple of man-years of work, security drove the network and solution design. If security wasn't an issue it would've taken half as much time, so you could say security was 50% of the effort. SSL just protects information in transit from browser to server; you may need to secure inter-server communications (database, LDAP, general communication) and data at rest (encrypted database, encrypted disk, encrypted database columns). You need to consider the OWASP top ten, client-side security, and protecting against rogue staff. You may have to do penetration testing to ensure your servers are protected - for the simple application I mentioned earlier we paid a security firm around $20K for that testing.

Security is complex. There are people whose entire job is security, either as a security architect or at an infrastructure level.








17 posts

Geek
+1 received by user: 7


  Reply # 1393686 24-Sep-2015 15:58

Ok, so I don't host the payment page but do have an area for customers to put their details.
Freitasm, what would protect the database? Server... Is that my host freeparking? Sorry, I'm completely out of my knowledge base here. 😳
Point taken with regard to the SSL certificate providing false security, but probably worthwhile doing for customers' peace of mind.
I just looked at the link timmmay, but yes, they are not available yet.

Thank you all for taking the time to reply, by the way. 👍🏼👍🏼



17 posts

Geek
+1 received by user: 7


  Reply # 1393692 24-Sep-2015 16:12

Timmmay, just looked at the OWASP top 10... way over my head lol
I get the gist of it all, but in no way does it seem attainable for a small startup business.

BDFL - Memuneh
59412 posts

Uber Geek
+1 received by user: 10621

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 1393705 24-Sep-2015 16:22

The basic stuff on the server side: make sure your server is always fully patched up, if you use some CMS always have it on the latest version, and make sure your system does not store passwords in plain text (people tend to reuse passwords, so if someone breaks into your database they will have emails, usernames and passwords that can be tested against other services such as Internet banking, Amazon, Twitter, Facebook and so on).

If you can spend $20 a month put your service behind Cloudflare since they offer a WAF (Web Application Firewall) that will stop some threats (but not all).







13451 posts

Uber Geek
+1 received by user: 2275

Trusted
Subscriber

  Reply # 1393706 24-Sep-2015 16:24
One person supports this post

The best option for a small business is to use a hosted solution that deals with everything for you. You probably shouldn't be getting web hosting and installing things; you should be buying access to a platform that lets you sell whatever it is you want to sell - PaaS / platform as a service. If you get web hosting and maybe download some open source software, there's a lot that can go wrong security-wise.

With the solution I described above the original vendor said they'd put it through security testing, found problems, and fixed them. When we had our own vendor (the $20K place) take a look they'd broken into it and had full database access within two hours of starting their assessment. Not good. And this is version 4 of a platform, AFTER it had been through at least a few rounds of security testing.

Apache mod_security is another web application firewall, it's free but REALLY quite complex.
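One concrete form of the "do not store passwords in plain text" advice given a few replies up, as an added example that is not from any of the posters or from the forum: store a salted, iterated PBKDF2-HMAC-SHA256 hash (Python standard library only) instead of the password, and verify with a constant-time comparison. The record format and the iteration count are assumptions for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example; raise the round count as hardware gets faster.
PBKDF2_ROUNDS = 600_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record "pbkdf2_sha256$rounds$salt_hex$hash_hex".

    A fresh random salt per user means two users with the same password get
    different records, so a stolen table cannot be cracked with one
    precomputed lookup, and the round count makes each guess expensive.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return "$".join([ALGO, str(PBKDF2_ROUNDS), salt.hex(), digest.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored parameters and compare in constant time.

    The parameters travel with the record, so old rows keep verifying after
    PBKDF2_ROUNDS is raised for new ones; malformed rows simply fail.
    """
    try:
        algo, rounds, salt_hex, hash_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        n_rounds = int(rounds)
    except ValueError:
        return False
    if algo != ALGO or n_rounds <= 0:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, n_rounds)
    # hmac.compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(digest.hex(), hash_hex)


def needs_rehash(record: str) -> bool:
    """True if a stored record uses fewer rounds than the current policy."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != ALGO or int(parts[1]) < PBKDF2_ROUNDS
```

Call `needs_rehash` after a successful login and re-store the password with `hash_password` when it returns True, so the whole table migrates to the current round count over time.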








17 posts

Geek
+1 received by user: 7


  Reply # 1393756 24-Sep-2015 17:50

ok thanks guys, I will look into all these options.

1480 posts

Uber Geek
+1 received by user: 360


  Reply # 1393768 24-Sep-2015 18:40
One person supports this post

https://www.startssl.com

Any good?

956 posts

Ultimate Geek
+1 received by user: 346
Inactive user


  Reply # 1393769 24-Sep-2015 18:44

MadEngineer: https://www.startssl.com

Any good?


Yep, no complaints and the "certmaster" is responsive to queries/problems.

Can't complain for free yearly certs really
