Jump to content

SSL Certificate


Guest Tom S

Recommended Posts

Guest Brivtech

SSL ensures that transactions your customers make from your store are properly encrypted. Otherwise, your customers details may be intercepted over the internet for other people to use. Your customers wouldn't like that much! */*

Link to comment
Share on other sites

I noticed there was an option in CubeCart for an SSL, do I need to pruchase an SSL certificate... Will CubeCart not be secure otherwise?
It depends to gateway you use. All is about sensitive data like Credit Cards data. Some sites used shared SSL which belongs to host company mainly and you dont need to purchase it. Dedicated one is related to YOUR domain name only and you have to purchase it.

Its a good investition to purchase SSL certificate anyway because of customers "trust".

Link to comment
Share on other sites

I noticed there was an option in CubeCart for an SSL, do I need to pruchase an SSL certificate... Will CubeCart not be secure otherwise?

It depends to gateway you use. All is about sensitive data like Credit Cards data. Some sites used shared SSL which belongs to host company mainly and you dont need to purchase it. Dedicated one is related to YOUR domain name only and you have to purchase it.

Its a good investition to purchase SSL certificate anyway because of customers "trust".

Oh ok yes I think my sahred server offers says that I have 2 SSL certificate's available, so do I enable one of these and then just follow the prompts in CubeCart... IS there anything I need to do to set it up? I have a few domains assocaited on my shared server account, does the SSL certificate work for all of these? or only one website...
Link to comment
Share on other sites

Guest shereen

listen, save yourself some potential headache. if you do decide to go with the SSL, which is what i did (shared ssl) and would highly recommend it if you are an e-commerce site, do NOT follow the cubecart instructions to put only half your website under ssl while leaving the other half under the public www domain. do yourself a favor and just put your entire store under ssl (both the index and cart pages). you will avoid going through a nightmare. and do NOT enable ssl in your cubecart admin control panel--agghhhh!!!! you can put your entire store in your host server's ssl folder and not worry about enabling any ssl function in the cubecart admin control panel.

best wishes.

--s--

http://www.splashgearusa.com

Link to comment
Share on other sites

listen, save yourself some potential headache. if you do decide to go with the SSL, which is what i did (shared ssl) and would highly recommend it if you are an e-commerce site, do NOT follow the cubecart instructions to put only half your website under ssl while leaving the other half under the public www domain. do yourself a favor and just put your entire store under ssl (both the index and cart pages). you will avoid going through a nightmare. and do NOT enable ssl in your cubecart admin control panel--agghhhh!!!! you can put your entire store in your host server's ssl folder and not worry about enabling any ssl function in the cubecart admin control panel.

best wishes.

--s--

http://www.splashgearusa.com

Hey thanks for the info! Where does CubeCart talk about SSL and enabling it? I can't seem to find that in my documentation...
Link to comment
Share on other sites

Guest shereen

here you go: https://www.cubecart.com/site/helpdesk/inde...;kbarticleid=24

i followed these instructions and it got me nowhere. i ended up just doing what my host server company tech told me to do and that was to put the entire store under ssl. don't know about your case, but in my case it apparently was NOT server intensive to put the entire store (ALL of the files) under shared ssl.

best wishes!!

--s--

Link to comment
Share on other sites

I have just created my e-commerce website using CubeCart. Please tell me, which is the recommended way- shared SSL or dedicated SSL. How much does it cost typically to buy a dedicated SSL?

How do I enable the SSL (shared or dedicated) within CubeCart?

Link to comment
Share on other sites

Guest shereen

shared ssl is free (at least through my host company). shared ssl means that you are sharing the secure server w/other websites (a common server). i could not get a dedicated ssl b/c i do not have my own server. i think if you purchase your own server then you are able to get a dedicated ssl that is not on the common server w/everyone else.

so, shared ssl should be fine if you trust your host company's dedication to security.

as for cubecart, no, you do not need to enable ssl in the admin control panel at all! just do not enable it b/c your entire store will be under ssl (including all the admin and all the index files and all the cart files)--all of your entire store is no longer in the www folder but in the ssl folder: "ssl/store/..." instead of "www/store/..."

it'll make sense once you see the file structure.

i think the theoretical reason why one would enable ssl in the cubecart admin control panel is only if some of one's files (the less sensitive index files) are still in the public www domain, or folder; while the more sensitive files (ie, the cart files which contain e-mail addresses, mailing addresses, names of customers, etc) are in the secure ssl folder.

as long as you move your entire store from the www folder to the ssl folder, then the ssl enabling feature becomes obsolete in the cubecart admin control panel.

according to the cubecart instructions, you are not supposed to put the less sensitive, index files under ssl b/c it is more "server intensive". this is an issue you may need to ask your host company about. however, when i was having this nightmare of a problem, my host company simply suggested that i don't bother to split the store (half in www and half in ssl), but instead to put the entire store in ssl and apparently it is not server intensive for them. so, it works just fine.

you can tell which pages of your store are secure (under ssl) and which aren't by the presence or absence of the gold-colored padlock in the periphery of your browser. if the padlock is there and in the locked position, then that specific page you are viewing is under ssl; if it's not there at all, or it's there and is in the unlocked position, then that specific page you are viewing is not under ssl but is in the www domain.

hope this helps.

best wishes.

--s--

http://www.splashgearusa.com

Link to comment
Share on other sites

Guest KGBelectronics

I was thinking if you're using a secure payment gateway, do you still need to use an SSL certificate?

Hi Tom,

Gateways, like PayPal, Paymate etc will redirect your customers to a secure site (under SSL) so you don't need (read as not ABSOLUTELY necessary) it for that. However, (there's always a but) customers seem to get a "warm and fuzzy" feeling when they are protected by SSL so it's good for business.

Shared certificates will mean that your domain name gets hidden after your hosting servers name and that tends to concern some customers, the alternative is an individual SSL cert which means extra cost and a fixed IP. It's up to you if you think it's worth it. (I do!)

I'm actually finallising mine right now, take the advice offered above and don't enable SSL via CubeCart or you'll end up going down a messy path.

Cheers

Ken

PS If you still can't get rid of the Tax problem send me an email via here with your contact details and maybe I can look at it for you.

Link to comment
Share on other sites

Guest shereen

(sorry, i wrote my message below before knowing of KGBelectronics' message ;) )

I was thinking if you're using a secure payment gateway, do you still need to use an SSL certificate?

you may want to confirm the following information for accuracy:

there are two separate issues here: 1. if your cubecart store is secure; 2. if the payment gateway is secure.

some people (like me) contract with a payment gateway to handle credit card transactions. the way it works is that my customers will actually leave my site and be transferred to the site of the company which will ask for credit card number, security code, and expiration date, etc. no financial information whatsoever is kept on my site, all i have are informational pages as well as the cubecart "cart" files, which are the e-mail subscription, account registration, and shopping basket files. so, theoretically, i don't really need to have ssl for my site since there is no financial information kept at all. however, b/c i do have personal customer information (addresses) and b/c i know it's an excellent marketing tool for today's e-commerce, i opted to make my site ssl to give my customers peace of mind. even though i do inform my customers that they do get transferred to a 3rd party for the credit card transaction (i inform them for the sake of transparency), i still feel it's a nice idea to give my customers peace of mind that i'm taking steps to secure their personal information as well.

...i don't remember now if the 3rd party gateway has its own ssl, or if it still relies on my ssl to cover it...i think that the 3rd party gateway has its own ssl and that page is secure on its own, irrespective of what my merchant site is. you'll have to confirm this point. if so, and if this is the way you are going, then i would think you would not need your own ssl.

now, there are other folks who do take credit card information directly on their site. they do not have their customers transfer out of their site to a 3rd party. instead, those merchants will have code included in their pages that will allow their customers to provide that merchant with direct credit card information. the merchant then transfers all that information to the 3rd party gateway. in this case, i don't believe there is the issue of a "secure payment gateway" b/c the payment gateway happens to be the (cubecart) merchant site itself. in THIS case, i think it would behoove the merchant to make sure their site is under ssl. so, yes, you would want ssl.

if you are using the host company's ssl, then you do not need a certificate at all. i do not use a certificate (one of the payment gateway techs erroneously informed me that i needed to have and use their company's ssl certificate; but that is not true b/c the 'certificate' i'm using is my host company's ssl).

things may be different at your end. if i were you, i'd talk w/your hosting company to find out if a] they offer you an ssl (shared of dedicated); and b] how to use it or if it's automatic; or c] if you need to use your payment gateway company's certificate. if you go to my site, you'll see that as soon as you get to the index page (the homepage), you are already in a secure environment. i do not need to show any certificate or use any code for any certificate. it's just automatically on a secure server with my hosting company as i placed my store in the ssl folder and not the www folder.

i sure hope this helps, and forgive me if i've inadvertantly provided incorrect information. you may need to ask more specific people. i'm relaying to you what i know based on my own experiences.

best wishes.

--s--

http://www.splashgearusa.com

Link to comment
Share on other sites

Thanks for assistance.

How do I display the gold-colored padlock icon? I get a warning message instead stating that you are going to a secure webpage.

All the credit card details are done by an internet gateway payment company and customers are re-directed to their website.

I guess I need SSL for my website for my customers at least as a shared type, which is crucial when they log-in to their account. I am planning to use a shared SSL of my host company. In the case of shared SSL, what does the customer/buyer types in as the URL address. Does that change or is it just the default www.yourdomainname.com?

Thank you.

Link to comment
Share on other sites

Guest shereen

How do I display the gold-colored padlock icon?

you don't. the browser does this automatically when it detects a secure page (ie, one that uses "https://" or something similar). so don't worry about getting this on your site, this will happen automatically once you have a secure site. non-secure sites do not display the locked padlock; secure sites do display the locked padlock.

I get a warning message instead stating that you are going to a secure webpage.

exactly!!!! that's what i kept getting when half of my site was in ssl and the other half was in www. so, in order to avoid this completely, you need to put your entire site in ssl. once you do that, then you will no longer get that warning message. at least that's what happened in my case.

In the case of shared SSL, what does the customer/buyer type in as the URL address. Does that change or is it just the default www.yourdomainname.com?

unfortunately that did change in my case. you may want to talk to your hosting company to find out more, but in my case, my domain name is "www.splashgearusa.com". this is of course the www public domain name. once i put my store under ssl, the domain name naturally changed to "https://splas004.secure.omnis.com/..." the "https://" part signifies the site is secure ("http" is not a secure site); the "omnis.com" site name is my hosting company (b/c i'm using their ssl) and they automatically generated my site's secure domain name which is "splas004.secure". i was not able to use "splashgearusa" anymore. however, this ended up not being such a problem for me, luckily, b/c i had already designed a 'welcome' page before the visitor gets to my homepage. the welcome page/file i kept in my www folder and is not secure and i'm still able to use "http://www.splashgearusa.com" for that page/file. then once the visitor clicks on that logo on that welcome page, they get redirected to the secure "https://splas004..." cubecart homepage/index page and there is no pesky warning message.

again, you may need to talk to your hosting company to see how they do it or you may need to look into alternatives or maybe find out how to purchase a new domain name for your secure site(???).

...an idea occurred to me. you may want to design your own public page that utilizes your current domain name, but then it automatically redirects visitors to the secure store. i'm not sure how you would do that. it would basically be the same concept as my welcome page, but come to think of it, it happens quite a bit that one visits one site and that page will automatically redirect one to another page. so, you may want to try and figure out how to design a page that can automatically redirect people to your (new) secure url. or even have them click a hyperlink to get them to the secure site (as i did). just a thought.

hope that helps.

--s--

http://www.splashgearusa.com

Link to comment
Share on other sites

It seems to me that there may be a bit of misinformation in some of the above posts.

There are 2 reasons to use SSL.

First is to protect the data that is being transferred between your visitor's computer and your website's server. Second is to give your customer a feeling of security.

Using a shared SSL certificate requires that your domain be replaced by the host's domain in the browser's address bar, and that tends to lose a number of customers, as they fear that their purchase is being hijacked by another company.

Sometimes the same is true when we send our customers to a 3rd party payment processor like PayPal. Even though WE know it's safe doesn't mean our customers know that. Getting my own merchant account was one of the best things I did for my business. Sales jumped at least 50% immediately.

Many customers are just as concerned about their personal details like email addresses, passwords, and so forth. Our church just did a photo directory, and over half the members DID NOT want their names and addresses to be posted to the church's website. And that was even after they knew that it would be in a password protected area available only to other members. A lot of people are paranoid, and as merchants we just have to deal with it.

The default CubeCart usage of SSL is standard and will not cause any problems IF your SSL certificate is installed properly and the setting in the admin panel are correct.

For a server hosting a bunch of unpopular sites, it's no big deal to place the whole site under SSL, but for a busy server, encrypting the whole site is overkill and inefficient, potentially crashing the server so that no-one can access anything. Kind of like how speeding can make you later if a cop pulls you over to give you a ticket. Many webhosts are overselling their servers in these days of ultra-cheap hosting, so you have to be careful of this.

Installing a SSL certificate specific to your domain isn't a difficult thing and any server adminstrator can do it for you.

In the tech area, I consider myself an "advanced amateur" since I am not afraid to follow directions that take me into technical areas, but would not be able to figure a lot of things out for myself. Yet, I was able to install my own SSL certificate to my VPS (virtual private server) and everything worked great right out of the gate, with only 1 small snag since I entered the wrong directory info into the CC admin panel.

For those on shared hosting, just ask your server administrative staff to install the SSL cert. Once that's done, test it out by accessing some of your normal pages with https:// in the URL and see how it works. When you see the pages coming up normally even under SSL, you're ready to enable SSL in CC.

Link to comment
Share on other sites

Guest shereen

The default CubeCart usage of SSL is standard and will not cause any problems IF your SSL certificate is installed properly and the setting in the admin panel are correct.

the cubecart instructions allow for both shared and dedicated ssl to be used/enabled. for the record, i did exactly everything in the instructions and i still could not get the shared ssl to work when i enabled it in the cubecart admin. i put in the correct root url and everything else it asks for in the admin panel, and it just never worked properly when i enabled it.

if other people have gotten it to work, then kudos to them. i know i'm not the only one, but i found an alternative that works. just sharing my info for what it's worth.

--s--

http://www.splashgearusa.com

Link to comment
Share on other sites

Thanks for all the help.

For AlanT, could you please tell me which dedicated SSL certificate did you bought it from. How much did it cost.

In my PC, a padlock does not appear even if I am in a secure website. However, I do get a warning message on panel window that you are about to be going on a secure website. How do I display the lock on IE? I know it should appear automatically, but for someon it doesn't occur in my pc even with using the defualt settings?

Link to comment
Share on other sites

I'm still confused in one area, I tested my domain by typing https, and it resolved to my page no probs. But customers will just type http, so do I need to put a redirect on the http page? that re-directs to https... IS this the normal procedure?

Link to comment
Share on other sites

@JRz: I got my SSL cert from http://www.rapidssl.com. I used the 30 day trial cert to test myself and my server first (it's free) before making the purchase. I think I spent about $70 for a 2 year certificate. (When you do the trial version first, you get a discount on the 'real' one.)

@Tom: Typing in the https:// is only a matter of testing the system. When CubeCart is set to use SSL, it will handle the redirection on it's own any time the customer needs to access a secure page, such as the login page or all checkout pages.

The only 'problem' that I found was that after a customer logs in, they are redirected back to the homepage, which is unsecure and IE gives a warning about being redirected to an unsecure page.

For anyone with a CPanel server and wanting to install the certificate yourself, note that installing through CPanel itself did not work on my system. I had to access WHM (WebHostManager - The CPanel server administration software) and do it from there. I think the instructions from RapidSSL mentions this.

Link to comment
Share on other sites

@Tom: Some of them DID say that, although I feel that it is incorrect advice.

It's better to make sure the SSL certificate gets installed correctly and only protect those pages that need protecting, as CC does when the SSL feature is activated.

My reasoning is this. First, almost no-one is going to type the https:// when going to your site. Most of the time when I type a URL, I just type the www part and let the browser add the http:// part.

Second, depending solely on web traffic where the secure URL is in place limits the number of people you can serve.

Third, forcing your visitors to click a link on your home page to get to the secure shopping area adds one more place where you'll lose customers. (Studies have shown that every click you add to the process, you lose about half your potential customers.)

And fourth, if you're on a busy server that gets lots of traffic, encrypting every page can possibly overload the server and crash it, at which point you'll lose everyone who tries to access your site at that time.

All in all, it's just better to do things the right way.

Link to comment
Share on other sites

Thanks Alan, that's what I thought. My server also said that the reason the customer gets a message that they are entering a secure site, is becuase that's a wildcard certificate. They said I would need to get a new IP for $1 and then an SSL certificate (a new one) for $70 a year. Do you think it's worth it so customers don't get the secure alert box all the time?

Link to comment
Share on other sites

Guest shereen

hi, tom, yes, there are lots of opinions in this thread and you will need to fish through and figure out what works for YOU in your case.

alant is suggesting that a merchant get their own server and purchase their own certificate. that's one way of doing things--certainly not the only way of doing things.

tom, if you can have your own ip and your own server and get your own ssl certificate, then you may want to try alan's strategy.

however, for the rest of us who have no problems going with the shared ssl manner, then i would suggest you not enable the ssl in cubecart (if you are doing shared ssl).

there is really only one way for you to find out. go ahead and enable ssl in cubecart and see what happens. if it works fine for you, then great! no problem, you can do that and live with it. for some of us, it didn't work. i tried and tried and tried and just could not get it to work. but you won't know until you try yourself.

so, to each his or her own. do what works for YOU.

by the way, if you do want to do a redirect page, it's only ONE click. if your customers are too lazy to do ONE click, then maybe they're not worth your while. i seriously doubt you will lose customers if they need to make one click. my stats show that my site has travelled around the world and i get several hundred hits per month (may not be much, but i just started) and i've made both national and international sales. obviously the redirect/welcome page is not an obstacle. ALSO, serious customers will end up bookmarking your homepage/index page or forwarding that on to friends, and they may never go through the redirect page again. i can confidently say that most of my cutomers and visitors learned about my company through word of mouth or a friend.

so, again, do what you think is best in your situation, but don't let other people scare you.

--s--

http://www.splashgearusa.com

Link to comment
Share on other sites

@Shereen: I think you misunderstand me. You don't have to have your own server in order to have your own SSL certificate. A merchant can have their own SSL certificate even on a shared hosting environment. I think the problems you had regarding the use of the shared certificate were due to the server administrators not installing it correctly, which was out of your hands. Without knowing the specifics, however, that is only conjecture.

Now that the subject of a dedicated IP address comes up, I recall something about that being necessary in order to install the SSL certificate, but even that is possible on a shared hosting server. A single server can have many different IP addresses assigned to it.

In my situation, I have a VPS, which is between a shared host server and a dedicated server. In essence, there are about 20 accounts on the server I use and I only pay $50 a month for the space. From my perspective, it's the same as having a small server to myself, but not as expensive. Great when you need to have a special Apache module installed for a piece of software.

For most people, this is overkill, and the main reasons I went this route were security, stability, and cost. With a dozen domains that I run, this is cheaper than a dozen accounts at $5 per month, and I have plenty of space for a dozen other accounts. And the company I use has redundant EVERYTHING, so it's almost impossible for the server to crash.

@Tom: You kind of have to judge that one for yourself. Most customers won't move from secure page to unsecure page and back to secure again too often, so the annoyance factor won't be too great. For that, I expect that it would depend mostly on the type of products you sell and the type of customers you attract.

A wildcard certificate is one that is assigned in a generic situation, kind of like a dealer plate on cars. There's no way to identify exactly what company it represents. Browsers want to have a fixed identity associated with the SSL certificate, or they throw up the red flags.

The bottom line is this: Will the presence of a dedicated SSL certificate increase your conversions enough to be profitable? Most merchants that have purchased their own seem to agree that it does. I know that when I got mine and the merchant account, my sales went up dramatically, so they were VERY profitable.

Beyond that, it's only a matter of making sure the certicate gets installed correctly, and then the proper entries made within CC before enabling the SSL mechanism.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...