SSL, Shared SSL - What Gives?

[Guest Tintent]

I'm a little confused about this SSL thing. I know that my host includes a shared SSL but they say that this cannot be used with certain types of cart written in particular languages. I have seen reference to CC being one of these carts. However, the CC help pages suggest that a shared ssl can be used. Finally, I've seen quite a few mentions of big problems after ticking the box to turn on the ssl function in CC which kind of puts me off playing around with it.

At the moment, I think the only practical advantage of using ssl is that I could use Google Checkout. All the other payment modules I'm using don't need it. Therefore, is it worth worrying about at all? Is it possible I can use the shared ssl with CC or do I need more detail to know this? And finally, is there any other reason for using ssl that would justify paying for the certificate if I don't need it for my chosen payment modules?

Many thanks for any replies and sorry for my ignorance but this is sending me round in circles!!

Jamie.

[Guest hennaboy]

Another reason you may wish to consider using SSL is for customer safety value. If a customer has to enter any info then they are going to feel better if its in a secure enviroment.

We switched to SSL when we launched CC4 in January. This resulted in a significant decrease in dropped orders either at the registration / initial checkout page or just before payment gateway selection.

Our conclusion is that many people are worried about identity theft even when inputting their name and address and having these sections under a secure enviroment gives them more confidence in your business and website.

<Link deleted>

[Guest Brivtech]

Sorry, but I had to delete the link from the above post. Please be aware of forum advertising rules. If you want to discuss recommendations for where to buy SSL certificates from, please use Google, or cubecartforums.org.

[Guest lamina]

Stevie,

You mention changing the global.inc.php file - We have set up SSL without altering this and I have just checked that this is not mentioned in the KB article:

https://support.cubecart.com/index.php?_m=k...=24&nav=0,2

Unless I am looking at the wrong article - which could be very likely. :-)

As far as we are aware SSL is working just fine - just a little worried in case I have forgotten something.

That won't be the first or last time :-)

Richard

[Guest Tintent]

Thanks for the replies guys. I think I'm starting to understand it now!! Hennaboy - Although we've only been up and running a few weeks, the Google Analytics Stats are showing a drop off through the checkout process, so there could well be something in what you say!

As ever, more questions. My webhost says I need a dedicated IP to host the SSL Certificate. This (of course) costs more - albeit not much - their reasoning seems to make sense but I just wanted to make sure this is right? Second. The SSL certificates offered by the host are $99 (including free setup), this is a lot more than I have found the Rapid Certificates for. What are you getting for your money for such a huge difference in price, and are the Rapid Certificates as easy to install as is made out?

I really do appreciate the help. For info, we are currently using Paypal but aim to change this over to Worldpay over the next couple of weeks. I think this means that the expensive certificates aren't necessary, but from the replies received I think I should go for the cheaper option. That's providing a dingbat like me can install it easily enough!!

Cheers,

Jamie.

Sorry, one more!!

When navigating through my site using CC, it drops the www. from the address. Does this mean the SSL cert will need to be on the address without the www. or, can I change the navigation of the site to include www.?

When I read this back it looks a bit confusing. Sorry, I can't think of another way of putting it. Hope it makes sense!!

Ta,

Jamie.

[Guest Brivtech]

As ever, more questions. My webhost says I need a dedicated IP to host the SSL Certificate. This (of course) costs more - albeit not much - their reasoning seems to make sense but I just wanted to make sure this is right?

Most people use shared hosting, it's fairly cheap and does the job. When you run a SSL it requires a dedicated IP address, so that its key remains valid. Some good value SSL certificates offer a dedicated IP address as part of the bundle. I would consider shopping around, you don't need to get an SSL certificate from your current host to use it.

Second. The SSL certificates offered by the host are $99 (including free setup), this is a lot more than I have found the Rapid Certificates for. What are you getting for your money for such a huge difference in price, and are the Rapid Certificates as easy to install as is made out?

There are different levels of customer validation for SSL certificates, and this is reflected in the price (They can check your address, and more still, can verify your business credentials). However, this makes little difference to your customers who are shopping, they just need to know the site is secured, and the majority would be unaware that of the different levels of SSL company validation. On the other hand, your host may simply charge a lot of money. They could be buying from a supplier of a supplier, where the price is loaded up each time. Again, shop around, you are not tied to your host.

I think this means that the expensive certificates aren't necessary, but from the replies received I think I should go for the cheaper option. That's providing a dingbat like me can install it easily enough!!

There's no real reasons why you shouldn't go for the cheaper option. At the end of the day, you get a dedicated encrypted connection that your customers need to pay securely with.

I would just add, that you should look out for certificates with up to 256-bit encryption, rather than 128-bit encryption. I personally go for these, at about $30 a year and have a dedicated IP thrown in.

The setup process is straightforward - When you purchase the certificate, you enter in the domain details. The certificate is issued along with some other data that allows your existing host to switch to the dedicated IP address when you're entering SSL mode. The server update can take up to 48 hours depending on your host. You also get provided with a script that you can drop into your web pages that hows the SSL symbol with a validation link.

Whoever you get the SSL certificates from will be able to provide assistence with the setup process. It really isn't that difficult.

To answer your last question that I almost missed:

Does this mean the SSL cert will need to be on the address without the www. or, can I change the navigation of the site to include www.?

The SSL certificate will work with and without the www. - However, only for that level of your domain. If you want to use a subdomain (http://subdomain.domain.com), then you'll need something called a wildcard certificate that covers all subdomains, and is far more expensive, or point the SSL certificate to that instead. I don't bother with subdomains any more.

When navigating through my site using CC, it drops the www. from the address.

This is not normal - Have you programmed it this way? I would suspect a configuration setting hasn't been set quite right.

[Guest Tintent]

Is there a way to stop CC dropping the www. when navigating through the site? My concern is regarding a warning from the host saying that if an ssl certificate is set up on the address without the www. and some accesses using www. it will show a security warning. This is something I would prefer to avoid! I haven't set the site up this way deliberately.

Am I worrying about something that is likely to happen? I did read somewhere that CC will automatically redirect to the secure address. Will this stop the site navigation dropping the www.?

Sorry this thread has got so long. I hope it's of interest to others as well!!

Jamie.

[Guest Brivtech]

Is there a way to stop CC dropping the www. when navigating through the site?

As I mentioned, I think it's something wrong in your configuration. If you can post it up here, I may be able to spot any problems. Please do not post passwords.

My concern is regarding a warning from the host saying that if an ssl certificate is set up on the address without the www. and some accesses using www. it will show a security warning. This is something I would prefer to avoid!

How unusual. I can't say I've come across that before with any of the SSL certificates I've used.

I did read somewhere that CC will automatically redirect to the secure address. Will this stop the site navigation dropping the www.?

It will go to a "new domain":, being HTTPS, rather than HTTP. I can't see why if www is programmed into the SSL configuration as the target address, why it should omit it.

[Guest Tintent]

Hi Brivtech, I appreciate your patience with me. I'm going to test it further though by asking how to post my configuration.

I did notice in the root folder, I have a public_html file and a www file that look identical. Is this right? I have uploaded everything into the public_html file so I presume it has copied automatically.

The line I refer to in my hosts FAQ is below:

*Please also note that a certificate can only be set up for either https://www.domain.com

or https://domain.com. If a certificate for https://domain.com is accessed

through https://www.domain.com, it will give a security warning saying the name

does not match the name on the certificate. The certificate will still secure the data however.

Thanks once again!!

[Guest Brivtech]

Hmmm, this is most strange, and as such, may be outside of the scope of my help.

Your configuration settings are in includes/global.inc.php.

Specifically, can you copy and paste the lines that hold the $glob['rootRel'] and also the $glob['storeURL'] variables.

I don't actually know what version of CubeCart you're using. As soon as I know, I'll move this topic over to the correct section.

In regards to your response, it seems that the certificate your host wants to provide needs to be strict to whether it's withor without WWW - so I guess the choice is yours. When the site switches to SSL, it bypasses the normal domain settings, so even if you were running withour WWW, if you switched to a SSL with WWW, it should show as WWW.

There are other SSL certificate providers out there. Don't feel obliged to be loyal to your host, unless of course, they are family, friends, etc.

[Guest Tintent]

Thanks for all the comments folks. I got set up and it was remarkably pain free. CC support suggested staying with the www. version of my address. That done, it does automatically switch to the right version. There was an error in my config file. so it defaulted to the address without the 3w's.

Thanks to all!!

J.

[Guest Brivtech]

I told you!

Glad you got it sorted! ;)

[Guest Brivtech]

Here's a handy .htaccess fix that will turn domanis without the www into ones that have the www. It's useful for search engines so they don't dilute results over 2 domains (that are the same).

RewriteEngine On

RewriteCond %{HTTP_HOST} ^mydomain.com

RewriteRule (.*) http://www.mydomain.com/$1 [R=301,L]

If you're using the SEO MOD, then remove the "RewriteEngine On", and insert the rest of the above code straight underneath where the "RewriteEngine On" already exists in the .htaccess used for the SEO MOD.