Using SSL / options, ideas and what not…
- This topic has 15 replies, 3 voices, and was last updated 13 years ago by Louis.
November 9, 2011 at 1:12 pm #4723 Louis (Member)
So, I am trying to figure out the best way to use SSL with this cart.
First off, I am fully aware that for PayPal transactions, SSL is not a necessity. Thank you. Let’s move on…
Here are three options, and I need advice, pros and cons etc…
1) I can run/redirect the whole site through SSL, via an apache rewrite rule, and it makes things easier to set up, as you don’t have to worry about using relative or full paths etc… although you need to watch out for any pictures that link via external http on certain plugins.
Downside, there is some handshaking so it does slow things down a bit, so if you have a very busy site, might not be the best option… but, technically, it looks good, customers might feel safer, and I think that it would work great with the eMember plugin.
2) I can force the Checkout Page ‘only’ to go through https/SSL via a rewrite rule in apache. I ran into issues with this option, when using Digital Product Variations.
3) A bit ‘like’ option 2)/above, I can simply set up the Checkout Page url only, to go through https/SSL, but this time, in the cart setting options, like the following for example:
Checkout Page: https://www.the_shop_that_sales_ferraris.com/shop/
Now, in this scenario, should Return URL and Cancel URL go through https/SSL as well? And what else should and should not go through https, to avoid getting errors in certain browsers?
What about the download validation script: http or https?
There isn’t much info on setting up the cart with SSL, what do you guys think?
Would be good to have a SOLID STICKY on SSL.
November 9, 2011 at 3:49 pm #38303 wzp (Moderator)
I use the Force SSL plugin and run my site in SSL 24/7…
November 9, 2011 at 4:34 pm #38304 Louis (Member)
Thanks for the link, I already knew about this plugin. I saw your site btw, very nice.
Personally, I am trying to avoid adding extra plugins as much as possible.
If you are interested in a neat rewrite rule, here is one for the .htaccess, the following will take care of everything:
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.themagneticlouis.com/$1 [R=301,L]
Thing is, I’d still like to discuss options 2 and 3 if possible, as I would be offering video previews – speed is very desirable.
November 9, 2011 at 5:45 pm #38305 wzp (Moderator)
Unless you are doing the actual payments processing on your site, or your buyers live under oppressive forms of government, the use of SSL is more of a “feel good” for the buyer.
So, assuming we are only doing this for the feel good effect, SSL on the thank you page only would be appropriate. I wouldn’t use SSL for the cart checkout page, unless it had its own dedicated page; because of mixed content issues. SSL would not be appropriate for the download script, unless you want all your download streams to use SSL.
If video download speed is your concern, you might consider hosting the content on Amazon S3 and using the Lightbox ultimate plugin.
November 9, 2011 at 6:22 pm #38306 Louis (Member)
Yes I understand, thank you. I agree. The thing is, I got a package that came with SSL, as an anticipation, just in case the site becomes very popular, and I suddenly become rich and famous overnight… while setting things up, it’s always good to have SSL in place for what I call “phase 2”. Meanwhile, since I already have it, I think I should use it, so at the same time I can learn a bit from it.
You said something that caught my attention;
1) yes, the cart would have a dedicated page, but are you saying that it is possible to have a cart without a dedicated page? If so can you give me an example?
2) I am actually browsing the forum, since this morning, trying to learn a bit about the “Thank you page”, as I have tested a Paypal cart a few years ago, which had a dedicated section for setting up the “Thank you page”, so I am looking into this at the minute.
As far as Amazon is concerned, yes, I am fully aware and will most likely give it a go, BUT, I really need/want to separate content from products, so, I definitely keep the content on the site.
For the download script, again, ideally, I might want to use SSL, so I will have to look into it.
I have read about “mixed content”, i.e. http coexisting with https on the same page, and that’s why I raised the questions above.
The good thing about SSL, is that it also protects from possible spies, and hackers somehow, at different levels.
An http link could be intercepted more easily than https.
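Added example, not part of the thread and not WP eStore code: a small Python check for the mixed-content problem raised in the posts above (http subresources on a page served over https). The page URL, domains and HTML are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a subresource.
# <a href> is navigation, not mixed content, so it is not listed.
FETCH_ATTR = {"img": "src", "script": "src", "iframe": "src", "video": "src",
              "audio": "src", "source": "src", "embed": "src",
              "object": "data", "link": "href"}
# Active content can change the whole page; modern browsers block it.
ACTIVE_TAGS = {"script", "iframe", "embed", "object", "link"}


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # e.g. rel=canonical is never fetched
        value = attrs.get(FETCH_ATTR.get(tag, ""))
        if not value:
            return
        # Resolve relative and protocol-relative (//host/...) URLs.
        absolute = urljoin(self.page_url, value)
        if urlsplit(absolute).scheme == "http":
            severity = "active" if tag in ACTIVE_TAGS else "passive"
            self.findings.append((severity, tag, absolute))


def find_mixed_content(page_url, html):
    """Return insecure subresources of an HTTPS page; [] for an HTTP page."""
    if urlsplit(page_url).scheme != "https":
        return []
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings


# Constructed sample: a checkout page on a placeholder shop domain.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/wp-content/themes/shop/style.css">
<link rel="canonical" href="http://shop.example/checkout/">
<script src="http://cdn.example/jquery.js"></script></head><body>
<img src="http://images.example/thumb.jpg">
<img src="//images.example/logo.png"><img src="/uploads/cart.png">
<a href="http://shop.example/products/">Back to products</a>
</body></html>"""
```

Relative and protocol-relative URLs inherit the page's https scheme, so only the two absolute http:// subresources are reported.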
November 9, 2011 at 6:43 pm #38307 wzp (Moderator)
Here’s your example…
http://www.tipsandtricks-hq.com/ecommerce/wordpress-estore-plugin-demo-175
In this case, the cart is on the same page as the products.
Here’s the Thank You page information…
http://www.tipsandtricks-hq.com/ecommerce/wp-estore-instant-digital-product-delivery-499
As for using SSL with the download script, I would only recommend it if (1) you have the server performance to handle it or (2) you are delivering downloads to buyers who live in a high risk environment, like China.
If you have specific security or privacy concerns you’d like to discuss, please feel free to drop me a line…
November 10, 2011 at 2:30 pm #38308 Louis (Member)
Thank you for the links. I see what you mean about the cart being on the same page as the product(s).
I did see the thank you page set up in the end, so the short code takes care of it then.
I received a serious WARNING from PayPal IPN, so will have to look into it (will see if there is another post for that or start a fresh one).
As for the download script and SSL, will have to look into this as well. Thanks for the tips. Any ideas on how to check for server performance easily?
Did you try the rewrite rule?
November 10, 2011 at 6:28 pm #38309 Louis (Member)
More tips on SSL, I mentioned this somewhere else.
IMPORTANT to note that Amazon S3 has some limitations with SSL.
You cannot use secured downloads/SSL (https instead of http) as well as CNAME redirections:
your_subdomain.your_domain.com/folder/product.zip
INSTEAD OF
your_subdomain.your_domain.com.s3.amazonaws.com/folder/product.zip
In short, you can do
THIS: http://your_subdomain.your_domain.com/folder/product.zip
OR
THAT: https://your_subdomain.your_domain.com.s3.amazonaws.com/folder/product.zip
so
You CANNOT do this: https://your_subdomain.your_domain.com/folder/product.zip
I am weighing the pros and cons…
November 10, 2011 at 8:34 pm #38310 wzp (Moderator)
Are you afraid of a buyer having his digital download intercepted by the Mutaween?
SSL is only necessary to protect data from being intercepted by third parties. It is not an anti-piracy control.
November 11, 2011 at 12:51 am #38311 Louis (Member)
Yes I am aware of what you said. I am not talking about piracy. Anything non-encrypted can be much more easily intercepted by hackers.
November 11, 2011 at 3:11 am #38312 Louis (Member)
I have got an issue:
“The URL specified in the “Thumbnail Image URL” field does not seem to be a valid URL! Please check this value again:”
The product page does not accept https OR relative links either.
I am “forced” to use http, but the whole site is going through SSL, so that’s not going to work.
November 11, 2011 at 4:02 am #38313 admin (Keymaster)
If you know that the URL of an image that you specified is correct then you can ignore that error message (obviously the image URL validity check from the plugin is failing). It is only shown to the admin of the site when saving the product. It does not have any bearing when your web page actually gets rendered.
November 11, 2011 at 4:08 am #38314 Louis (Member)
Thank you. That’s a relief. But if you can easily update it one day to accept relative URLs without the error, that would be great too.
November 12, 2011 at 3:30 am #38315 Louis (Member)
@admin: I know you said to ignore it, but the errors are quite severe (visually).
The thing is, NONE of the URLs in the “Additional Product Details” can be set to https.
Only the download link(s) can have https at the front.
Further, I am not sure if I mentioned this already, and I think it needs attention;
“Digital Product Variation” URLs CANNOT be set to /home/public_html/folder/product.zip, this path ONLY works for “Digital Product URL”. Worth mentioning?
@wzp: you said: “As for using SSL with the download script, I would only recommend it if (1) you have the server performance to handle it or (2) you are delivering downloads to buyers who live in a high risk environment, like China.”
What do you mean by “high risk environment, like China.”?
Can you elaborate? I am genuinely interested to learn something new.
November 12, 2011 at 2:01 pm #38316 wzp (Moderator)
Security is a bottom line business decision, involving risk and cost benefit analysis. That’s why Walmart does not prosecute shoplifters that are below a certain dollar level, and why countries pick their fights (…although there are always exceptions…) carefully.
There are a lot of people out there who can whip up the most secure systems you’ve ever seen. But unless they work for someone with infinite resources, those systems will not be secure for very long, and their employers will never turn a profit.
We don’t know what you are selling. But if what you are selling is extremely valuable, lawyers and business insurance can pick up where security leaves off.
Now of course, if you are distributing digital products that are not quite up to the community standards of the country your intended buyers live in; that’s another matter, and completely understandable, why you are über-concerned about security. In that case, these kinds of matters are best discussed off-forum, and you are invited to contact me via my site’s contact form.