ssl certs

fearanphoist

hi folks.

i am new to implementing one of these .

can somebody give me the run down on what is involved.

do you buy the cert , which there are all different types. and how do you implement that to secure data from your browser to server? or does it just secure the tranaction ?

how much do they cost per annum ?

been online for years , i am taking the next step with a store .

thanks

biko

This is a general answer in case someone else stumbles upon this thread:

In short you install the certificate on the shop server and make the pages https.
When someone comes to buy stuff the certificate makes a copy on their computer so server/client knows they have a private conversation
and CC details etc won't be snatched up by someone else.

Comodo, known for firewalls etc, now has SSL.
http://www.instantssl.com/
http://www.comodo.com/business-security/digital-certificates/ssl-certificates.php
Price range from free to 100s

Start by reading this http://www.instantssl.com/ssl-certificate-products/what_is_ssl.html


In the beginning, network administrators had to figure out how to share the information they put out on the Internet.

They agreed on a procedure for exchanging information and called it HyperText Transfer Protocol (HTTP).

Once everyone knew how to exchange information, intercepting on the Internet was not difficult. So knowledgeable administrators agreed upon a procedure to protect the information they exchanged. The protection relies on SSL certificates to encrypt the online data. Encryption means that the sender and recipient agree upon a "code" and translate their documents into random-looking character strings.

The procedure for encrypting information and then exchanging it is called HyperText Transfer Protocol Secure (HTTPS).

With HTTPS if anyone in between the sender and the recipient could open the message, they still could not understand it. Only the sender and the recipient, who know the "code," can decipher the message.

Humans could encode their own documents, but computers do it faster and more efficiently. To do this, the computer at each end uses a document called an "SSL certificate" containing character strings that are the keys to their secret "codes."

SSL certificates contain the computer owner's "public key."

The owner shares the public key with anyone who needs it. Other users need the public key to encrypt messages to the owner. The owner sends those users the SSL certificate, which contains the public key. The owner does not share the private key with anyone.

The security during the transfer is called the Secure Sockets Layer (SSL) and Transport Layer Security (TLS).

The procedure for exchanging public keys using SSL certificates to enable HTTPS, SSL and TLS is called Public Key Infrastructure (PKI).

CreepingDeath

fearanphoist wrote: »

hi folks.

i am new to implementing one of these .

can somebody give me the run down on what is involved.

do you buy the cert , which there are all different types. and how do you implement that to secure data from your browser to server? or does it just secure the tranaction ?

how much do they cost per annum ?

been online for years , i am taking the next step with a store .

thanks

The likes of Verisign sell the SSL certificates.
You install it on your web/application server and configure it to use the cert for HTTPS traffic.
Then the clients browser connects via HTTPS.
Some sites only send the login details over HTTPS, some run the entire user session over HTTPS for more security.
( Google mail just changed from using https for login, to using https for the entire session )

If you have a valid SSL certificate then the clients browser will accept it.
( I think the trusted certificate authority sell them with an expiry date from 1 - 3 years )

If you create your own free (self-signed) certificate, then the browser will throw up a warning that it doesn't trust the site and do you want to continue. Okay for testing in a development environment, but not for an online payment system.

Are you going to write your own payment system, accepting credit card numbers and the like ?
You have to know what you're doing to make that safe from scripting & SQL injection attacks.

It might be easier to redirect your payments to Paypal or the like.
* See the Paypal merchant tools.

I'd be very cautious about accepting and storing peoples credit card numbers.
You'd have to ensure you've secured
- the web / application server
- database is locked down and no default passwords/users still active
- ideally encrypt the payment details in the database also
- properly firewalled
- every single user entry is considered potentially malicious to SQL & script injection attacks
- url parameters must be vetted / ignored

There's a fantastic podcast called "Security Now" which has been running for years and has gone through practically every security topic you could want. It's definitely worth a look.

Security Now Podcasts

fearanphoist

hi folks

thanks for the quick replies

i am implementing the software ( shop ) from a commercial provider and not coding it myself.

what determines the different costs of SSL certs ?

do i need to secure the whole online shop ? or just the transaction part ?

the problem with paypal is the amount they take off you . there are many online stores about with SSL. i will have payment modules installed but i have yet to decide which one to go with

thanks



thanks

Gone Drinking

Have a look at something like Realex, you set up with them, they give you the plugin and show you how to install it.

Not worth doing the whole SSL thing yourself, there's too much behind the security and you'd be liable if details were taken off your site via one of the many other securities gaps there can be.