SSL advice

Discussion in 'Web Development & Web Hosting' started by thecatsmother, May 1, 2009.

  1. thecatsmother

    thecatsmother Byte Poster

    Hi folks.

    I'm in the process of setting up a small e-commerce website which uses Paypal as its only payment gateway. Obviously the security of financial details being sent to Paypal is handled by them and I never see them. However, my site will require customers to register an account with username, password, postal address, etc., and they will be able to log in to manage that account online. I have access to a shared secure server. Do I need to enable it for the pages gathering personal information? I know HOW to, but I don't know if I NEED to. It's a very small-scale operation and I don't want to spend much on it till I know if it's going to generate much interest. If it takes off and I need secure server access I'll invest in my own SSL cert for the domain. In the meantime, I think generic/shared SSL looks a bit clumsy. So, what do folk think? Is it a requirement legally? Is it advisable? Can I get away without it?
     
    WIP: CIW Website Design Manager
  2. wagnerk
    Highly Decorated Member Award

    wagnerk aka kitkatninja Moderator

    For a business (no matter if it's big or small) gathering data of customers, I would say get yourself an SSL cert. You can get an SSL cert for under £20 per year, see here.

    You may get away with it; however, if your site was attacked/hacked and your customers' personal details were taken, you will face "not so good news", as it would be classed as a data protection issue: "safeguarding data" (among others).

    -Ken
     
    Certifications: CITP, PGCert, BSc, HNC, LCGI, PTLLS, MCT, MCITP, MCTS, MCSE, MCSA:M, MCSA, MCDST, MCP, MTA, MCAS, MOS (Master), A+, N+, S+, ACA, VCA, etc... & 2nd Degree Black Belt
    WIP: PGDip
  3. dmarsh

    dmarsh Terabyte Poster

    SSL is definitely mandatory for all pages with personal information. Otherwise it all gets sent in clear text from the user all the way to the web server.

    An intercept anywhere in between would make it very easy for them to get hold of all the information transmitted.

    SSL certs are cheap; either don't collect and store the information or pay for the cert. Yes, there are legal privacy concerns; normally this is a self-enforced code of practice stated on the site. I'm not sure what the legal minimum is, but it's likely to include 'make adequate measures to protect customers' sensitive data'.
     
    Certifications: CITP, BSc, HND, SCJP, SCJD, SCWCD, SCBCD, SCEA, N+, Sec+, Proj+, Server+, Linux+, MCTS, MCPD, MCSA, MCITP, CCDH
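
The clear-text point made in the post above can be checked before launch by auditing which forms collect personal data without HTTPS. The following is an added example, not code from the thread or its posters; the `shop.example` URLs, the field-name heuristics and the sample page are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Input types and name fragments treated as personal data (assumed for this example).
SENSITIVE_TYPES = {"password", "email", "tel"}
SENSITIVE_NAMES = ("user", "pass", "address", "postcode", "phone", "email")

# Constructed sample page: a search box plus a registration form.
SAMPLE_PAGE = """
<form action="/search"><input type="text" name="q"></form>
<form action="/account/create" method="post">
  <input type="text" name="username"><input type="password" name="password">
  <textarea name="postal_address"></textarea>
</form>
"""


class FormAudit(HTMLParser):
    """Record each <form>, its action, and whether it collects personal fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "sensitive": False}
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current is not None:
            name = a.get("name", "").lower()
            if a.get("type", "").lower() in SENSITIVE_TYPES or any(
                    s in name for s in SENSITIVE_NAMES):
                self._current["sensitive"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def cleartext_forms(page_url, html):
    """Return submit URLs of personal-data forms served or posted without HTTPS."""
    parser = FormAudit()
    parser.feed(html)
    served_plain = urlparse(page_url).scheme != "https"
    findings = []
    for form in parser.forms:
        target = urljoin(page_url, form["action"])  # empty action posts to the page itself
        if form["sensitive"] and (served_plain or urlparse(target).scheme != "https"):
            findings.append(target)
    return findings
```

A form is flagged when either the page that serves it or the URL it submits to is not HTTPS, since both the page and the submitted fields cross the network in clear text otherwise.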
  4. thecatsmother

    thecatsmother Byte Poster

    Thanks for the input. I figured as much. Unfortunately, I can't go down the cheap SSL cert route as my host only allows the GeoTrust one at £149 (At least there's no markup and they set it all up for you). Still, staying legal and customer confidence will be worth it.
     
    WIP: CIW Website Design Manager
  5. thecatsmother

    thecatsmother Byte Poster

    Actually, I've just realised that's a markup of £10 and then they add VAT. Bah!
     
    WIP: CIW Website Design Manager
  6. wagnerk
    Highly Decorated Member Award

    wagnerk aka kitkatninja Moderator

    Can you change hosts?

    -Ken
     
    Certifications: CITP, PGCert, BSc, HNC, LCGI, PTLLS, MCT, MCITP, MCTS, MCSE, MCSA:M, MCSA, MCDST, MCP, MTA, MCAS, MOS (Master), A+, N+, S+, ACA, VCA, etc... & 2nd Degree Black Belt
    WIP: PGDip
  7. thecatsmother

    thecatsmother Byte Poster

    I don't really want to change hosts. I'm a re-seller for them with most of my clients' websites hosted there too, and it's a really good deal otherwise. It's not a huge markup considering they install the cert for you. I'm just slightly miffed they don't allow third-party certs, but when it comes down to it I'd rather know I was covered by one of the better-known brands SSL-wise. It's just the Scot in me rebelling at parting with money ;)

    Thanks again for confirming I need one.
     
    WIP: CIW Website Design Manager