SSL advice

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Hi folks.

I'm in the process of setting up a small e-commerce website which uses Paypal as it's only payment gateway. Obviously the security of financial details being sent to Paypal is handled by them and I never see them. However, my site will require customers to register an account with username, password, postal address, etc, and they will be able to login to manage that account online. I have access to a shared secure server. Do I need to enable it for the pages gathering personal information? I know HOW to, but I don't know if I NEED to. It's a very small-scale operation and I don't want to spend much on it till I know if it's going to generate much interest. If it takes off and I need secure server access I'll invest in my own SSL cert for the domain. In the meantime, I think generic/shared SSL looks a bit clumsy. So, what do folk think? Is it a requirement legally? Is it advisable? Can I get away without it?

 

SSL is definitely mandatory for all pages with personal information. Otherwise it all gets sent in clear text from the user all the way to the web server.

An intercept anywhwere in between would make it very easy for them to get hold of all the information transmitted.

SSL certs are cheap, either don't collect and store the information or pay for the cert. Yes there are legal privacy concerns, normally this is a self enforced code of practice stated on the site, I'm not sure what the legal minimum is but its likey to include 'make adequate measures to protect customers sensitive data'.

 

Thanks for the input. I figured as much. Unfortunately, I can't go down the cheap SSL cert route as my host only allows the GeoTrust one at £149 (At least there's no markup and they set it all up for you). Still, staying legal and customer confidence will be worth it.

 

Actually, I've just realised that's a markup of £10 and then they add VAT. Bah!

 

I don't really want to change hosts. I'm a re-seller for them with most of my client's websites hosted there too, and it's a really good deal otherwise. It's not a huge markup considering they install the cert for you. I'm just slightly miffed they don't allow third party certs, but when it comes down to it I'd rather know I was covered by one of the better known brands SSL-wise. It's just the Scot in me rebelling at parting with money ;)

Thanks again for confirming I need one.