SSL Transactions 1

[Shilohcity]

Hi there

I am a confused web designer....

I am setting up a website to conduct credit card transactions over the internet. I thought I had everything sorted out in relation to SSL and now my hosting provider informs me I need a SSL certificate in addition to a secure server. I have checked a few websites and am still confused as to whether both a certificate and a secure server are always needed or whether it is just my ISP that needs them.

I know this is probably basic stuff but any help would be most appreciaited and I promise you riches beyond your wildest dreams...(maybe)..

Cheers
Justin.

 

[GunJack]

Hi Justin,

SSL is really not that bad. Basically, you need a digital certificate installed on your webserver and configured for your website to enable SSL for your site. When the digital certificate is installed, your website becomes what they're calling a "secure server". Digital certificates are issued by select companies such as Verisign & Thawte and they make sure that someone requesting a certificate is who they say they are AND that they own the domain they're requesting it for. This is because certificates contain information about the company (or person) who own them as well as the website they were issued to provide encryption for.

Whenever someone requests a secure document, browsers such as IE & Netscape allow the visitor to view the certificate information and see the company name and address information. If you used your ISP's certificate, it would appear to the visitor that they were purchasing products from the ISP (if they checked the certificate). If this unlikely event is acceptable to you, there is no reason you couldn't piggy-back off your ISP's certificate (if they have one). There are some configuration issues but it's technically feasible and a number of ISP's offer it. They are however opening themselves up to potential customer inquieries and complaints which is why they probably don't want to do it.

If you have any other problems in this area, my company (atlbiz.com) provides a range of hosting solutions including complete shopping cart systems.

Good Luck!

 

[Shilohcity]

Thanks for clearing that up.

It somehow makes a lot more sense laid out on a page in front of me.

(ahhhh...and those riches I promised in my first post....ummm..yeah well the biggest present u get for Xmas thats from me. hehehe)


Thanks again

Justin.

 

[SDM]

We are considering setting up a web site which will capture credit card and bank details on a form as part of the process. For this reason I am aware that we need to set up an SSL Server which will secure the the communication between the browser and the server - however I assume that I will need to secure the email that is subsequently sent to me from the web server. From what I understand, there are personal certificates to do this but do I need to write some code to encrypt the email message that is sent to me from the web server?

Any help would be useful...Thanks.

 

[GunJack]

To do what you're doing, I would reccomend one of two options. You could just e-mail a notification of an order with a link back to a secure page on the server. This would allow you to use the ssl on the server to protect all important information. If however, you do need to send sensitive information in the e-mail, I would recommend Cold Fusion with the cfx_pgp custom tag. I haven't had to use this but it seems to be the solution most people use for Cold Fusion when they need to send encrypted e-mail. I believe the same can be done with ASP but I find you usually have to install more 3rd party products with ASP.

GJ