SSL on Shared Host


jdcfsu
Veteran Member
 
Join Date: Jun 2006
Location: Florida
 
2008-01-23, 23:13

One of the sites I manage has asked about adding a web form to have parents sign up for various things. Due to the nature of the information being collected (personal, demographic, and potentially payment) it'd need to be done over a secure server. I've never used an SSL before and know that I can add one onto my shared host for about $100. Is using SSL on a shared host a security risk? Also, if we do purchase the SSL would I then need to use a typical php/cgi form script to send the information to an email address, or is there a better way of doing this web-registration? Thanks guys.

90% of statistics can be made to say anything 50% of the time.
Website | Twitter
scratt
Veteran Member
 
Join Date: Jul 2004
Location: M-F: Thailand Weekends : F1 2010 - Various Tracks!
2008-01-24, 00:05

Typically when on a shared host the SSL cert is shared.. But it's secure.
I got mine with my server so am not sure of the cost, but seem to remember a unique certificate is more last time I looked. So I am basing it on that assumption.

On my new server (got rid of useless IX Webhosting finally) I put my secure stuff in the https folder as opposed to the http folder and it's all seamless, other than you use 'https' URLs for the secure stuff.

You use standard html and php.. But obviously make sure your html (and your php) is nice and secure.. Perhaps check out hotscripts for some ideas.

I am not an expert on this, I just kind of muddle through web stuff, and am just giving you my experience on a few servers over the years. So feel free to take advice from others also.

'Remember, measure life by the moments that take your breath away, not by how many breaths you take'
Extreme Sports Cafe | ESC's blog | scratt's blog | @thescratt
Brad
Selfish Heathen
 
Join Date: May 2004
Location: Zone of Pain
 
2008-01-24, 00:59

Quote:
Originally Posted by jdcfsu
Due to the nature of the information being collected (personal, demographic, and potentially payment) it'd need to be done over a secure server. [...] Also, if we do purchase the SSL would I then need to use a typical php/cgi form script to send the information to an email address, or is there a better way of doing this web-registration?
Unless the email server forces SSL authentication, that link in the chain would defeat the whole purpose of getting a certificate for the web site. Email, unless authentication is mandatory for all users involved and users can be trusted not to forward messages and all users are required to use message encryption with something like PGP, is inherently insecure because messages are transmitted by plaintext and stored in plaintext. Sensitive information like bank/credit payment information should never, ever, ever be transmitted over email, even when you think you have a secure connection. The risk of someone or something inadvertently breaking that chain of security is just too great.

If you're going to be working with any kind of payment data, you need to work with a database of some sort on the server that has limited means of access and all communication with and data stored on that server need to be encrypted. Using a shared host here is also a big security risk since there's risk of another user on the server gaining access to your data.

(Full disclosure: I've been working primarily on the commerce/finance systems of a web-based company for the past year or so. It's a fun world, but you have to be extra careful when you're dealing with other people's money and sensitive data.)

The quality of this board depends on the quality of the posts. The only way to guarantee thoughtful, informative discussion is to write thoughtful, informative posts. AppleNova is not a real-time chat forum. You have time to compose messages and edit them before and after posting.
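As an added illustration of the point in Brad's post (this is not code from the thread or from any product it mentions): a form handler on the web side can refuse to forward a submission by email when it did not arrive over HTTPS or when any field looks like a payment card number. The Luhn check and the field names are assumptions made for the example; the sample submissions are constructed.

```python
import re
from typing import Dict, Tuple

def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers (assumed detection heuristic)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# Runs of 13-19 digits, optionally separated by spaces or dashes, not adjacent to other digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")

def contains_card_number(text: str) -> bool:
    """True if any digit run in the text has card-like length and passes Luhn."""
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return True
    return False

def vet_submission(form: Dict[str, str], is_https: bool) -> Tuple[bool, str]:
    """Decide whether a registration form may be forwarded by email.

    Email is plaintext in transit and at rest, so the handler refuses anything
    that looks like payment data, and refuses submissions not sent over HTTPS.
    """
    if not is_https:
        return False, "rejected: submission did not arrive over HTTPS"
    for name, value in form.items():
        if contains_card_number(str(value)):
            return False, f"rejected: field '{name}' looks like a card number; do not email payment data"
    return True, "ok: no payment data found, safe to forward by email"

if __name__ == "__main__":
    # Constructed sample submissions; 4111 1111 1111 1111 is a well-known test card number.
    print(vet_submission({"parent": "A. Smith", "grade": "7"}, True))
    print(vet_submission({"parent": "A. Smith", "notes": "pay with 4111 1111 1111 1111"}, True))
    print(vet_submission({"parent": "A. Smith"}, False))
```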
scratt
Veteran Member
 
Join Date: Jul 2004
Location: M-F: Thailand Weekends : F1 2010 - Various Tracks!
2008-01-24, 01:14

Thanks Brad, that was good advice...

With regards to money transactions..

Most of my websites that take money do it via www.2checkout.com.
(They are not as bad as the press they get. They are simply not much better than most other online solutions! I have been with them for 5 years now, and only fallen out a few times.. Normally they are accommodating if you are blunt with them. And I've befriended one of the senior web people over the years so can at least ping him when things get stressy!)

So if you are taking payments use them... They handle the secure side, and I simply transfer people to them from my insecure web portal prior to taking any private data.

Banana
is the next Chiquita
 
Join Date: Feb 2005
 
2008-01-24, 03:19

I wonder if there is such thing as an alternative to SSL? Is TLS any more secure?
jdcfsu
Veteran Member
 
Join Date: Jun 2006
Location: Florida
 
2008-01-24, 08:12

Thanks for the replies. So basically this is a no-go because of the shared server. Do you have any suggestions to do web registrations securely on a shared host?

What would the benefit be to using something like 2checkout or PayPal over running something on our own server?


Last edited by jdcfsu : 2008-01-24 at 09:03.
Brad
Selfish Heathen
 
Join Date: May 2004
Location: Zone of Pain
 
2008-01-24, 10:21

Quote:
Originally Posted by jdcfsu
What would the benefit be to using something like 2checkout or PayPal over running something on our own server?
The big benefit to using a third-party payment handler is that you don't have to process the payments themselves. If you build a cart/checkout/payment process in-house, on the other hand, you'll have to collect and store the users' credit card information yourself and integrate with a bank/gateway to process the payments through an API.

The drawbacks to using a third-party payment handler are that your visitors will be redirected out to the third-party site, you may encounter delays in getting responses from the handler, and the per-transaction fee may be higher.

The big benefits to building the checkout/payment process in-house are that you can present a completely seamless interface to your users, should be able to get immediate feedback from the bank/gateway's API, and likely have a lower per-transaction fee. Of course, a major drawback to the in-house solution is that it requires a much higher level of technical skills to implement.

scratt
Veteran Member
 
Join Date: Jul 2004
Location: M-F: Thailand Weekends : F1 2010 - Various Tracks!
2008-01-24, 10:39

What Brad says is correct.

However, having looked at the setup costs / time involved in handling this yourself I decided that any higher gateway fee is probably worth it. To set it up, and then maintain it, and keep it secure is a full time job for someone IMHO. Definitely not something for your web startup!

Response time is not an issue as you get immediate feedback for sales from most of these sites, and if you don't use PayPal they do give a s&%t, and do actually have real people on the end of phones 24/7. 2checkout do actually fight chargebacks if you ask them, and often waive the fees if they are sympathetic to your case.. A lot better than PayPal in that regard.

Also having looked very carefully into the merchant fees, gateway fees, and bank fees it is actually more expensive for me to go that way in Asia right now. Hence using a US company. They even issue a credit card now which you can credit direct from your online account, and (not sure if this is good or bad) but 2checkout.com now do PayPal too!

One big advantage of *really* processing cards yourself (if you are allowed to do it where you are) is that you get paid daily into your account for each transaction. This can in some cases cost you more because of extra transaction fees, but not if all the hardware / servers / banks are local to your country.

I on the other hand get paid weekly from 2checkout.com, which is good enough for me..

If your security concerns are not uber high then perhaps look at putting a modded version of OSC together on the secure side of your server. OSC, although a shop database can be used for myriad uses.. We use them often for quick-to-setup skydiving boogie registration pages, where we collect flight info, passport info etc. etc.

OSC has a great community, and loads of people out there willing to mod for a few $$$.


Last edited by scratt : 2008-01-24 at 11:00.
jdcfsu
Veteran Member
 
Join Date: Jun 2006
Location: Florida
 
2008-01-24, 14:57

Thanks guys. I'm not able to maintain the website on a daily basis let alone a full on secure server running transactions. I'm putting together a cost/benefit for the different options and I'll include PayPal and 2checkout. Does VeriSign do a similar thing, or are they more into the SSL certificates and digital signing? Any other options out there that might be worth a shot?

Gargoyle
http://ga.rgoyle.com
 
Join Date: May 2004
Location: In your dock hiding behind your finder icon!
 
2008-01-24, 17:19

I used GoogleCheckout the other day and was very impressed with the whole experience from a customer point of view.
scratt
Veteran Member
 
Join Date: Jul 2004
Location: M-F: Thailand Weekends : F1 2010 - Various Tracks!
2008-01-24, 20:26

Yes.. I would go to GoogleCheckout in a heartbeat if they were international.
jdcfsu
Veteran Member
 
Join Date: Jun 2006
Location: Florida
 
2008-01-24, 21:42

I like how GoogleCheckout is free for Non-Profits until 2009... but it looks like PayPal has far more features than Google. Maybe it's just the website, but scratt, why would you move to GC should it be international?

Brad
Selfish Heathen
 
Join Date: May 2004
Location: Zone of Pain
 
2008-01-25, 04:57

Quote:
Originally Posted by jdcfsu
Does VeriSign do a similar thing, or are they more into the SSL certificates and digital signing? Any other options out there that might be worth a shot?
VeriSign actually used to do direct Visa/MasterCard/American Express transactions as a payment gateway via software called Payflow Pro. PayPal, however, purchased that segment of the company a while ago. Details about Payflow Pro at PayPal.com

That said, I have major disdain for PayPal as a company. If Google Checkout can work for you, I say go for Google.

scratt
Veteran Member
 
Join Date: Jul 2004
Location: M-F: Thailand Weekends : F1 2010 - Various Tracks!
2008-01-25, 05:12

Quote:
Originally Posted by jdcfsu
..but scratt, why would you move to GC should it be international?
Last time I checked they were slightly cheaper than 2checkout.com and comparable, except they don't do anywhere but the US.
I would think that (regardless of how they deny it) you'd get slightly better traffic and sales if you ran your business through them.
I also make use of adsense and earn reasonably well from it, and like the idea of having it all under one roof.

I have spoken to them and they do intend (eventually) to integrate online payments, adsense and adrevenue into one thing. In that sense I could pay to advertise, get ad. revenue and take customer orders all online in one account. Cool!

Currently they pay me here in Thailand for ad. revenue with local cheques and give me a great exchange rate!!

Also, for me personally, Google have always been great at customer service.. I always get replies, even to quite minor enquiries.
My main mail account is now with them.. A lot of stuff I have is with google.

The only thing I don't have with them is my alternate secure online backup stuff which is elsewhere.
But I do have a couple of GMail accounts I use as backup disks as well!

I would not dump 2checkout.com, but I would run both side by side so I had the option to dump one or other if they pissed me off. I did that with PayPal, and PayPal pissed me off, like they do everyone, so I dumped them.. and left them holding the bag with a bogus / fraudulent refund attempt they would not protect me on.. Something I am quietly rather proud of!

Gargoyle
http://ga.rgoyle.com
 
Join Date: May 2004
Location: In your dock hiding behind your finder icon!
 
2008-01-25, 05:23

Quote:
Originally Posted by scratt
Last time I checked they were slightly cheaper than 2checkout.com and comparable, except they don't do anywhere but the US.
I'm in the UK
scratt
Veteran Member
 
Join Date: Jul 2004
Location: M-F: Thailand Weekends : F1 2010 - Various Tracks!
2008-01-25, 05:30

Yes.. But you were dealing with a US retailer I presume.
I am talking about being a merchant with them.
Gargoyle
http://ga.rgoyle.com
 
Join Date: May 2004
Location: In your dock hiding behind your finder icon!
 
2008-01-25, 05:39

It was from ebuyer.com. They have their contact address as Ebuyer (UK) Ltd, Howden, East Yorks, DN14 7UW
scratt
Veteran Member
 
Join Date: Jul 2004
Location: M-F: Thailand Weekends : F1 2010 - Various Tracks!
2008-01-25, 05:45

You made me curious so I went and checked.. Google do UK and US now.
If it was any other company I'd say that I wouldn't hold my breath for Thailand, but with Google I have faith it'll be up and running at some point in the next 12 months.
