-
Oct 19th, 2003, 06:27 PM
#1
Thread Starter
Lively Member
Question about security
Hi,
I have just finished a site where users can buy stuff from our company, but now I must add security for the payment (the credit card number, for example). I think I need SSL to do it, but I have no idea how to do it, so if anyone can direct me to some sites where there are examples, or sites that explain how SSL works, that would be great.
Thanks
-
Oct 20th, 2003, 10:14 PM
#2
Frenzied Member
Your server has to have it installed or enabled, and you have to buy a certificate.
SSL is not difficult and you don't really need PHP to do anything with it.
I wouldn't keep the CC # in anything on the site; let PayPal or 2Checkout or Authorize.net do it. Less hassle on your part.
-
Oct 21st, 2003, 09:24 PM
#3
Thread Starter
Lively Member
Thanks,
I will contact my web hoster to enable SSL (as they told me when I bought a package from them that it should support it).
Prosys
-
Oct 21st, 2003, 10:50 PM
#4
Stuck in the 80s
Originally posted by phpman
and you have to buy a certificate
Just wondering (as I probably won't ever do it)... how much does this cost? Would you have to update it annually like a subscription? And what do you have to do to prove you're not scamming people?
-
Oct 21st, 2003, 10:59 PM
#5
Frenzied Member
I don't know the fine details, but yes, you have to update it once a year or so. And no, it can't be a scam because your browser detects the certificate and lets you know if it is out of date or an incorrect certificate.
-
Oct 21st, 2003, 11:03 PM
#6
Stuck in the 80s
I meant that when you purchase the certificate, how do they know (the people that sell it to you), that your site is not scamming people and stealing credit card numbers?
-
Oct 21st, 2003, 11:26 PM
#7
Frenzied Member
You can't steal credit card numbers just from an SSL site. Well, I suppose you could, but the certificate doesn't have anything to do with it. You can still go to a https:// site without a certificate and do the same thing, but the user is pretty stupid if they didn't notice a certificate. You can check any SSL site in the browser.
go here
https://www.accountonline.com/View?d...teId=BKCD_WAMU
And in Mozilla go to View->Page Info and go to the Security tab. That will tell you all you need to know if the certificate is valid and where it came from.
I have never done it myself, but the owner of the site I run does it so I don't see it.
-
Oct 22nd, 2003, 03:16 PM
#8
Stuck in the 80s
You're still not answering the right question.
How do the people that sell the certificates verify that the site is actually secure? There has to be something to 'secure' other than having a certificate.
-
Oct 22nd, 2003, 04:20 PM
#9
The certificate doesn't tell people that your site is secure, it tells people that the site is what it claims to be, i.e. that no cracker somehow hijacked your IP and tries to lure people into giving out information.
The certificate is akin to an ID card.
All the buzzt
 CornedBee
"Writing specifications is like writing a novel. Writing code is like writing poetry."
- Anonymous, published by Raymond Chen
Don't PM me with your problems, I scan most of the forums daily. If you do PM me, I will not answer your question.
-
Oct 22nd, 2003, 04:55 PM
#10
Stuck in the 80s
I still don't understand. So all a certificate does is tell people that the site is what it says it is?
-
Oct 22nd, 2003, 07:44 PM
#11
Frenzied Member
Hobo, I know what you are asking and I just can't think of the words to really tell you. That site I gave you lets you see the certificate so you can be the judge and jury on whether it is safe. See where the certificate is authorized from and go there and see what they say.
I just can't think of what to say on your question, sorry.
-
Oct 22nd, 2003, 09:26 PM
#12
I know exactly what Hobo's thinking, because I wonder the same thing. He's basically asking how do the people who supply the certificate know if the buyer is legit or not? I don't really know how they would figure that out, and so I guess I could go buy a certificate and scam thousands of people because I'm just a kid that wants money from stupid people. I really thought it was quite simple to understand what he meant, but while I was reading this, no one knew.. or knows.
-
Oct 22nd, 2003, 09:50 PM
#13
Frenzied Member
Well, think of it this way.
If you get an SSL certificate and you use it to demise users and get their CC# then prepare to get sued.
Go ahead and do what you want with the CC#'s. But I quote:
"A single fraud incident can put a merchant out of business"
Read here, as it will answer your questions. Like I said in the beginning.
http://www.verisign.com/products/sit...28-bit.html#17
-
Oct 23rd, 2003, 01:15 AM
#14
Ok, I'll try it again.
A certificate by itself doesn't mean that you are doing legal things or that you are in any way to be trusted. The certificate ensures two things:
a) If your page claims to be that of company XYZ then it really is that of company XYZ. This allows the user to decide whether to trust company XYZ, instead of whether to trust a website that claims to be that of company XYZ. The certificate gives a trusted link between a website and its owner.
b) Your page will not get hijacked. It is sometimes possible to redirect all requests to an IP to another IP, or the DNS server that stores your web address gets hacked and your entry changed so that all requests to www.xyz.com go not to your server but to some other. This server could then provide a mirror of your page and try to lure people into giving out information. But since your server has a certificate and the other not, the browser will warn people about that. People will know when they are on your page. The certificate guarantees that the page you're viewing is the one you think you're viewing.
Fraud is possible. But it is stupid. The two things the certificate does guarantee that it is you who did the fraud, and you'd get sued to hell.
All the buzzt
 CornedBee
"Writing specifications is like writing a novel. Writing code is like writing poetry."
- Anonymous, published by Raymond Chen
Don't PM me with your problems, I scan most of the forums daily. If you do PM me, I will not answer your question.
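The checks described in post #14, as an added example that is not part of the original thread: it evaluates a certificate record in the shape Python's `ssl.SSLSocket.getpeercert()` returns against the host name the user asked for. The certificates, the CA name and the `mirror.example` host are constructed, and the trusted-issuer set is a simplified stand-in for real chain validation.

```python
import ssl

# Constructed stand-in for the browser's CA store; a real client verifies the
# signature chain cryptographically instead of comparing issuer names.
TRUSTED_ISSUERS = {"Example Trusted CA"}

def field(name, key):
    """Pull one attribute out of getpeercert()'s nested subject/issuer tuples."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None

def name_matches(pattern, host):
    """Exact match, or a '*' that stands for the whole left-most label only."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if p[0] == "*" and len(p) > 2 and len(p) == len(h):
        return p[1:] == h[1:]
    return p == h

def browser_warnings(cert, host, now):
    """Return the warnings a client should raise for this cert/host pair."""
    warnings = []
    if field(cert["issuer"], "commonName") not in TRUSTED_ISSUERS:
        warnings.append("untrusted issuer")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        warnings.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        warnings.append("expired")
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    names = names or [field(cert["subject"], "commonName")]
    if not any(n and name_matches(n, host) for n in names):
        warnings.append("name mismatch")
    return warnings

def make_cert(cn, issuer, not_before, not_after):
    """Build a constructed record shaped like getpeercert() output."""
    return {"subject": ((("commonName", cn),),),
            "issuer": ((("commonName", issuer),),),
            "notBefore": not_before, "notAfter": not_after,
            "subjectAltName": (("DNS", cn),)}

VALID = ("Jan  1 00:00:00 2003 GMT", "Jan  1 00:00:00 2004 GMT")
NOW = ssl.cert_time_to_seconds("Oct 23 01:15:00 2003 GMT")
AFTER_EXPIRY = ssl.cert_time_to_seconds("Feb  1 00:00:00 2004 GMT")
REAL = make_cert("www.xyz.com", "Example Trusted CA", *VALID)
# What a mirror behind a changed DNS entry can present: its own name, self-issued.
MIRROR = make_cert("mirror.example", "mirror.example", *VALID)
```

None of these checks says anything about how the site handles card numbers after they arrive, which is the distinction the post draws.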
-
Oct 23rd, 2003, 07:56 AM
#15
Frenzied Member
And besides all that, that link explains that you have to have a business license and the gov't's agreement that you are legit.
-
Oct 23rd, 2003, 09:58 AM
#16
Stuck in the 80s
-
Oct 23rd, 2003, 04:21 PM
#17
Frenzied Member
Originally posted by phpman
You can't steal credit card numbers just from an SSL site. Well, I suppose you could, but the certificate doesn't have anything to do with it. You can still go to a https:// site without a certificate and do the same thing, but the user is pretty stupid if they didn't notice a certificate. You can check any SSL site in the browser.
go here
https://www.accountonline.com/View?d...teId=BKCD_WAMU
And in Mozilla go to View->Page Info and go to the Security tab. That will tell you all you need to know if the certificate is valid and where it came from.
I have never done it myself, but the owner of the site I run does it so I don't see it.
If you would have done what I asked you to do you could find out all that info. I did it and found out where they bought that certificate and searched. Just takes initiative.
-
Oct 23rd, 2003, 09:55 PM
#18
Stuck in the 80s
If I wanted to find the answer on my own, I wouldn't be asking questions here.