Using SSL / options, ideas and what not...

Tips and Tricks HQ Forum » WP eStore Forum

Using SSL / options, ideas and what not...

(16 posts) (3 voices)

Started 6 months ago by Louis
Latest reply from Louis
Possible Solutions (Related Topics):

Tags:

12 Next »

Louis

So, I am trying to figure out the best way to use SSL with this cart.

First off, I am fully aware that for Paypal transactions, SLL is not a necessity. Thank you. Let's move on...

Here are three options, and I need advice, pros and cons etc...

1) I can run/redirect the whole site through SSL, via an apache rewrite rule, and it makes things easier to setup, as you don't have to worry about using relative or full paths etc... although you need to watch out for any pictures that link via external http on certain plugins.
Downside, there is some handshaking so it does slow things down a bit, so if you have a very busy site, might not be the best option... but, technically, it looks good, customers might feel safer, and I think that it would work great with the eMember plugin.

2) I can force the Checkout Page 'only' to go through https/SSL via a rewrite rule in apache. I ran into issues with this option, when using Digital Product Variations.

3) A bit 'like' option 2)/above, I can simply setup the Checkout Page url only, to go through https/SSL, but this time, in the cart setting options, like the following for example:
Checkout Page: https://www.the_shop_that_sales_ferraris.com/shop/
Now, in this scenario, should Return URL and Cancel URL go through https/SSL as well? and what else should and should not go through https, to avoid getting errors in certain browsers?
What about the download validation scrip; http or https?

There isn't much info on setting up the cart with SSL, what do you guys think?
Would be good to have a SOLID STICKY on SSL.

Posted 6 months ago #
wzp
Moderator

I use the Force SSL plugin and run my site in SSL 24/7...
http://wordpress.org/extend/plugins/force-ssl/

Posted 6 months ago #
Louis
Thanks for the link, I already new about this plugin. I saw your site btw, very nice.

Personally, I am trying to avoid adding extra plugins as much as possible.

If you are interested in a neat rewrite rule, here is one for the .htaccess, the following will take care of everything:
```
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.themagneticlouis.com/$1 [R=301,L]
```
Thing is, I'd would still like to discuss about option 2 and 3 if possible, as I would be offering video previews - speed is very desirable.
Posted 6 months ago #
wzp
Moderator

Unless you are doing the actual payments processing on your site, or your buyers live under oppressive forms of government,, the use of SSL is more of a "feel good" for the buyer.

So, assuming we are only doing this for the feel good effect, SSL on the thank you page only would be appropriate. I wouldn't use SSL for the cart checkout page, unless it had its own dedicated page; because of mixed content issues. SSL would not be appropriate for the download script, unless you want all your download streams to use SSL.

If video download speed is your concern, you might consider hosting the content on Amazon S3 and using the Lightbox ultimate plugin.

Posted 6 months ago #
Louis

Yes I understand, thank you. I agree. The thing is, I got a package that came with SSL, as an anticipation, just incase the site becomes very popular, and I suddenly become rich and famous overnight... while setting thing up, it's always good to have SSL in place for what I call; "phase 2". Meanwhile, since I already have it, I think I should use it, so at the same time I can learn a bit from it.

You said something that caught my attention;
1) yes, the cart would have a dedicated page, but are you saying that it is possible to have a cart without a dedicated page? If so can you give me an example?

2) I am actually browsing the forum, since this morning, trying to learn a bit about the "Thank you page", as I have tested a Paypal cart a few years ago, which had a dedicated section for setting up the "Thank you page", so I am looking into this at the minute.

AS far as Amazon is concerned, yes, I am fully aware and will most likely give it a go, BUT, I really need/want to separate content from products, so, I definitely keep the content on the site.

For the download script, again, ideally, I might want to use SSL, so I will have to look into it.

I have read about "mixed content", i.e; http coexisting with https on the same page, and that's why I raises the questions above.

The good thing about SSL, is that it also protects from possible spies, and hackers somehow, at different levels.
A http link could be intercepted more easily than https.

Posted 6 months ago #
wzp
Moderator

Here's your example...
http://www.tipsandtricks-hq.com/ecommerce/wordpress-estore-plugin-demo-175
In this case, the cart is on the same page as the products.

Here s the Thank You page information...
http://www.tipsandtricks-hq.com/ecommerce/wp-estore-instant-digital-product-delivery-499

As for using SSL with the download script, I would only recommend it if (1) you have the server performance to handle it or (2) you are delivering downloads to buyers who live in a high risk environment, like China.

If you have specific security or privacy concerns you'd like to discuss, please feel free to drop me a line...
https://TheAssurer.com/contact

Posted 6 months ago #
Louis

Thank you for the links. I see what you mean about the cart being on the page as the product(s).

I did see the thank you page set up in the end, so the short code takes care of it then.
I received a serious WARNING from Paypal IPN, so will have to look into it (will see if there is another post for that or start a fresh one).

As for the download script and SSL, will have to look into this as well. Thanks for the tips. Any ideas on how to check for server performance easily?

Did you try the rewrite rule?

Posted 6 months ago #
Louis

More tips on SSL, I mentioned this somewhere else.

IMPORTANT to note that Amazon S3 has some limitations with SSL.

You cannot use secured downloads/SSL (https instead http) as well as CNAME redirections:
your_subdomain.your_domain.com/folder/product.zip
INSTEAD OF
your_subdomain.your_domain.com.s3.amzonaws.com/folder/product.zip

In short, you can do
THIS: http://your_subdomain.your_domain.com/folder/product.zip
OR
THAT: https://your_subdomain.your_domain.com.s3.amzonaws.com/folder/product.zip

so
You CANNOT do this: https://your_subdomain.your_domain.com/folder/product.zip

I am weighing the pros and cons...

Posted 6 months ago #
wzp
Moderator

Are you afraid of a buyer having his digital download intercepted by the Mutaween?

SSL is only necessary to protect data from being intercepted by third parties. It is not an anti-piracy control.

Posted 6 months ago #
Louis

Yes I am aware of what you said. I am not talking about piracy. Anything non encrypted can be much more easily intercepted by hackers.

Posted 6 months ago #

RSS feed for this topic

12 Next »

Reply »

You must log in to post.