Re: htaccess SSL

By: TR

I don't think that's a very good idea for several reasons. First, though, your implication that the Secure Pages module is no good because it is "beta" is way off the mark. Secure Pages has been around for several years, and is currently used in hundreds of live Ubercart sites without a problem. While I have no idea why the author persists in calling the current well-tested release a beta, the name has no bearing on the quality or functionality of the result. This is in stark contrast with the post you link to, which isn't even a day old and has not withstood the test of time or peer review to confirm that it works, let alone that it's a good solution. For that reason alone, it is not something that you should be recommending in a FAQ.

The main drawback with http redirects in the .htaccess file is this:

Customers don't care if your site is entirely http. They're not likely to run away without purchasing if your checkout page is not https, because they're not likely to notice it. They also don't notice if your site is entirely https. What they DO notice is a dialog box thrown up that cautions them that a page has mixed secure/unsecure content, and asks them if it's really OK. That causes even the most naive user to reconsider a purchase. And this is exactly what happens if you just use http redirects, since the pages you're redirecting to https will not have their content re-written to load page assets (CSS files, JavaScript, images, etc.) via https.

Likewise, the .htaccess scheme doesn't work when posting data. Form submittals will still be sent to the http address, only to be redirected to https upon arrival. But the form data is still initially sent to the server in the clear; only after the server replies with a redirect does the client initiate an https session to re-send the form data. Following the recommendation you link to, then, not only fails to secure the data but also leaves the site owner with a false sense that he's protected (he's using https, after all - that's safe, isn't it?), in addition to scaring off customers with a "may be insecure" warning.

I would appreciate it if any follow-up discussions on this topic take place in the forums, not in the comments for this FAQ. I will gladly post a link to that thread here.

Can Ubercart use HTTPS / SSL to protect user login and checkout? By: TR (3 replies) Fri, 02/01/2008 - 23:31
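The two failure modes described in the post above (page assets still referenced over http, and forms whose action is an http URL) can be checked for in the HTML a checkout page actually serves. The following is an added example, not part of the original post or of any Ubercart or Secure Pages code; the `audit` helper, the `InsecureRefFinder` class, the `shop.example` host and the sample markup are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute makes the browser fetch a sub-resource.
ASSET_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

class InsecureRefFinder(HTMLParser):
    """Collect assets and form targets that resolve to plain http."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.mixed_assets = []     # cause the mixed-content warning
        self.cleartext_forms = []  # first POST leaves the browser unencrypted

    def _is_http(self, ref):
        # Resolve relative and protocol-relative references against the page.
        return urlsplit(urljoin(self.page_url, ref)).scheme == "http"

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or empty action posts back to the page's own URL.
            action = attrs.get("action") or self.page_url
            if self._is_http(action):
                self.cleartext_forms.append(action)
        elif tag in ASSET_ATTRS:
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or ""):
                return  # canonical/alternate links are not fetched as assets
            ref = attrs.get(ASSET_ATTRS[tag])
            if ref and self._is_http(ref):
                self.mixed_assets.append(ref)

def audit(page_url, html):
    """Return (mixed_assets, cleartext_forms) for one https page."""
    finder = InsecureRefFinder(page_url)
    finder.feed(html)
    return finder.mixed_assets, finder.cleartext_forms

# Constructed sample: a checkout page served over https (hypothetical host).
PAGE_URL = "https://shop.example/cart/checkout"
SAMPLE_HTML = """
<link rel="stylesheet" href="http://shop.example/themes/style.css">
<link rel="canonical" href="http://shop.example/cart/checkout">
<script src="/misc/jquery.js"></script>
<img src="http://shop.example/files/logo.png">
<img src="//shop.example/files/badge.png">
<form method="post" action="http://shop.example/cart/checkout"></form>
<form method="post" action="/user/login"></form>
"""
```

Relative and protocol-relative references inherit the page's https scheme and are not reported; only absolute http URLs are, which is the case a redirect-only setup leaves in place.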