Can Ubercart use HTTPS / SSL to protect user login and checkout?

Category: User
Topic: Features

This functionality is provided through the Drupal module "Secure Pages", which you can download from http://drupal.org/project/securepages. Once installed on your site, that module allows you to designate certain sections of your site as secure, accessible only over the HTTPS protocol. At a minimum, you should consider protecting any page that displays or collects sensitive user information such as passwords and credit card numbers.

A discussion of which paths to protect in a typical Ubercart installation can be found at http://www.ubercart.org/forum/support/1850/ssl_which_paths_do_you_protect

joe4
htaccess SSL

This can also be done via the htaccess file pre-packaged with Drupal and does not require the installation of beta modules.

http://www.runssl.com/content/how-redirect-drupal-or-ubercart-ssl-connec...

TR
Re: htaccess SSL

I don't think that's a very good idea for several reasons. First, though, your implication that the Secure Pages module is no good because it is "beta" is way off the mark. Secure Pages has been around for several years, and is currently used in hundreds of live Ubercart sites without a problem. While I have no idea why the author persists in calling the current well-tested release a beta, the name has no bearing on the quality or functionality of the result. This is in stark contrast with the post you link to, which isn't even a day old and has not withstood the test of time or peer review to confirm that it works, let alone that it's a good solution. For that reason alone, it is not something that you should be recommending in a FAQ.

The main drawback with http redirects in the .htaccess file is this:

Customers don't care if your site is entirely http. They're not likely to run away without purchasing if your checkout page is not https, because they're not likely to notice it. They also don't notice if your site is entirely https. What they DO notice is a dialog box thrown up that cautions them that a page has mixed secure/unsecure content, and asks them if it's really OK. That causes even the most naive user to reconsider a purchase. And this is exactly what happens if you just use http redirects, since the pages you're redirecting to https will not have their content re-written to load page assets (CSS files, JavaScript, images, etc.) via https.

Likewise, the .htaccess scheme doesn't work when posting data. Form submittals will still be sent to the http address, only to be redirected to https upon arrival. But the form data is still initially sent to the server in the clear; only after the server replies with a redirect does the client initiate an https session to re-send the form data. Following the recommendation you link to, then, not only fails to secure the data but also leaves the site owner with a false sense that he's protected (he's using https, after all - that's safe, isn't it?), in addition to scaring off customers with a "may be insecure" warning.

I would appreciate it if any follow-up discussions on this topic take place in the forums, not in the comments for this FAQ. I will gladly post a link to that thread here.

<tr>.
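Added example, not part of the comment above or of the original FAQ: a small Python audit that checks a page's HTML for the two failure modes described there, assets still referenced over http:// (the mixed-content warning) and forms whose first POST goes to an http:// address. The class and function names, the sample markup and the example.com URLs are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute that makes the browser fetch a sub-resource for the page.
ASSET_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

class HttpsPageAudit(HTMLParser):
    """Collect references that undermine HTTPS on a page served at page_url."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.mixed_assets = []     # sub-resources fetched over http://
        self.cleartext_forms = []  # forms whose first submission goes to http://

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or relative action resolves against the page's own URL.
            target = urljoin(self.page_url, attrs.get("action") or "")
            if urlparse(target).scheme == "http":
                self.cleartext_forms.append(target)
        elif tag in ASSET_ATTRS:
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                return  # canonical/alternate links are not loaded as page assets
            ref = attrs.get(ASSET_ATTRS[tag])
            if ref and urlparse(urljoin(self.page_url, ref)).scheme == "http":
                self.mixed_assets.append(ref)

def audit(page_url, html):
    """Return (mixed_assets, cleartext_forms) for html served at page_url."""
    parser = HttpsPageAudit(page_url)
    parser.feed(html)
    return parser.mixed_assets, parser.cleartext_forms

# Constructed sample: checkout markup that still carries absolute http:// URLs.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://example.com/sites/all/themes/shop/style.css">
<script src="/misc/drupal.js"></script></head><body>
<img src="http://example.com/files/logo.png">
<form method="post" action="http://example.com/cart/checkout"><input name="cc"></form>
<form method="post" action="/user/login"><input name="pass"></form>
</body></html>"""

if __name__ == "__main__":
    assets, forms = audit("https://example.com/cart/checkout", SAMPLE)
    print("mixed content:", assets)
    print("forms posting in cleartext:", forms)
```

Auditing the same markup with an http:// page URL also flags the relative `/user/login` form, since the submission leaves the browser unencrypted before any redirect can happen.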
joe4
Re: Re: htaccess SSL

Created post in support forum. http://www.ubercart.org/forum/support/8020/ssl_htaccess_redirects_discus...

OP can remove original post in FAQ until further testing is done on htaccess.