Danny_Joris
Joined: 05/09/2009

Hi all,

I'm almost ready to finish my first Drupal website with Ubercart. I have a few questions about security.

- My hosting provides SSL authentication for 95 euro/year.
a) Is that a good price?
b) They said they can secure an entire site or just a small part (/webshop for example). If they can secure the entire site, why should I choose the option to secure only a small bit?
c) And if I would choose to secure only the webshop portion, what /maps should I most certainly have to secure then? And securing only part of a website, isn't that exactly what the Secure Pages Module does?
d) I feel like the answer to the next one is 'yes', but I'm going to ask anyway. My shop has two payment options: the first is an offline bank deposit (no security needed for that, I think), and the second one is PayPal. But since PayPal does not exchange credit card numbers directly over the site, why should I secure it? Again, I feel like I should definitely do it.
e) And a friend of mine answered that probably the PayPal login data is being exchanged. If so: should I secure the admin pages where the PayPal API credentials are filled out, as well? ( admin/store/settings/payment/edit/gateways ).

I know these are a lot of questions, but I feel I need to be sure about all this.
All feedback is much appreciated.

Cheers,
Danny

Lyle
Joined: 08/07/2007
Re: quite some SSL questions

a) I honestly don't know. :)
b) Security costs performance. For pages and information that is freely available, it doesn't really matter if it's possible for someone to read the data passed back and forth. Instead, those pages should be made as fast as possible so that the most people have a chance to view them.
c) Here's a FAQ page with a link to a discussion about that. I think a certificate can be set to just particular paths, but changing that is a lot harder than modifying a module's settings.
d) If they are giving you bank account information during checkout, you definitely want to secure that. But if not, then you only need the capability to serve secure pages. Securing the PayPal login information should depend on their SSL certificate, not yours.
e) This is probably the biggest motivation for securing your website. The chances that someone is looking the one time you put your credentials in are pretty small, I imagine. But for this kind of thing it's much better to be safe than sorry.

Danny_Joris
Joined: 05/09/2009

Cool!

d) Does the PayPal Standard payment method give away important information that needs to stay secret? Like you said: all the stuff that needs to stay secure happens on the PayPal website, doesn't it?

I kinda replied here: http://www.ubercart.org/forum/support/1850/ssl_which_paths_do_you_protec... .

Sorry if you feel that I repeat things, but I'm not always sure if I understand it all. I just want to make sure.

I think I'm going to use SSL anyway to be sure. I just wanted to know if I'm not throwing away money.

Thanks so much for your help, Lyle!

Cheers,
Danny