ssl - which paths do you protect?

Posts: 142
Joined: 10/08/2007

We're gearing up to go live with our first Ubercart site. Anyway, I was hoping to get some feedback on which protected paths folks are specifying in their SSL configuration using the Secure Pages module. Let's assume a dedicated certificate to keep it simple. I just don't want to miss something that somebody has already discovered by running their store for a while. A definitive or suggested list of paths would be great, as would a recommended secure configuration in terms of SSL. I'm not looking for a complete PCI-compliant run-through, just the paths to protect with SSL. Also, it might differ a bit if one was using something like PayPal Pro vs. IPN. We are probably going to try for a full integration, not redirected like PayPal IPN. I couldn't find this type of doc anyplace on the site. Thanks for the help, and I apologize if I missed it.

Posts: 950
Joined: 08/14/2007

Here's my setup:

user
user/*
user/*/edit
admin
admin/*
cart/checkout
cart/checkout/review
cart/checkout/payment_details/*
cart/checkout/complete
uc_paypal/ipn/*
uc_paypal/wps/*
uc_paypal/wps/complete/*
cgi-bin/webscr

Wanted to keep all transaction and user information on the secure side, including stuff going out and coming back from PayPal IPN. Hope this helps some. (Probably not a definitive list but it's working for our site at this point.)

--

"Pain don't hurt." - Dalton

Mike Nelson's RiffTrax! www.rifftrax.com

Posts: 93
Joined: 08/07/2007

Torgos-

Question for you: do you think it's necessary to do admin?

And do you do it for all sites? Does making admin SSL-secure really help against hacking, do you think? I can understand it for when you process information, but I never really thought of putting the admin (or the users, for that matter) behind it.

What are your thoughts? Thanks...

BTW, I'm at a Mac store testing these new MacBooks, and I don't know about the rest of it, but I love typing on this keyboard. I am really flying.

Posts: 950
Joined: 08/14/2007

SSL should be employed wherever there's going to be sensitive information transmitted. This includes site configuration stuff like passwords, database connection info, sensitive paths... basically, IMO, any time I'm going to be typing things I don't want intercepted, I'll put it behind SSL. And user information definitely should be, especially on the screens where they need to type a password (login screen at /user and account info screen at /user/*/edit).

So yeah, I would say yes to putting admin behind a secure certificate. I would potentially even put it behind a level of HTTP authentication as well (a "protected directory" in Plesk). Maybe not, since I'm using Drupal now, but you can really never be too secure with your customers' and website's sensitive data.

--

"Pain don't hurt." - Dalton

Mike Nelson's RiffTrax! www.rifftrax.com

Posts: 142
Joined: 10/08/2007

Hi. I was wondering about why you protect the path ...

cgi-bin/webscr

which is a PayPal path? I'm assuming Ubercart does an HTTPS call from within the payment module to PayPal?

Also, if you set "auto-return" to "on", then what path should you use for the return path? If you do this, then I believe Ubercart sends an auto-return path as well. Does one override the other? Does Ubercart send an SSL return path, or is it irrelevant since it will be redirected to the SSL path when Drupal gets it from PayPal? Geez, sorry to dump all of that out there! Any help is greatly appreciated. Ahhh, love doing IPN stuff, so much fun. :)

Posts: 142
Joined: 10/08/2007

OK, figured out why cgi-bin/webscr is there. It fixes a bug with the Secure Pages module that mangles your outgoing SSL URLs, like the HTTPS URL to PayPal for Website Payments Standard. You need to have this value in the secure URL paths to make Ubercart and Secure Pages play nicely and create the secure URL to PayPal. Hope this helps somebody else.
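To make the two points in this thread concrete (the protected-path list Torgos posted above, and the cgi-bin/webscr workaround explained here), the following is a small checker added as an example; it is not code from the Secure Pages module or from Ubercart. It assumes the pattern rule Drupal's path matching uses (a `*` stands for any run of characters, slashes included, and everything else is literal), models the "force protected paths to https, force everything else back to http" behaviour of a secure-pages style module, and reads the outgoing-link mangling as that same rule being applied to absolute links regardless of host. Path names other than those in the posted list (`user/login`, `user/password`, `cart`, `node/1`, `admin/store`) are assumed sample paths, not anything the thread states.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# The protected-path list posted earlier in this thread, one pattern per line.
SECURE_PAGES = """user
user/*
user/*/edit
admin
admin/*
cart/checkout
cart/checkout/review
cart/checkout/payment_details/*
cart/checkout/complete
uc_paypal/ipn/*
uc_paypal/wps/*
uc_paypal/wps/complete/*
cgi-bin/webscr"""


def compile_patterns(pages: str) -> re.Pattern:
    """Turn a newline-separated list of Drupal-style path patterns into one anchored regex.

    Assumption: '*' matches any run of characters (including '/'); all other
    characters are literal. Blank lines are ignored.
    """
    alternatives = []
    for line in pages.splitlines():
        line = line.strip()
        if line:
            alternatives.append(re.escape(line).replace(r"\*", ".*"))
    return re.compile(r"^(?:" + "|".join(alternatives) + r")$")


def is_secure_path(path: str, pattern: re.Pattern) -> bool:
    """True if the system path (leading/trailing slashes ignored, no query string) is protected."""
    return pattern.match(path.strip("/")) is not None


def redirect_for(scheme: str, host: str, path: str, pattern: re.Pattern):
    """URL a request should be redirected to, or None if it already has the right scheme.

    Protected paths are forced to https; everything else is forced back to http,
    which is the behaviour this example assumes for a secure-pages style module.
    """
    wanted = "https" if is_secure_path(path, pattern) else "http"
    if scheme == wanted:
        return None
    return f"{wanted}://{host}/{path.strip('/')}"


def rewrite_link(url: str, pattern: re.Pattern) -> str:
    """Simplified model of the outgoing-link rewriting described in the thread (an assumption).

    Every absolute link gets the scheme its *path* calls for, with the host ignored.
    That is why an https link to paypal.com/cgi-bin/webscr is downgraded unless
    'cgi-bin/webscr' itself appears in the protected list.
    """
    parts = urlsplit(url)
    wanted = "https" if is_secure_path(parts.path, pattern) else "http"
    return urlunsplit((wanted, parts.netloc, parts.path, parts.query, parts.fragment))


def uncovered(candidates, pattern: re.Pattern):
    """Candidate paths that would stay on plain http under this configuration."""
    return [p for p in candidates if not is_secure_path(p, pattern)]


if __name__ == "__main__":
    pat = compile_patterns(SECURE_PAGES)
    # Constructed sample requests. 'cart' and 'node/1' are assumed paths used
    # only to show what the list leaves on http.
    for scheme, path in [("http", "user/login"), ("http", "user/123/edit"),
                         ("https", "node/1"), ("http", "cart/checkout/review"), ("http", "cart")]:
        print(f"{scheme}://shop.example/{path:24} -> {redirect_for(scheme, 'shop.example', path, pat)}")
    # Assumed path 'cart/checkout/payment_details' illustrates that a trailing '/*'
    # does not match the bare prefix without the slash.
    print("left on http:", uncovered(["user/password", "cart", "cart/checkout/payment_details"], pat))
    # The PayPal form URL with and without the workaround entry.
    without = "\n".join(l for l in SECURE_PAGES.splitlines() if l != "cgi-bin/webscr")
    paypal = "https://www.paypal.com/cgi-bin/webscr"
    print("without entry:", rewrite_link(paypal, compile_patterns(without)))
    print("with entry:   ", rewrite_link(paypal, pat))
```

Run it against your own list before going live: anything in `uncovered()` that accepts a password or card data is a page a customer will submit in the clear, and the `rewrite_link` pair shows why the PayPal path has to be listed even though it is not a path on your own site.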

Posts: 950
Joined: 08/14/2007

Exactly. I forget if I found that solution on this forum or elsewhere (Drupal maybe?)

But as far as I know, the auto-return path gets sent via POST automatically, so you don't need to specify it in your profile / web payment settings.

--

"Pain don't hurt." - Dalton

Mike Nelson's RiffTrax! www.rifftrax.com