Thread: Anyone want to explain SSL to me?

  1. #1
    A Straw? And Fruit? Bazzlad's Avatar

    Anyone want to explain SSL to me?

    As I've never had to use it before.
    I want to set up an order system online, and as credit card details will be exchanged I want it to be secured.

    Now from what I gather, you buy the certificate and secure your server OR you buy a shared certificate from your hosting company (what I intend to do).

    That route I intend to take means I'll have a folder in my webspace which is secured.

    This is where it becomes hazy.
    Can I just use a mail form (HTML post and php) inside this folder and it'll be protected?
    Can I email the information securely to the end user?
    Or should I use a database? Will that need securing?

    Help please!

    Cheers!

  2. #2
    Will work for beer... nichomach's Avatar

    SSL means that the session with the browser is encrypted; that just means that traffic between your site and the punter is protected from eavesdropping (well, as well as 128-bit encryption can make it, I guess). That's distinct from whatever security measures you put into your site once the punter's using it. To put it another way, if you left your customers' credit card details in a plain text file with no permissions set on your site, SSL wouldn't stop nasty cracker person from reading that file, but it would protect them from being eavesdropped on while they did.

    Can I ask why you'd want to reinvent the wheel? There're a lot of online payment services you could use - NoChex, WorldPay etc.

  3. #3
    A Straw? And Fruit? Bazzlad's Avatar

    Thanks for that.
    Cleared it up a little - Them giving me the data is protected, what I do with it afterwards is down to me.

    The reason I'm re-inventing the wheel is because I don't want to take a payment. I just need the details for a credit check.

  4. #4
    Agent of the System ikonia's Avatar

    keep in mind there are rules on what and how you store the data. There are also rules and guidelines for using shared servers (no idea if you are or not but your post sounds like it is).

    Where is your target audience based UK/USA/Asia etc again, I assume UK, but just be aware some countries only allow X level of encryption, some none at all, so make sure you don't break their laws if you're targeting or expecting overseas guests.
    It is Inevitable.....


  5. #5
    A Straw? And Fruit? Bazzlad's Avatar

    All UK based, and I'll look at the rules for storing data.

    Cheers!

  6. #6
    Comfortably Numb directhex's Avatar

    ssl relies on a chain of trust - your web browser won't know that foocorp.com is who it says it is, but it does know that verisign know what they're doing (nobody laugh), so if your web browser visits foocorp.com, and foocorp.com's certificate is signed by a trusted party like verisign, then there's an established chain of trust, and you can safely proceed

    trust can break down in one of the following scenarios:
    * you visit foocorp.com, but the certificate they give you is for barltd.org.uk - they're not who they say they are, trust is lost
    * the certificate is expired, or hasn't started yet - they might no longer be who they say they are, trust is lost
    * the certificate you get is signed by somebody you don't trust (e.g. foocorp.com signed it themselves) - you don't know who to ultimately believe, and trust is lost

    browsers give ssl popup warnings on the three events above
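
The three failure scenarios in the post above, as an added example that is not part of the original thread: a simplified Python model that runs the same checks over a certificate in the dict shape returned by `ssl.SSLSocket.getpeercert()`. The sample certificate, the `Example Trusted CA` name and the `trust_failures` function are constructed for illustration; real TLS libraries verify the issuer's signature cryptographically rather than comparing names.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "foocorp.com"),),),
    "issuer": ((("commonName", "Example Trusted CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "foocorp.com"), ("DNS", "*.foocorp.com")),
}
TRUSTED_ISSUERS = {"Example Trusted CA"}  # stand-in for the browser's root store


def _common_name(rdns):
    """Pull commonName out of the nested tuple form getpeercert() uses."""
    for rdn in rdns:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def _name_matches(pattern, hostname):
    """Exact match, or '*' standing in for exactly one leftmost label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    return (p[0] == "*" or p[0] == h[0]) and p[1:] == h[1:]


def trust_failures(cert, hostname, now, trusted=TRUSTED_ISSUERS):
    """Return which scenarios apply to a site certificate; [] means trusted."""
    failures = []
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(_name_matches(n, hostname) for n in names):
        failures.append("name mismatch")      # cert is for somebody else
    ts = now.timestamp()
    if ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        failures.append("not yet valid")      # hasn't started yet
    elif ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        failures.append("expired")
    issuer = _common_name(cert["issuer"])
    if issuer == _common_name(cert["subject"]):
        failures.append("self-signed")        # the site signed it itself
    elif issuer not in trusted:               # name check only, no signature
        failures.append("untrusted issuer")
    return failures
```
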

  7. #7
    TiG
    Walk a mile in other peoples shoes...

    Yep the new regulations for storing credit card details are now in force. Most people are still in breach but they include both electronic and physical security. All stored passwords must be encrypted, and the suggestion is that you should always use something like a hosted service now. I.e. just post your details to an online agency like CommIdea etc.

    https://www.pcisecuritystandards.org/tech/

    Link to the standards above.

    TiG
    -- Hexus Meets Rock! --

  8. #8
    A Straw? And Fruit? Bazzlad's Avatar

    Cheers mate,
    An encrypted email seems the easier way than storing it on a server now!!!
    Will look into PGP and PHP - wish I did ASP, could write it in an encrypted PDF then.
