
ssl, legal issue
Do I really need SSL for an e-commerce site, talking about the legal issue *IF* I don't care about my customers' security? For example, I've found the site www.compucare.com has no secure server because they don't care about their customers.
I know if I don't feel safe, I shouldn't order at their site at all, but how many online users actually know there has to be a little "lock" icon on their browser to make an order? Does compucare.com violate anything by not having an SSL server? Give me your input pls.
avara 02-19-2002, 02:51 PM This depends on your bank or credit card processor. Depending on your processor, it may be a requirement for you to take credit cards via SSL. On the other hand, it might not.
Even the big ecommerce stores like Amazon.com allow you to pay via credit card without using SSL, as some people are still using old browsers/proxy servers which make the use of SSL impossible.
Incognito 02-19-2002, 03:10 PM Is the information processed on your site? If so, absolutely.
If the information is processed on your gateway's site under their SSL, then you can get by without.
DigitalXWeb 02-19-2002, 03:48 PM I can say this: if you go advertising the fact that you are not using SSL for orders processed on your site, crackers are going to have a field day with your clients!! You won't have any bandwidth left to use because they will have so many packet sniffers running it will suck the pipe dry!! My advice: spend the $79.00 and protect your clients!!
avara 02-19-2002, 04:52 PM Originally posted by DigitalXWeb
I can say this if you go advertising the fact that you are not using SSL for orders processed on your site. Crackers are going to have a field day with your clients!!
That's not really true, as the credit card information will still be stored securely. Anyway many sellers including Amazon.com advertise the fact that you can pay without going through SSL, and their site still seems to be up and running.
bigmattyh 02-19-2002, 05:08 PM I think it would be a minimal common courtesy to inform your customers if they will be sending private data over the network unencrypted.
It is possible for hackers to read your customers' info before it goes into your secure database. If hackers discover that you're not encrypting your connection, rest assured that one of them somewhere will do everything he can to intercept your traffic and steal as many of your customers' credit card numbers as possible.
Legally, if someone intercepts your customers' data, is that your responsibility? If you have any question, you'd better provide yourself and your customers with an extra layer of protection, or it will end up costing you big $$$ in the long run with lawsuits. At the very least, you should inform your customers if you aren't encrypting their information. But if you really don't want any problems in the first place, get an SSL certificate, and encrypt your data.
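What "reading your customers' info before it goes into your secure database" looks like in practice, as an added example that is not part of this thread: a plaintext HTTP order submission is just bytes on the wire, and anyone on the path can pull the card number out of it mechanically. The capture below is constructed (the card is the standard Visa test number, the host name and form fields are invented); the Luhn check keeps an order number or phone number from being mistaken for a card.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs

# Constructed sample (not a real capture): the bytes a sniffer on the path sees
# when an order form is submitted over plain HTTP. "cc" is the standard Visa
# test number; "order_id" is a digit string that is not a card number.
_BODY = ("name=J+Doe&order_id=12345678901234&cc=4111111111111111"
         "&exp=12%2F04&phone=555-0100")
CAPTURED_HTTP_POST = (
    "POST /cgi-bin/order.cgi HTTP/1.0\r\n"
    "Host: shop.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: {len(_BODY)}\r\n"
    "\r\n" + _BODY
)

# Candidate card: 13-19 digits, optionally separated by single spaces or
# dashes, not embedded in a longer run of digits.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; rejects most digit strings that are not cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return Luhn-valid card-like digit strings found in arbitrary text."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask(card: str) -> str:
    """Keep the first six and last four digits, as a receipt or log should."""
    return card[:6] + "*" * (len(card) - 10) + card[-4:]


def scan_http_request(raw: str) -> Dict[str, object]:
    """Split a captured plaintext HTTP request and pull card numbers from the body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    fields = {k: v[0] for k, v in parse_qs(body).items()}
    # Scan the decoded field values, so separators hidden by URL encoding
    # (e.g. %20) do not split a number apart.
    cards: List[str] = []
    for value in fields.values():
        cards.extend(find_card_numbers(value))
    return {
        "request": request_line,
        "fields": fields,
        "cards": cards,
        "masked": [mask(c) for c in cards],
    }


if __name__ == "__main__":
    print(scan_http_request(CAPTURED_HTTP_POST))
```

Run against the sample, the scan returns the single card number and the order number is dropped by the Luhn check. Over TLS the same bytes on the wire are ciphertext and this scan finds nothing, which is the whole argument for the certificate.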
avara 02-19-2002, 06:26 PM Originally posted by bigmattyh
I think it would be a minimal common courtesy to inform your customers if they will be sending private data over the network unencrypted.
Agreed.
It is possible for hackers to read your customers' info before it goes into your secure database. If hackers discover that you're not encrypting your connection, rest assured that one of them somewhere will do everything he can to intercept your traffic and steal as many of your customers' credit card numbers as possible.
Possible, yes. In the real world? If you are on your own switched ethernet port, or in your own facility, this would be damn near impossible.
Look at it this way: While Amazon processes most of their customers via SSL, they also process a small percentage without SSL, and as they've got a huge customer base, this really adds up. Have you heard of crackers stealing their customer CC information while the data was in transit? I haven't. In fact, I ordered some books from them from a public computer which didn't support SSL not too long ago, and had to use the unsecure order link.
Suffice to say that my credit card didn't get stolen, and I haven't heard of a case of this happening yet.
The real concern to me seems to be the actual storage of credit card information. This is really where crackers get ahold of numbers -- where they force their way into a server containing CC information, and copy it.
Now don't get me wrong, I think an extra layer of security does not hurt. In fact, it's a good thing. I'm just saying that "if I don't use SSL crackers will find a way to steal it" doesn't always hold true in the real world.
bigmattyh 02-19-2002, 07:10 PM Oh yeah -- I'm not saying it's very likely, but it is technically possible. I'm just thinking that if you don't fork over the relatively small fee for a certificate -- or at the least, generate your own -- you're leaving you and your customers exposed.
I think as a legal issue -- and I'm not sure what the case law is -- if, even in the improbable event that a cracker can steal your internet traffic, you can probably be held liable for not providing adequate warning. I just don't see why anyone wouldn't. It would probably end up costing you more in the long run not to.
I, for one, would never input my credit card information to a merchant without these things:
1. Phone Number
2. Real Address (no po box)
3. SSL Cert
4. Have to know company
I think a lot of people are like me, correct me if I am wrong.
Jim
doug357 02-19-2002, 08:52 PM Amen
Thanks avara, I forgot about the option for non-SSL in Amazon since there is still 0.1% that doesn't support it.
Paying about 100 bucks a year is no big deal, but seeing a site like compucare.com with tons of products yet they are so cheap they won't buy one, and they don't state that at all, makes me consider not having it :). Hey, I'm not them, and $100 does matter to me, especially since I'm not sure if my site will make any profit.
How about expired SSL? If a merchant fails to renew their SSL on time, the browser will pop up a warning, but the lock icon and other things are probably still working; is that safe? I've seen one but couldn't remember the address.
bigmattyh 02-19-2002, 09:29 PM Originally posted by Nam
How about expired SSL? If a merchant fails to renew their SSL on time, the browser will pop up a warning, but the lock icon and other things are probably still working; is that safe? I've seen one but couldn't remember the address.
The encryption will still work. But if the info doesn't all match up, your users' browsers will see a warning. This warning might scare some people off.
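The two halves of that answer, as an added example that is not part of this thread: the checks a browser runs before it shows the lock without a warning (validity window, name match), and what clicking through the warning amounts to. The certificate dict below is constructed in the shape Python's `ssl.SSLSocket.getpeercert()` returns, with invented dates and host names; `fetch_peer_cert()` is the live version and is not run here.

```python
import socket
import ssl
import time
from typing import Dict

# Constructed sample (values invented) in the shape ssl.SSLSocket.getpeercert()
# returns for a verified certificate: a one-year cert issued at the start of 2002.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "issuer": ((("commonName", "Example CA"),),),
    "notBefore": "Jan 01 00:00:00 2002 GMT",
    "notAfter": "Jan 01 00:00:00 2003 GMT",
    "subjectAltName": (("DNS", "shop.example"), ("DNS", "www.shop.example")),
}


def _cert_names(cert: Dict) -> set:
    """DNS names the certificate is valid for (exact names only; no wildcards)."""
    names = {v for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value)
    return names


def cert_status(cert: Dict, hostname: str, now: float) -> Dict[str, object]:
    """Validity-window and name checks a browser performs before showing the
    lock without a warning. `now` is seconds since the epoch (UTC)."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "expired": now > not_after,
        "not_yet_valid": now < not_before,
        "days_left": int((not_after - now) // 86400),   # negative once expired
        "name_matches": hostname in _cert_names(cert),
    }


def fetch_peer_cert(hostname: str, port: int = 443,
                    verify: bool = True) -> Dict[str, object]:
    """Connect and return the negotiated cipher plus the peer certificate.

    verify=True is what a browser does: an expired, mismatched or untrusted
    certificate makes wrap_socket() raise ssl.SSLCertVerificationError.
    verify=False is what clicking through the warning amounts to: the session
    is still encrypted (see "cipher"), but nobody has checked who holds the key.
    """
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return {
                "cipher": tls.cipher(),
                # getpeercert() returns {} when the chain was not verified, so
                # ask for the DER bytes in that case to still see the cert.
                "cert": tls.getpeercert() if verify
                        else tls.getpeercert(binary_form=True),
            }


if __name__ == "__main__":
    print(cert_status(SAMPLE_CERT, "www.shop.example", time.time()))
```

An expired certificate fails only the `expired` check; the key pair and the cipher suite are unchanged, so the traffic is as encrypted as it was the day before. What the warning takes away is the assurance that the party presenting the key is the one named in the certificate, and once users are trained to click through, a forged certificate gets the same click.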
DigitalXWeb 02-19-2002, 11:17 PM Originally posted by avara
That's not really true, as the credit card information will still be stored securely. Anyway many sellers including Amazon.com advertise the fact that you can pay without going through SSL, and their site still seems to be up and running.
I agree it will not be an easy task, but with the newest generation of crackers and the latest tools available, this sure does put the odds in their favor. The key is whether or not they know how to use them and what to do with the packets after they are captured. Personally I would not purchase anything without SSL. That's just me though.
In this case if the money is the issue at least go with a self signed one.
As for the legal issues in regards to this, you cannot be held accountable if you have a notice stating that the transaction will not be secure; otherwise they could sue you for neglect. This is the law in PA; whether it applies to other states or not I am not sure.
BarryS 02-20-2002, 12:06 AM If you are serious about your business, go get SSL, or use a hosting service that offers free or self generated SSL, or a shared SSL should $100 a year sound too much to you.
bitserve 02-21-2002, 06:48 AM I wonder how many people order with credit cards over their cordless or cellular phone without batting an eye, but they hesitate about sending it over that mysterious Internet thing with 128bit encryption.
Anyway, here's a good article:
http://www.rawlogic.com/thefaqs.html
The one that says: "Q: I worry about giving my credit card information over the Internet, how can I guarantee that it's safe?"
I'd bet that 1% of orders still use PGP or something like that internally.
If you're having the results emailed to you unencrypted, and if that leaves your box for one second, that's a security violation.
As my own merchant, I can tell you that my license would be revoked for that.
I must have some sort of encryption for the card information. As a business, I don't see why you wouldn't want to.
First, people are trusting you with their money - if you can't show some common courtesy
Second, why wouldn't you as a business not want to make sure your orders are secure and that you'll get your money? If someone were to hack it and get their information, they could possibly charge on it, forcing the customer to cancel that card, and for you to lose your money.
Third, if you really don't want to spend the small amount of cash for an SSL, I'd at least have the way the data's submitted encrypted w/ GPG
One side of business is selling yourself to the customer. Lets say you're a web host - why would a customer go with you when there are 10 other hosts with almost identical packages who do offer SSL?
allan 02-21-2002, 11:30 AM Originally posted by avara
Possible, yes. In the real world? If you are on your own switched ethernet port, or in your own facility, this would be damn near impossible.
Look at it this way: While Amazon processes most of their customers via SSL, they also process a small percentage without SSL, and as they've got a huge customer base, this really adds up. Have you heard of crackers stealing their customer CC information while the data was in transit? I haven't. In fact, I ordered some books from them from a public computer which didn't support SSL not too long ago, and had to use the unsecure order link.
I think that's a little optimistic. People hack into servers all the time and get credit card information, etc. And it does not have to be at the server level. A technically aware (or lucky) person can often sniff other users on a cable network, etc.
As for Amazon, I see two differences:
1. They have a team of people dedicated to just the security of their servers. So, they are pulling off and encrypting the non-SSL submitted information as quickly as possible -- and protecting against attacks on the server.
2. They are giving people the option to use non-SSL connections. If you cannot use SSL, or do not want to, that is your option. Your site would not be giving people that option.