Dutch Webshop Security Question

[NotSeanConnery]

Hi,

My question:
Do I need SSL ?

Payment methods:
iDeal (SSL protected online payment method ) http://en.wikipedia.org/wiki/IDEAL
Paypal
Bankwire

If I do need SSL, what do you guys recommend?

Thanks a million (in advance)
(ps. I know that SSL protection is advised by the Dutch consumer protection organisations)

[marcelm]

Hi,

There is not really a need for SSL, since PayPal and iDeal are already protected that way.
No sensitive data is transfered during the bank wire option so no worry for that one either!

Marcel

[Radu]

I must recommend SSL for many reasons.

1. security - even for instance in paypal case the real payment is handled by paypal website - in most of the cases paypal included sensitive information is still sent in clear text - like customer name and address phone etc...

Other than payment methods when registering the password is sent through the network in clear text if you don't have a ssl cert installed

2. customers will be confident buying on your website if you have a ssl certificate. Most companies that sell ssl certs will offer logos to place on your website assuring your clients you run a secure website and you DO CARE about security and privacy


Hope it's clear enough - questions, let me know

[marcelm]

I'm sorry but for me customer name, address and phone number is not sensitive data, it can be found in any phonebook or package that you ship.

[ramblingrose]

I have to agree with marcelm. When I started with osCommerce I bought an SSL certificate although with offering Paypal and bankwiring there wasn't really a need for it. After a couple of years I didn't renew it because of those reasons and I haven't found any differences in customers behaviour. Once you are handling sensitive data, not adresses and thelike, I certainly would get an SSL certificate.

[Radu]

wheeloftime, you and marcel have a good point, and I need to agree with you.

after all ssl may be a matter of taste and price. nowadays a ssl cert price is starting as low as 10-20$/year or may be free depending on the hosting plan.

if someone hijacks customer data and password may not be critical

in some cases (I've personally met the situation 3 times) on the pcs a trojan can listen to network traffic and steal username/password in case the traffic is not encrypted(no ssl)

in this way even admin password can be stolen if you are infected with a similar trojan (ftp details too if you are not using ssh or secure ftp). it's theoreticaly possible.

so a ssl may not be required but it's recommended

[ramblingrose]

Hi Radu,

Though I have, luckily, no experience with keyloggers on a local machine it is my understanding they intercept your keystrokes on exactly your very own local computer. An SSL certificate will merely encrypt data sent from your hosts server and not from a local computer so it is of no use at all when a local computer gets infected with something nasty. I agree that the prices for SSL certificates are fairly low nowadays and shouldn't be a problem for a serious shop owner.

Kind regards,
Howard

[Radu]

I was talking about network sniffers not keyloggers, you are right about them.