If you're going to run an online store or ecommerce Web site, you should be aware of HTTPS - or HyperText Transfer Protocol with Secure Sockets Layer. HTTPS is a protocol to transfer encrypted data over the Web.
There are two primary differences between an HTTPS and an HTTP connection work:
- HTTPS connects on port 443, while HTTP is on port 80
- HTTPS encrypts the data sent and received with SSL, while HTTP sends it all as plain text
Most Web customers know that they should look for the https in the URL and the lock icon in their browser when they are making a transaction. So if your storefront is not using HTTPS, you will lose customers. But even still, it is common to find Web sites that collect money including credit card data over a plain HTTP connection. This is very bad.
As I said above, HTTP sends the data collected over the Internet in plain text. This means that if you have a form asking for a credit card number, that credit card number can be intercepted by anyone with a packet sniffer. Since there are many free sniffer software tools, this could be anyone at all. By collecting credit card information over an HTTP (not HTTPS) connection, you are broadcasting that credit card information to the world. And the only way your customer will learn it was stolen is when it's maxed out by a thief.
What You Need to Host Secure Pages
There are only a couple things you need in order to host secure pages on your Web site:
- A Web server such as Apache with mod_ssl that supports SSL encryption
- A Unique IP address - this is what the certificate providers use to validate the secure certificate
- An SSL Certificate from an SSL certificate provider
If you aren't sure about the first two items, you should contact your Web hosting provider. They will be able to tell you if you can use HTTPS on your Web site.
After You've Got Your HTTPS Certificate
Your hosting provider will need to set up the certificate in your Web server so that every time a page is accessed via the https:// protocol, it hits the secure server. Once that is set up, you can start building your Web pages that need to be secure.
Here are some tips for using HTTPS:
- Point to all Web forms on the https:// server. Whenever you link to Web forms on your Web site, get in the habit of linking to them with the full server URL including the https:// designation. This will insure that they always are secured.
- Use relative paths to images on secured pages. If you use a full path (http://www...) for your images, and those images are not on the secure server, your customers will get error messages that say things like: "Insecure data found. Continue?" This can be disconcerting, and many people will stop the purchase process when they see that. If you use relative paths, your images will be loaded from the same secure server as the rest of the page.
- Secure only the pages that request and collect data. It is possible to run your entire Web site on https://, but it slows down the connection and some SSL providers charge you on the bandwidth secured. You should only secure those pages that collect data.