I still think forcing SSL is a bad idea. Again, an unsuspecting user will not be a happy camper after taking the time to download and install the application only to find out they can't use it without an SSL cert - like I did. SSL is not necessary on many sites using an application such as EOS, CRE or osC unless you plan on accepting CC's directly on your site. Many are using other payment gateway's and payment processors [e.g. PayPal] which already have SSL in place.
If you request identity information such as billing address, name and telephone number, you need a
secure encrypted channel to send it. You also need good
P3P in place.
As far as security goes, there are other ways to secure a site without the need for an SSL cert. There are not too many cases of someone hijacking usernames and passwords during transmission - there is more to it than that. If that were the case, all sites would be using SSL. Anyone with good knowledge of .htaccess, or those willing to take the time to learn, can secure their sites without the cost of a cert. One of the biggest issues is failure to use the correct permissions on configuration files and not using or improperly using .htaccess - not theft of passwords from the zeros and ones.
Filipek, R. 2005 Card issuers fight online fraud The Free Library (June, 1),
http://www.thefreelibrary.com/Card+issuers+fight+online+fraud-a0133390270 (accessed January 14 2009)
The PCI standard requires Internet retailers to complete a 12-step security audit that must be certified annually and checked every three months. Starting on June 30, retailers that do not comply with the standard will face heavy fines and could be barred from processing credit card transactions. Credit card companies hope the stricter rules will lead to fewer stolen credit card numbers over the Internet. See Jheary 2007 PCI Compliance, the 12 Step Program (Nov, 29),
http://www.networkworld.com/community/node/22442 (accessed January 14 2009)
The standard replaces separate standards and merchant requirements established by individual credit card companies in the past. It incorporates data security best practices from these companies, provides a common compliance document for Internet retailers, and helps establish the responsibilities of anyone using credit card information when data theft occurs.
[ILLUSTRATION OMITTED]
Among the requirements the standard prescribes to safeguard information are:
* Installing and maintaining a firewall system.
* Encrypting transmission of cardholder data and sensitive information across public networks.
* Maintaining secure systems and applications.
* Limiting access to data by businesses to a need-to-know basis.
* Developing a data retention and disposal policy.
* Using and frequently updating antivirus software
.
* Monitoring all access to network resources and cardholder data.
* Testing security systems and processes regularly.
The point I stress, here, is * Encrypting transmission of cardholder data and sensitive information across public networks. your admin pages HAVE to be encrypted because it stores sensitive information and is required by federal law. See RSA.com 2005 A Corporate Minefield: FTC Demands “Reasonable & Appropriate” Measures to Protect Digital Assets (August 04)
http://www.rsa.com/press_release.aspx?id=5991 (accessed January 14, 2009)
I think it would be better to STRESS the use of SSL on an ecommerce site - not forcing its use.
So IMHO it makes sense to develop software that complies with federal and international law. I know we intend to tackle taxation at some point.
