Is it possible to secure the contact us page or any certain page with SSL?
Is it possible to secure the contact us page or any certain page with SSL?
What's the point? The contact-us message is sent by email, which is the least secure communications method available. So, protecting the Contact-Us page with SSL would be pointless from a security perspective.
.
Zen Cart - putting the dream of business ownership within reach of anyone!
Donate to: DrByte directly or to the Zen Cart team as a whole
Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.
I could see a benefit to this if the contact us page has been extended to collect additional and personal or commercially sensitive information, since it submits back to itself, but only if you have encrypted email between your server and wherever you receive the mail.
In this case you would need to find all instances of zen_href_link(FILENAME_CONTACT_US) and change them to zen_href_link(FILENAME_CONTACT_US, '', 'SSL')
But you'd then need to maintain those changes (and there's quite a few of them) through future upgrades. So I would double check against DrByte's point and make sure that you really do have a sufficiently secure infrastructure and a really valid benefit for doing this before going ahead.
Last edited by kuroi; 23 Apr 2011 at 11:40 AM.
Kuroi Web Design and Development | Twitter
(Questions answered in the forum only - so that any forum member can benefit - not by personal message)
I can't get the Contact US page to work, it crashes, since everything else is SSL. HOW DO I GET IT TO BE SSL.
Read kuroi's post #3Originally Posted by PatriciaWhipp
1 reason would be that it is required by law in The Netherlands that the contact us page should be in SSL.
I came, I saw, I got zenned... :)
Re:
I have 'tpl_modules_shipping_estimator.php' currently hide the user name and address (if logged in) as it's included in the shopping cart page ~ which is not always SSL.
From kuroi #3 i've found varitions for the cart page
to force the cart page to use SSL are the following revisions correct?PHP Code:zen_href_link(FILENAME_SHOPPING_CART)
zen_href_link(FILENAME_SHOPPING_CART, ' ', 'NONSSL')
zen_href_link(FILENAME_SHOPPING_CART, 'action=remove_product&product_id=' . $product['id'])
zen_href_link(FILENAME_SHOPPING_CART, 'action=update_product', $request_type)
PHP Code:zen_href_link(FILENAME_SHOPPING_CART, ' ', 'SSL')
zen_href_link(FILENAME_SHOPPING_CART, ' ', 'SSL')
zen_href_link(FILENAME_SHOPPING_CART, 'action=remove_product&product_id=' . $product['id'], 'SSL')
zen_href_link(FILENAME_SHOPPING_CART, 'action=update_product', $request_type, 'SSL')
I am having a problem with McAfee PCI scan citing my contact us page is not secure. I requested a false positive (no sensitive information passed from this form) and they rejected it with "name and email are still sensitive information and must be ssl" (well, I used quotes by that is not word-for-word:) Anyway, I followed #3 above and made all my links SSL. I had McAfee rescan, and got the same result. I noticed that if you simply remove the "s" from the URL, you get the non-SSL page (which I assume that is why it is still failing). I also did this to my login and checkout page with the same result. It appears we can "guide" a user to SSL, but not "force" it.
Is there a way to FORCE the ssl on a page? I've searched the net and many speak against putting it in an htaccess file. I tried a simple 301 rewrite for that particular page and didn't work anyway (not experienced by the way!). Any help would be appreciated!
Um ... step back a moment.
On the checkout or contact-us screens, it doesn't matter if you arrive at the page in http mode, because all the data entered is only transmitted over https anyway.
This is a basic misunderstanding that many people have:
a) the URL displayed in the browser is the address used to DISPLAY the page
b) the URL in the <form action="URL HERE"> tag inside the page's HTML is what is used to SUBMIT the page.
And Zen Cart always puts an HTTPS URL into the <form action> when the page is set up to be protected by SSL, such as checkout.
So, fudging the URL used to ACCESS or DISPLAY the page is moot. If THAT is what the PCI Scanner is looking at, then it's amateurish and ought not to be in the business of scanning.
So ... if your issue is that the scanner is absolutely bent on the idea of an email address being ultra-sensitive information, then change the zen_draw_form(FILENAME_CONTACT_US) reference in your template and set its 3rd parameter to 'SSL' instead of 'NONSSL' and this whole problem goes away.
But, as I said in my first post in this long thread, the information collected is immediately sent off to the storeowner VIA EMAIL ... and we all know that EMAIL is the LEAST SECURE communication method on the internet. So ... protecting the collection of that info by SSL is entirely moot. Especially since THE PERSON GIVING THEIR EMAIL ADDRESS IS EXPECTING YOU TO EMAIL THEM AT SOME POINT. They WANT to be contacted. And they've opted to receive that contact via email. So clearly they don't object to the use of their information being shared in an email. So ... it goes back to the basic question: why is this considered "ultra sensitive" in the first place?
Anyway, rant over.
I suspect that your scanner is not doing its job correctly.
.
Zen Cart - putting the dream of business ownership within reach of anyone!
Donate to: DrByte directly or to the Zen Cart team as a whole
Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.
Thank you for your reply, passionate as it isIf I had an ounce of the knowledge you have on the subject, I might be willing to fight that fight with McAfee. Unfortunately, as a lowly shop owner with minimal knowledge and a measly attempt to stay PCI compliant and avoid trouble, I find myself mostly trying to appease them.
As such, if your comments above will work, I would certainly like to try it, but am a little unclear on the exact place and coding format I need. I found this line in my tpl_contact_us_default file in my template:
<?php echo zen_draw_form('contact_us', zen_href_link(FILENAME_CONTACT_US, 'action=send')); ?>
But I do not see a NONSSL reference to change to SSL. A little help if you can as to which file and code line I'm looking for to change would greatly be appreciated.
This I agree with, and was my reasoning for requesting a false positive in the first place. Though again, it's not a fight I feel confident in winning. If changing a bit of code somewhere can avoid the fight, I'm willing to go that route and move on. I do thank you for your help. I understand this is a bit of a sensitive discussion with heated opinions on both sides. I'm not strong enough on the subject to pick a side. I just want to be able to submit my little questionnaire and passing pci scan result and move on to the business of shop keeping![]()