Page 1 of 2 12 LastLast
Results 1 to 10 of 30

Hybrid View

  1. #1
    Join Date
    Jan 2010
    Posts
    19
    Plugin Contributions
    0

    help question How to secure contact us page with SSL?

    Is it possible to secure the contact us page or any certain page with SSL?

  2. #2
    Join Date
    Jan 2004
    Posts
    66,446
    Plugin Contributions
    81

    Default Re: How to secure contact us page with SSL?

    What's the point? The contact-us message is sent by email, which is the least secure communications method available. So, protecting the Contact-Us page with SSL would be pointless from a security perspective.
    .

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  3. #3
    Join Date
    Apr 2006
    Location
    London, UK
    Posts
    10,569
    Plugin Contributions
    25

    Default Re: How to secure contact us page with SSL?

    I could see a benefit to this if the contact us page has been extended to collect additional and personal or commercially sensitive information, since it submits back to itself, but only if you have encrypted email between your server and wherever you receive the mail.

    In this case you would need to find all instances of zen_href_link(FILENAME_CONTACT_US) and change them to zen_href_link(FILENAME_CONTACT_US, '', 'SSL')

    But you'd then need to maintain those changes (and there's quite a few of them) through future upgrades. So I would double check against DrByte's point and make sure that you really do have a sufficiently secure infrastructure and a really valid benefit for doing this before going ahead.
    Last edited by kuroi; 23 Apr 2011 at 11:40 AM.
    Kuroi Web Design and Development | Twitter

    (Questions answered in the forum only - so that any forum member can benefit - not by personal message)

  4. #4
    Join Date
    Jan 2008
    Posts
    2
    Plugin Contributions
    0

    Default Re: How to secure contact us page with SSL?

    I can't get the Contact US page to work, it crashes, since everything else is SSL. HOW DO I GET IT TO BE SSL.

  5. #5
    Join Date
    Aug 2005
    Location
    Arizona
    Posts
    27,755
    Plugin Contributions
    9

    Default Re: How to secure contact us page with SSL?

    Quote Originally Posted by PatriciaWhipp
    HOW DO I GET IT TO BE SSL
    Read kuroi's post #3

  6. #6
    Join Date
    Jan 2009
    Location
    The Netherlands/Germany
    Posts
    142
    Plugin Contributions
    12

    Default Re: How to secure contact us page with SSL?

    1 reason would be that it is required by law in The Netherlands that the contact us page should be in SSL.
    I came, I saw, I got zenned... :)

  7. #7
    Join Date
    Sep 2010
    Posts
    48
    Plugin Contributions
    1

    Default Re: How to secure contact us page with SSL?

    Re:
    Quote Originally Posted by JC.M View Post
    Is it possible to secure the contact us page or any certain page with SSL?
    Quote Originally Posted by kuroi View Post
    In this case you would need to find all instances of zen_href_link(FILENAME_CONTACT_US) and change them to zen_href_link(FILENAME_CONTACT_US, '', 'SSL')
    I have 'tpl_modules_shipping_estimator.php' currently hide the user name and address (if logged in) as it's included in the shopping cart page ~ which is not always SSL.

    From kuroi #3 i've found varitions for the cart page
    PHP Code:
    zen_href_link(FILENAME_SHOPPING_CART)
    zen_href_link(FILENAME_SHOPPING_CART' ''NONSSL')
    zen_href_link(FILENAME_SHOPPING_CART'action=remove_product&product_id=' $product['id'])
    zen_href_link(FILENAME_SHOPPING_CART'action=update_product'$request_type
    to force the cart page to use SSL are the following revisions correct?
    PHP Code:
    zen_href_link(FILENAME_SHOPPING_CART' ''SSL')
    zen_href_link(FILENAME_SHOPPING_CART' ''SSL')
    zen_href_link(FILENAME_SHOPPING_CART'action=remove_product&product_id=' $product['id'], 'SSL')
    zen_href_link(FILENAME_SHOPPING_CART'action=update_product'$request_type'SSL'

  8. #8
    Join Date
    Oct 2006
    Posts
    62
    Plugin Contributions
    0

    Default Re: How to secure contact us page with SSL?

    I am having a problem with McAfee PCI scan citing my contact us page is not secure. I requested a false positive (no sensitive information passed from this form) and they rejected it with "name and email are still sensitive information and must be ssl" (well, I used quotes by that is not word-for-word:) Anyway, I followed #3 above and made all my links SSL. I had McAfee rescan, and got the same result. I noticed that if you simply remove the "s" from the URL, you get the non-SSL page (which I assume that is why it is still failing). I also did this to my login and checkout page with the same result. It appears we can "guide" a user to SSL, but not "force" it.

    Is there a way to FORCE the ssl on a page? I've searched the net and many speak against putting it in an htaccess file. I tried a simple 301 rewrite for that particular page and didn't work anyway (not experienced by the way!). Any help would be appreciated!

  9. #9
    Join Date
    Jan 2004
    Posts
    66,446
    Plugin Contributions
    81

    Default Re: How to secure contact us page with SSL?

    Quote Originally Posted by tstamplis View Post
    I noticed that if you simply remove the "s" from the URL, you get the non-SSL page (which I assume that is why it is still failing). I also did this to my login and checkout page with the same result. It appears we can "guide" a user to SSL, but not "force" it.
    Um ... step back a moment.

    On the checkout or contact-us screens, it doesn't matter if you arrive at the page in http mode, because all the data entered is only transmitted over https anyway.

    This is a basic misunderstanding that many people have:
    a) the URL displayed in the browser is the address used to DISPLAY the page
    b) the URL in the <form action="URL HERE"> tag inside the page's HTML is what is used to SUBMIT the page.

    And Zen Cart always puts an HTTPS URL into the <form action> when the page is set up to be protected by SSL, such as checkout.

    So, fudging the URL used to ACCESS or DISPLAY the page is moot. If THAT is what the PCI Scanner is looking at, then it's amateurish and ought not to be in the business of scanning.

    So ... if your issue is that the scanner is absolutely bent on the idea of an email address being ultra-sensitive information, then change the zen_draw_form(FILENAME_CONTACT_US) reference in your template and set its 3rd parameter to 'SSL' instead of 'NONSSL' and this whole problem goes away.

    But, as I said in my first post in this long thread, the information collected is immediately sent off to the storeowner VIA EMAIL ... and we all know that EMAIL is the LEAST SECURE communication method on the internet. So ... protecting the collection of that info by SSL is entirely moot. Especially since THE PERSON GIVING THEIR EMAIL ADDRESS IS EXPECTING YOU TO EMAIL THEM AT SOME POINT. They WANT to be contacted. And they've opted to receive that contact via email. So clearly they don't object to the use of their information being shared in an email. So ... it goes back to the basic question: why is this considered "ultra sensitive" in the first place?
    Anyway, rant over.

    I suspect that your scanner is not doing its job correctly.
    .

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  10. #10
    Join Date
    Oct 2006
    Posts
    62
    Plugin Contributions
    0

    Default Re: How to secure contact us page with SSL?

    Quote Originally Posted by DrByte View Post
    So ... if your issue is that the scanner is absolutely bent on the idea of an email address being ultra-sensitive information, then change the zen_draw_form(FILENAME_CONTACT_US) reference in your template and set its 3rd parameter to 'SSL' instead of 'NONSSL' and this whole problem goes away.
    Thank you for your reply, passionate as it is If I had an ounce of the knowledge you have on the subject, I might be willing to fight that fight with McAfee. Unfortunately, as a lowly shop owner with minimal knowledge and a measly attempt to stay PCI compliant and avoid trouble, I find myself mostly trying to appease them.

    As such, if your comments above will work, I would certainly like to try it, but am a little unclear on the exact place and coding format I need. I found this line in my tpl_contact_us_default file in my template:

    <?php echo zen_draw_form('contact_us', zen_href_link(FILENAME_CONTACT_US, 'action=send')); ?>

    But I do not see a NONSSL reference to change to SSL. A little help if you can as to which file and code line I'm looking for to change would greatly be appreciated.

    Quote Originally Posted by DrByte View Post
    But, as I said in my first post in this long thread, the information collected is immediately sent off to the storeowner VIA EMAIL ... and we all know that EMAIL is the LEAST SECURE communication method on the internet. So ... protecting the collection of that info by SSL is entirely moot. Especially since THE PERSON GIVING THEIR EMAIL ADDRESS IS EXPECTING YOU TO EMAIL THEM AT SOME POINT. They WANT to be contacted. And they've opted to receive that contact via email. So clearly they don't object to the use of their information being shared in an email. So ... it goes back to the basic question: why is this considered "ultra sensitive" in the first place?
    Anyway, rant over.

    I suspect that your scanner is not doing its job correctly.
    This I agree with, and was my reasoning for requesting a false positive in the first place. Though again, it's not a fight I feel confident in winning. If changing a bit of code somewhere can avoid the fight, I'm willing to go that route and move on. I do thank you for your help. I understand this is a bit of a sensitive discussion with heated opinions on both sides. I'm not strong enough on the subject to pick a side. I just want to be able to submit my little questionnaire and passing pci scan result and move on to the business of shop keeping

 

 
Page 1 of 2 12 LastLast

Similar Threads

  1. How to make a page secure(ssl)
    By actorxfactor in forum General Questions
    Replies: 6
    Last Post: 12 Mar 2008, 11:26 AM
  2. Replies: 2
    Last Post: 7 Jun 2006, 02:00 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
disjunctive-egg