SSL Problem

[lhungil]

It appears that putting the defines in the configure.php only work on a Windows server. On a Linux server you need to put the redirect in the .HTACCESS file. Refer to the GoDadday article below. ...

This is not true. No modification of the .htaccess file is required to enable SSL for Zen Cart. If you want to override the wisely created default of only using SSL when necessary and allowing SSL for any page... And instead always use SSL... Just update your configure.php files (set both HTTP and HTTPS prefixes to "https://mysite.com/").

Forcing SSL for all pages is not recommended, and Zen Cart makes all pages available via SSL by default (as long as SSL is configured correctly on the server and in the settings).

Additionally using a forced "redirect" such as stated in that article can potentially result in lost data (post data is not resent by most browsers when a encountering a "redirect"). While it is rare for POST data to be sent with a non SSL request, some 3rd party add-ons and software have been known to use FORMs pointing to non-SSL URLS.

[stevesh]

A little offtopic, but......



Much to my chagrin, I recently read somewhere that Google have plans to give SSL enabled sites higher rankings than non-SSL sites.

Has anyone else heard about this?

Cheers
RodG

Yup - that was the article/blog post I was referring to. It didn't explain why Google thought that was the thing to do. The tone was that securing every site is a self-evident good idea. I'm not seeing it myself.

[stevesh]

The forum won't let me post a link. Here's the text of the post:

HTTPS as a ranking signal
Posted: Wednesday, August 06, 2014

Webmaster level: all

Security is a top priority for Google. We invest a lot in making sure that our services use industry-leading security, like strong HTTPS encryption by default. That means that people using Search, Gmail and Google Drive, for example, automatically have a secure connection to Google.

Beyond our own stuff, we’re also working to make the Internet safer more broadly. A big part of that is making sure that websites people access from Google are secure. For instance, we have created resources to help webmasters prevent and fix security breaches on their sites.

We want to go even further. At Google I/O a few months ago, we called for “HTTPS everywhere” on the web.

We’ve also seen more and more webmasters adopting HTTPS (also known as HTTP over TLS, or Transport Layer Security), on their website, which is encouraging.

For these reasons, over the past few months we’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms. We've seen positive results, so we're starting to use HTTPS as a ranking signal. For now it's only a very lightweight signal — affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content — while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.

Lock


In the coming weeks, we’ll publish detailed best practices (it's in our help center now) to make TLS adoption easier, and to avoid common mistakes. Here are some basic tips to get started:

Decide the kind of certificate you need: single, multi-domain, or wildcard certificate
Use 2048-bit key certificates
Use relative URLs for resources that reside on the same secure domain
Use protocol relative URLs for all other domains
Check out our Site move article for more guidelines on how to change your website’s address
Don’t block your HTTPS site from crawling using robots.txt
Allow indexing of your pages by search engines where possible. Avoid the noindex robots meta tag.

If your website is already serving on HTTPS, you can test its security level and configuration with the Qualys Lab tool. If you are concerned about TLS and your site’s performance, have a look at Is TLS fast yet?. And of course, if you have any questions or concerns, please feel free to post in our Webmaster Help Forums.

We hope to see more websites using HTTPS in the future. Let’s all make the web more secure!

[RodG]

The forum won't let me post a link. Here's the text of the post:

HTTPS as a ranking signal
Posted: Wednesday, August 06, 2014

It's not the same article I read... This one provides a little more info.

At least I wasn't imagining what I'd seen.

Cheers
RodG