
osCommerce

The e-commerce.

Time to get secure (if you haven't already)


frankl


From January 2017, the Chrome web browser will start labeling sites which collect passwords or credit card details as Not Secure.

 

If you run osCommerce and you don't have a secure certificate for your domain you are in danger of losing sales. In fact, you will lose sales unless you act.

 

In the future, Chrome will mark entire HTTP sites as non-secure, so now would be a good time to ensure your domain is future proof and make your whole site HTTPS. The argument that "my site will be slower" is outdated and not relevant, with HTTPS page load times being negligibly slower (if at all). Once HTTP/2 becomes commonplace HTTPS will be incredibly fast.

 

Cheap SSL certificates that work in all browsers are available from places like RapidSSL ($69 per year) or Comodo ($76.95 a year). You can also get free SSL certificates from LetsEncrypt, with many hosting providers being able to install and manage the LetsEncrypt certificate for you.

 

If you haven't considered HTTPS important before, you must now. Take action before the New Year and avoid being left behind.

 


osCommerce user since 2003! :thumbsup:

Link to comment


Thanks for this information; it's important for some people to think about a migration to a good provider or to integrate SSL.


Regards
-----------------------------------------
Loïc

Contact me by skype for business
Contact me @gyakutsuki for an answer on the forum

 

Link to comment

Hi there

How will Chrome handle sites which are mixed, e.g. checkout secured, create account secure?

Doug

 

From the article - "Beginning in January 2017 (Chrome 56), we’ll mark HTTP pages that collect passwords or credit cards as non-secure."

 

So if those pages are secure you have nothing to worry about for now. However, the Chrome development team says "Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS," so it's wise to make a plan to go fully secure on your website. For ecommerce this is essential.

osCommerce user since 2003! :thumbsup:

Link to comment

When I was using OSC 2.2RC2a I ran the whole site on HTTPS; the advice at the time was that this was overkill, so when I upgraded to 2.3.4 I only use HTTPS on the account, login and checkout pages as per the default OSC behaviour with SSL enabled.

 

My site has been crawled and appears quite well on Google searches - often on the first page of results.

 

My question is: what is now the best way to go back to having the complete-site on HTTPS (config files? .htaccess redirects?) and how, if at all, this will affect my current ranking and appearance on google searches?

 

Many Thanks

Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.

Link to comment

Good question. If most of your pages are currently indexed as http, will their https replacements be considered different pages (starting over with regards to ranking), or the same pages? It looks like eventually we'll have to go 100% HTTPS, but how much pain will there be during the transition?

Link to comment

Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.

Link to comment


# Redirect any request that did not arrive over HTTPS to the same URL on HTTPS.
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

:blink:
osCommerce based shop owner with minimal design and focused on background works. When the less is more.
Email managment with tracking pixel, package managment for shipping, stock management, warehouse managment with bar code reader, parcel shops management on 3000 pickup points without local store.

Link to comment

I moved to all SSL all the time (like all nude, but without nudity) back in June and it was pretty easy and simple. Gave me a little bump on Google organic but I bounce around some. I did have to create a new property on Webmaster Tools for it to work correctly, but that was no problem. I also put a redirect in .htaccess to redirect to https.

 

It also seems to help with Adwords if you use that.  Making your ad better can rank you higher while paying less per click. 

 

I did it when my sales were slow anyway, so think about your slowest month to make the change.  I always had a SSL cert since I started in 2002.  One lost sale can cost more than a cert.

I'm not really a dog.

Link to comment

@@John W

 

I did it when my sales were slow anyway, so think about your slowest month to make the change.  I always had a SSL cert since I started in 2002.  One lost sale can cost more than a cert.

 

Good advice, John... I was thinking of just allowing it to happen when I convert to 2.4 since that will likely rough up my rankings anyway. I understand that site wide SSL will be the standard in 2.4. Doing it at a slow time of the year is good thinking too.

 

Dan

Link to comment

@@Gergely Please expand?

I changed all the osC configuration constants to HTTPS some years ago. (Harald asked for the same configuration change in this forum some weeks later.)

All old linked pages and images (internet backlinks) are redirected to HTTPS with .htaccess. SEO power won't be lost with a 301.

301 rewrite redirections take about 1-2 weeks to show in Google's indexes (depending on site size and the Google index speed that has been set).

AdWords and every other marketing tool should use https links, of course.

I gave an .htaccess code example as a hint for it (only for backlinks).

:blink:
osCommerce based shop owner with minimal design and focused on background works. When the less is more.
Email managment with tracking pixel, package managment for shipping, stock management, warehouse managment with bar code reader, parcel shops management on 3000 pickup points without local store.

Link to comment

Well, I can't imagine any store running without SSL. $69 for SSL? Are you talking about the extended validation ones? I just bought one yesterday for $9. Now, $69 for an extended EV SSL would be a good deal... the cheapest I ever paid was around $200...

 

 


Link to comment

@@Gergely Thank you :)

 

So if I understand correctly if I add that to my .htaccess it will redirect all requests to HTTPS and give 301's

 

So there will be a slight blip on google rankings which should settle after a couple of weeks or so?

Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.

Link to comment

I didn't drop at all from doing this, but bumped up a couple.  This is how I did it in my .htaccess but I also want everything as www since I've had that so long.  I had it done differently at first but that way could glitch.  This works perfectly for me since June.

RewriteEngine On

RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

RewriteCond %{HTTPS} on
RewriteCond %{HTTP_HOST} !^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L]

I'm not really a dog.

Link to comment

Letsencrypt has an API, so my wishful thinking goes like this;

 

new install of osc, looks to see if the hosting has SSL.

If no...link into the letsencrypt API and set up a SSL Cert.

 

Boom.  shopowner has a new shop utilising SSL.

 

I have not looked into it, and I expect it is far more complicated than I've made out.

Link to comment

 

 

So if I understand correctly if I add that to my .htaccess it will redirect all requests to HTTPS and give 301's

 

So there will be a slight blip on google rankings which should settle after a couple of weeks or so?

 

Use the code @@Gergely posted and all old links (including internal links) will redirect to https, and you won't lose any link juice.

 

I swapped over to full https nearly 2 years ago, and experienced a bumpy ride in Google rankings for a few weeks but came back slightly higher in rankings.

osCommerce user since 2003! :thumbsup:

Link to comment

@@burt

 

The best I could do was an admin page to grab a free letsencrypt secure certificate. I can't see any way to automatically install a secure certificate on a server using a PHP script (can it be done??)

 

I have done a live test, got the certificate and private key using this script, and installed it on a server successfully.

 

Notes:

  • Currently the page uses the sandbox Letsencrypt server, no actual secure certificate will be issued. You can comment out line 8 and uncomment line 7 in Lescript.php if you want to do live testing.
  • Will use the email address from Admin -> Configuration -> My Store -> E-Mail address to register you. This is the email address where updates will be sent.
  • Certificates fetched will be for the domain the script is run on, both www and non-www versions.
  • If successful, your certificates will be found in admin/.certificate/{domain_name}

Upload 2 files in zip file to admin (unzipped folders are organised this way) then navigate to letsencrypt.php

 

letsencrypt.zip

osCommerce user since 2003! :thumbsup:

Link to comment

I updated to https about 4 months ago - for the reasons Frank gave above - and have encountered no problems. Good all round benefits with no obvious negatives.

Just a word of warning regarding Facebook. We had 85,000 likes and didn't want to lose them because of a URL change. That may well have happened unless we followed FB advice which was basically this:

1. Exclude Facebook crawlers from the redirect.
2. Set og:url to the http version of the page

I did that and haven't lost any likes. Yet.

It amazes me that a company that can produce HHVM cannot, or will not, make life easier for their users. The solution here can't be anything but short term.

Link to comment

@@frankl@@John W@@Gergely

 

Hi guys

 

For us absolute novices, which is the best to use, or does it not matter?

 

RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
RewriteCond %{HTTPS} on
RewriteCond %{HTTP_HOST} !^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L]
or
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

 

 

Many thanks

Grandpa

Link to comment

Hi @@grandpaj,

 

Do you want to have www in your domain?  The second part of mine takes care of that in case someone comes without www in the domain.  It may be old school, but I think it's best to have one way or the other.  My site has been up since 2002 and my clientele has a lot of older ladies 45-65, so I opted for that early on.  That's also how I have my SSL cert.  

 

On a side note Grandpa, did you feel the earthquake?

I'm not really a dog.

Link to comment

The first code fragment does two separate things: it changes HTTP to HTTPS, and then it changes non-www to www. The second fragment only changes HTTP to HTTPS, leaving the domain alone. Although the current discussion is about always using HTTPS, that's mixing in a second item: it's generally considered good form (for SEO purposes) to use one or the other (www or non-www) domain and change the "wrong" one, so you would want to use the first choice (assuming you want www consistently). If you want the non-www domain form consistently, you would have to modify that code to detect www. and remove it.

 

Something not explicitly mentioned in this thread is that simply redirecting HTTP to HTTPS is only part of the solution. Obviously you need to obtain an SSL certificate for your site (extra cost), or HTTPS won't work for you. I say this so that naive users won't think that redirecting to HTTPS is all they need to do. Also, take care that the SSL certificate is issued in the domain form that you intend to use: www or non-www. It generally won't work if it's issued for one and you try to use the other!

Link to comment
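
Added example, not part of any post in this thread: John W's fragment can take two redirects (HTTP to HTTPS, then non-www to www) and builds the target from the request's Host header. The rules below go slightly beyond it by doing both steps in a single 301 to a hardcoded host, with the non-www variant MrPhil describes and the Facebook crawler exclusion mentioned earlier shown as commented options. `example.com` is a placeholder, and the rules assume mod_rewrite is enabled, the file is the document-root .htaccess, and Apache itself terminates TLS.

```apache
# Added example (not from any poster): one-hop canonical redirect.
# "example.com" is a placeholder; use the exact name your certificate covers.
# Assumption: Apache terminates TLS itself. Behind a proxy or CDN that
# forwards plain HTTP, %{HTTPS} may never be "on" and these rules would loop.

RewriteEngine On

# Optional, per the Facebook advice earlier in the thread: leave Facebook's
# crawlers (user-agent tokens "facebookexternalhit" and "Facebot") on HTTP.
# The User-Agent header is client-supplied, so any client can send it; the
# condition only skips the redirect and must not gate anything else.
# RewriteCond %{HTTP_USER_AGENT} !(facebookexternalhit|Facebot) [NC]

# --- Variant A: canonical host is www.example.com ---
# Redirect when the request is plain HTTP OR the host is not the canonical one.
RewriteCond %{HTTPS} !=on [OR]
RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
# The target host is hardcoded instead of being copied from %{HTTP_HOST},
# so a forged Host header cannot steer the redirect to another name.
RewriteRule ^ https://www.example.com%{REQUEST_URI} [R=301,L]

# --- Variant B: canonical host is example.com (non-www) ---
# Use this instead of variant A, never together with it.
# RewriteCond %{HTTPS} !=on [OR]
# RewriteCond %{HTTP_HOST} !^example\.com$ [NC]
# RewriteRule ^ https://example.com%{REQUEST_URI} [R=301,L]
```

Whichever variant is used, the certificate has to cover the canonical name, and should cover the other form too if visitors may still arrive at it over HTTPS, since the TLS handshake happens before any redirect is sent.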

@@MrPhil

 

Hi Phil

 

Many thanks for your reply

 

The site does have its own SSL cert, pretty sure www., so what I understand is I should use

 

RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
RewriteCond %{HTTPS} on
RewriteCond %{HTTP_HOST} !^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L]

 

Kind regards

Grandpa

Link to comment

Archived

This topic is now archived and is closed to further replies.
