<Begin SoapBox>

As a Security Consultant, the Point to point encryption of eCommerce solutions is essential to maintaining the security and integrity of a web based eCommerce solution.

Case in point are the 40+ Million Credit Cards that the FBI (Justice Department) now has charged 11 people with Identity Fraud, and hacking of Computer Systems.

As a Security professional, I am telling you that WarDriving (the remote exploiting of Wireless communications), key stroke loggers, and network sniffing are just some of the techniques employed in gaining access to the personal information.  Some, if not all, of this could have been avoided with the use of better security (wireless security certainly), and encryption technologies (like SSL).

Employing security from the design up, is significantly easier to implement than after a breach has been encountered.

</End SoapBox>

That being said, I am anxiously awaiting the release of the 7.5 WebGui code, with Shopping Carts.  Having spoken with Sr. developer - Doug Black, I agree that the intent of the WebGui design is to not store the Credit Card information in the system, and permit the processing to occur (even recurring charges) at the payment gateway.

While I also employ a Fresside Billing system (design by Ivan Kohler - developer of the CPAN Business::OnlinePayments modules), which exclusively uses SSL (https connections) for all of the connections, whether it's a remote gateway, or credit card processor.

My hope is that WebGui intends to use Best Practices and employ a rigid use of SSL connectivity in anything involving the Shopping Carts, or eCommerce interfaces.

Hey guys,

Can you test this and let me know - cause I think this could be a problem (or I just may have my SSL set up wrong!).

Standard WRE site, add SSL.

Add a page that should be visible with SSL only using 'encrypt content' (https://<MY-DOMAIN>/home/test-ssl).

Try viewing the page without SSL by removing the 's' off the end of the 'https' in the URL and you get redirected to the SSL version.

Login, turn Admin on and go to edit the page. Now, remove the 's' and make the URL non-ssl again and try it. (http://<MY-DOMAIN>/home/test-ssl?func=edit)

It looks like I can edit an SSL-only page without SSL - I think that would be a problem. This is 7.5.10.

Thoughts?

It occurs to me that this probably occurs whenever a func=?? or op=?? is used.

I am going to investigate a little further and then write the RFE.

Thanks, Paul W

It occurs to me that this probably occurs whenever a func=?? or op=?? is used.

I am going to investigate a little further and then write the RFE.

 

Hey Paul,

Did you ever write an RFE for this feature request? I'm seeing a similar behavior on 7.3 which I need to address--if I'm logged in as an admin user (without admin mode on) and go to a page that is supposed to be encrypted, I do not get redirected to the encrypted page. This is a problem as I have content in wiki's that are secured by group to Admins only but the site is not redirecting me to the ssl mode which I'd prefer to use.

William

----
Knowmad Technologies
http://www.knowmad.com

No - I never got round to writing the feature request. I got bogged down
in classifying the problem AND the solution.

Hi Paul,

Thanks for putting the RFE together. I upgraded my site to latest stable and the problem I was having went away. I will throw some karam against your RFE as I agree that it should stay encrypted when in admin mode.

William

----
Knowmad Technologies
http://www.knowmad.com