Jan 2017

Is there an SSL - 125 bit incorporated in the system or do I need to purchase one?

4 months later

Is there an SSL logo we can use on our site to reassure shoppers visiting our site that transactions are secure? If yes, what is the logo and associated URL related to e-junkie?



Thanks.

You DO NOT need SSL to use E-junkie.



If you WANT to display an SSL logo on YOUR site, then you should get one.

I don't need an SSL for MY site, because the only secure part of the site is YOUR shopping cart.



So in essence you're saying that WE can't use YOUR SSL on our website, correct? If that is the case, it would be nice if YOU would offer some kind of security logo WE can use for YOUR customers who use YOUR shopping cart.

It's technologically impossible to use one site's SSL certificate on another website. There is no way for us to offer a "security logo"; we ourselves use the SSL logo that GeoTrust provides.



Since your buyer is not entering any financial information on your site, you don't need SSL or SSL logo anyway.

I think most consumers who know enough about SSL/encryption to actually care about it just look for the padlock icon in their browser, or just look for the Web address URL starting with https: rather than http:, which are both always rock-solid indicators of SSL encryption in use on a page.



FWIW, the SSL logo/icon displayed within a page is really just window-dressing and could rather easily be forged such that only the rather savvy would notice the forgery (it's just an image like any other, after all). Merely displaying such a logo does not guarantee the page it's displayed on is actually encrypted, and displaying our SSL logo on the cart page would only tend to confuse buyers, since clicking on our logo only says "www.e-junkie.com" is secured, rather than your own site domain, although you are in fact using E-junkie's SSL cert when you use the E-junkie cart.

Obviously you don't stay up to date on shopping cart abandonment issues. If you did, you'd know that placing trust/security icons on their websites is one of the major steps ecommerce site owners are advised to take to help reduce the number of people who don't complete a checkout.

I'll admit that, for the sake of a concise discussion, I glossed over the messy details of how those trust/security logos actually work (and how they can be forged, whereas the padlock icon and https: URLs cannot), but speaking as a former corporate Webmaster for a regional ISP and Web host who was personally responsible for all aspects of SSL enrollment and implementation for both that company and all of its eCommerce hosting clients, I assure you I am quite familiar with the issues.



It's true that the SSL CAs (certification authorities, such as GeoTrust) have a vested interest in pushing their brand and logo onto every page they can, so they strongly recommend to merchants that their trust logos should be displayed on their site. In reality, I have yet to encounter a single end-user who looks for those logos, or even knows what those logos are for exactly, let alone how they work, or how to use them to verify the identity of a site. However, every consumer who at least knows and cares about security, privacy and encryption knows to "look for the padlock", and the tech-savvier ones look for the https: URL, but most tend to regard the logo as nothing more significant than a simple branding display, nothing more.



There are several reasons why the logo would not work as-intended within the context of our system, and this gets into how, exactly, those logos actually work:



When the page is rendered, the IMG tag for the SSL CA's logo calls for that image from a URL on the CA's site. The CA's site first confirms that the base URL (i.e., the fully-qualified domain name, or FQDN -- e.g., "www.e-junkie.com") of the page requesting display of the logo is the same FQDN that logo tag is certifying, and that the same FQDN is actually enrolled for an SSL/trust cert with that CA. For instance, the GeoTrust logo at the bottom of this page disappears for me if I use an alternate domain we happen to have that points to the exact same server. Once all that is confirmed, the CA allows the page to display their logo, usually including a fresh date/timestamp indicating when they verified that the page URL matches the certified FQDN which matches their SSL cert enrollment. Thus, our CA's logo could not be displayed on your own site pages, since our domain and business are the ones being certified, not yours.



Now, any forger could just mock up a logo image with some scripting that throws a fresh timestamp over it on every view, so the CAs also expect users to click on the logo, to get a popup window showing what company and URL/FQDN is being certified by that CA, so users can compare the company name and domain name with the outfit they think they've been dealing with; however, even the popup window can be forged, so you're back to the user having to "look for the padlock" and scrutinize the popup's FQDN and https: URL (if that's even displayed in the browser popup) to manually confirm that the icon and popup are not also forged.



In theory, if you were operating every aspect of your own shopping cart software in-house yourself, you would have a consistent domain in your URLs across every phase of the buyer experience -- from shopping to checkout to payment. Buyers could visually confirm that they never left your site, the domain is always the same, and particularly on pages where they are providing financial or other private data, they could verify that same, consistent domain is owned by a legitimate business identity which has registered with that CA to obtain an SSL encryption/trust certificate, which same cert is encrypting that very page where they are providing their sensitive data.



Now, with E-junkie's service, we relieve you of the burden of administering your own shopping cart software installation and maintaining your own SSL cert, since you are using our remotely-hosted cart software which uses our own SSL cert instead of yours. We conceal most of this "cart outsourcing" from your buyers by having the nice cart screen that overlays your own pages, which hands the buyer off to a third-party payment processor (PayPal/Google/etc.), so in most cases our cart is not even handling any sensitive data nor transaction funds -- the payment processor is handling all of that data, and they already have their own SSL cert and CA logos in full effect on their own checkout pages.



The only place where an E-junkie cart page would be accepting sensitive data directly would be for Merchants who are using either PayPal Website Payments Pro or Authorize.Net to accept card payments directly. In those cases, we certainly display our own GeoTrust logo on the payment-info checkout screen; despite the fact that the E-junkie business name and the https://www.e-junkie.com/... URL do not match that of the actual Merchant, at least we can back up the fact that we are indeed using SSL encryption to handle their transaction data, and that our business is indeed confirmed by that CA as a legitimate legal entity which owns that domain.

SoundMaven wrote: "Obviously you don't stay up to date on shopping cart abandonment issues. If you did, you'd know that placing trust/security icons on their websites is one of the major steps ecommerce site owners are advised to take to help reduce the number of people who don't complete a checkout."





We are quite familiar with those issues. If you need to provide "assurance" to your buyer on your website, you can pay hackersafe, or BBB or TrustE or any such company. It's not worth the trouble and money you'll spend though.

8 years later

Hi,



I didn't know any of this, but today it was recommended that I get SSL certificate/protection to shield transactions going through my site. It seems that this person went to our site, didn't notice https or any other visual cues that the site was protected and decided he could not put his information on the site.



Just a question. Would it be okay and correct for me to place in small print under the shopping cart buttons something like "Shopping cart is SSL encrypted"?

You'd be able to make that claim no matter what. Our cart and the purchasing process is already encrypted so it's not actually necessary to encrypt the rest of your site just to protect a buyer's payment information, although lately there is pressure coming from some big names like Google about getting everyone to encrypt everything... personally I'm not entirely convinced that this isn't just to get more business for people handling the certification though. :)



But at any rate, if you wish to encrypt your website there won't be any problems with our cart, and if you decide not to encrypt your website the actual checkout process is still going to be encrypted and secure because it will either be happening within PayPal or within a secure page we've set up that does have certification. For example, if you click the credit card checkout option on our demo pages you can see the GeoTrust badge already there:

http://www.e-junkie.com/ej/demo.htm

Also note that if you decide to make your entire site secure encrypted (i.e., force all pages to load as https:// rather than http://), you may need to update any older E-junkie button codes to change all instances of http:// to https:// instead. Our current Admin panel issues button codes with all-https:// URLs since it launched in Sept. 2015, so you'd only need to update codes you'd pasted prior to that date. A free SSL encryption certificate from Let's Encrypt should be sufficient for your purposes: https://letsencrypt.org/
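One way to find older button codes that still point at http:// before forcing a site to HTTPS, as an added example that is not part of the original post and is not E-junkie's own code. The host pattern, the helper names and the sample markup (including the EXAMPLE paths) are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Attributes that make the browser fetch or navigate to a URL.
URL_ATTRS = {"src", "href", "action"}
# Assumption: button codes reference hosts under e-junkie.com.
EJ_HOST = re.compile(r"^http://((?:[\w-]+\.)*e-junkie\.com)(?=[/:?#]|$)", re.I)


class InsecureRefFinder(HTMLParser):
    """Collect (line, tag, attr, url) for every plain-http E-junkie reference."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value and EJ_HOST.match(value.strip()):
                self.findings.append((self.getpos()[0], tag, name, value.strip()))


def find_insecure_refs(html):
    finder = InsecureRefFinder()
    finder.feed(html)
    return finder.findings


def upgrade_refs(html):
    """Rewrite flagged URLs where they appear as quoted attribute values."""
    for _, _, _, url in find_insecure_refs(html):
        fixed = "https://" + url[len("http://"):]
        for quote in ('"', "'"):
            html = html.replace(quote + url + quote, quote + fixed + quote)
    return html


# Constructed sample page; the paths are placeholders, not real button codes.
SAMPLE = """<html><body>
<a href="http://www.e-junkie.com/EXAMPLE/add"><img src="http://www.e-junkie.com/EXAMPLE/button.gif"></a>
<script src="https://www.e-junkie.com/EXAMPLE/box.js"></script>
<a href="http://e-junkie.com.example.net/fake">look-alike host, must not match</a>
<p>Docs mention http://www.e-junkie.com/EXAMPLE/add in text</p>
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, url in find_insecure_refs(SAMPLE):
        print(f"line {line}: <{tag} {attr}> {url}")
```

Running `find_insecure_refs` again on the output of `upgrade_refs` confirms nothing was missed; the look-alike host and the URL mentioned in body text are left alone.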

Thanks for the caution and info.

Much appreciated.

I think I will live with your encryption for a while anyway.

Cheers