1.2.1. SSL

'Secure sockets layer' (SSL) allows encrypted, secure communication between a browser and your web site. This must be set up on your site itself (rather than through Kartris). Kartris cannot use shared SSL; the secure certificate must be for the domain where your site is running, and be properly applied through the Microsoft IIS web server (and not via some external layer, as some hosts such as GoDaddy do).

1.2.1.1. Checking for SSL

The first step is to check that your site has SSL enabled. To do this, simply go to the front page of your site and then edit the address in the browser so it uses HTTPS instead of HTTP. For example,

https://www.demo.xyz/

If you see an error in your browser that the site is untrusted, or that the connection was interrupted, or any other browser error, then SSL is NOT running properly on your site. You should contact the host or your developer if you believe it should be.

Only once you have verified that SSL is installed and working should you attempt to activate the SSL support within Kartris.
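
The same check can be scripted. The following is an added example, not part of Kartris or its documentation: it performs the handshake with certificate-chain and host-name verification, as a browser does, so a shared or mismatched certificate is reported as a failure. The function names are illustrative, and www.demo.xyz is the placeholder address used above.

```python
import socket
import ssl


def classify(exc):
    """Map a connection failure to the browser symptom it corresponds to."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        # Untrusted issuer, expired certificate, or a certificate issued for
        # a different host name (for example a host's shared certificate).
        return "untrusted: " + (getattr(exc, "verify_message", None) or str(exc))
    if isinstance(exc, ssl.SSLError):
        return "tls-error: " + str(exc)      # handshake failed for another reason
    return "no-connection: " + str(exc)      # refused, timed out, DNS failure


def check_https(host, port=443, timeout=5.0):
    """Return (ok, detail). ok is True only if the handshake succeeds with a
    certificate that chains to a trusted CA and matches `host`."""
    ctx = ssl.create_default_context()       # verifies chain and host name
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
                return True, "%s, certificate names: %s, expires: %s" % (
                    tls.version(), ", ".join(names), cert.get("notAfter"))
    except OSError as exc:                   # ssl.SSLError is a subclass of OSError
        return False, classify(exc)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.demo.xyz"  # placeholder host
    ok, detail = check_https(host)
    print(("OK   " if ok else "FAIL ") + host + ": " + detail)
    sys.exit(0 if ok else 1)
```

Run it with your own domain name as the argument; an exit code of 0 means the certificate was accepted for that name.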

1.2.1.2. Activating Kartris's SSL support

Once logged in to the back end, find the general.security.ssl config setting. There are three possible settings ('always on' SSL was introduced in Kartris v2.7000).
  • 'n' = off
  • 'y' = on for pages where sensitive data is transferred (login, checkout, back end, any page when user is logged in)
  • 'a' = always on, SSL for all pages

Scope of SSL

SSL puts an additional overhead on a web server and a user's browser, and so in the past it has tended to be used only in places where sensitive data is transferred, especially for credit card transactions. There was seen to be little point in applying SSL to all traffic, such as when a casual visitor is browsing the site or a search engine is spidering it.

However, in recent years, SSL has become more widespread. Many web sites such as Google use SSL by default, and the revelations by Edward Snowden of pervasive internet surveillance by western security agencies have further highlighted the issues of eavesdropping and user privacy. In summer 2014, Google indicated that it would start to give slight preference in its results to sites running SSL, which is likely to see a surge in the take-up of 'always on' SSL.
 