
Your E-ComTips Newsletter
WHAT'S NEW?
We don't like to run articles contrary to public opinion but this month,
we're going to do it twice.
You can't go to an Internet news site these days without reading at least
one article about spam e-mail. The current solutions to stopping spam
are hurting our ability to send out this newsletter. We'll illustrate the
problem.
Information security is always a top concern of ours. This month we're
going to review the SSL protocol and what it really does for you.
If you're thinking of upgrading your website, take a lighthearted look at
how some people know when the time has come.
Team ....ImagineNation

E-ComTips
Using the E-Commerce Internet ...information security
SSL: Myths and Magic
About once a week we get asked if we use SSL certificates. The answer may
come as a surprise to our e-commerce friends, considering that we process
hundreds of credit card transactions every month.
SSL stands for Secure Sockets Layer. To a man, except to the real techies,
SSL means secure e-commerce transactions on the Internet. So, what's a
secure e-commerce transaction and what do the techies know that you don't
know? Well, in order to understand that, let's first look at a few SSL
details.
Internet connections make use of various data elements to establish a
communication channel between a host server and a client computer. These
data elements are grouped into functional categories called layers. The
communication takes place via a socket connection. This is simply a
specific virtual connection between computers. A variety of techniques,
known as protocols, using variations in the data elements, can be applied
to establish a connection. One of these protocols uses a Secure Sockets
Layer. This is a technique used to encrypt information moving from a host
computer to a browser and from a browser to the host computer. That is,
information in transit on the Internet is encrypted when using this
protocol. You can sometimes know you're using the SSL protocol by the
"https:" at the beginning of a web address or by the little yellow padlock
icon that appears in the lower left corner of a browser.
To use the SSL protocol, the host computer must be equipped with an SSL
Certificate and a browser must support the protocol. All current browsers
do. The certificate is actually a small software program that resides on
the host computer of a particular domain. The program encrypts the
information traveling between your browser and the host computer when
the SSL protocol is invoked. The certificate also identifies the domain
for which the software was issued. Private companies sell these
certificates to domains wishing to use the SSL protocol.
The magic in SSL is the remarkable job that the certificate companies have
done to convince nearly everyone that an SSL site is a secure site. This
has been a great benefit to e-commerce sites. Consumers get that warm
fuzzy feeling when they see the little yellow lock in their browser,
knowing everything is OK, just before submitting their credit card
information. The truth is that the only time information using SSL is
secure is when the data passes between browser and host. That is, when the
data is in transit on the Internet.
The other piece of magic with an SSL certificate is that it is intended to
verify that a website is who they say they are. To make this happen, the
certificate company must confirm information like domain ownership before
selling the SSL Certificate to an applicant. The confirmation process is
not well defined, however, resulting in known cases of certificates being
issued to bogus websites, ostensibly belonging to well-known companies.
Another diluting factor affecting the value of the certificate is the use
of machine-wide certificates. This is the practice of applying one SSL
certificate to all websites residing in a shared hosting environment on
a single computer. There is no way that this certificate can validate
website ownership. You know the certificate is being shared if your ISP
offers free SSL capability with domain hosting. To even begin to
authenticate a domain, the certificate must be issued to a specific IP
address assigned to a specific domain.
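The following is an added example, not code from the newsletter or from ImagineNation, of the name check a client makes against a certificate, showing why one certificate shared across a hosting machine cannot vouch for each site on it. The certificate dictionaries follow the shape returned by Python's ssl getpeercert(); every domain and certificate below is constructed, and the matcher is a simplified form of standard hostname matching.

```python
"""Added example: does the certificate a site presents actually name that site?
All domains and certificate contents below are constructed sample data."""


def name_matches(pattern: str, host: str) -> bool:
    """Compare one certificate DNS name with a host name, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # A wildcard stands for exactly one left-most label and must be
        # followed by at least two fixed labels ("*.example" is rejected).
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_dns_names(cert: dict) -> list:
    """List DNS names from a dict shaped like ssl.SSLSocket.getpeercert()."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    # Use the subject commonName only when no DNS alternative names exist.
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]


def cert_covers_domain(cert: dict, domain: str) -> bool:
    return any(name_matches(n, domain) for n in cert_dns_names(cert))


def audit(sites: dict) -> dict:
    """Map each domain to "ok", or to the names its certificate carries."""
    return {d: "ok" if cert_covers_domain(c, d) else cert_dns_names(c)
            for d, c in sites.items()}


# Constructed: one certificate shared by every site on a hosting machine ...
SHARED = {"subject": ((("commonName", "secure.hosting-provider.example"),),)}
# ... and one issued for a single merchant's domain.
DEDICATED = {"subject": ((("commonName", "merchant.example"),),),
             "subjectAltName": (("DNS", "merchant.example"),
                                ("DNS", "*.merchant.example"))}
SITES = {"shop-a.example": SHARED, "shop-b.example": SHARED,
         "merchant.example": DEDICATED, "www.merchant.example": DEDICATED}

if __name__ == "__main__":
    for domain, result in audit(SITES).items():
        print(f"{domain}: {result}")
```

Sites reported with a list instead of "ok" are presenting a certificate that names some other host, which is the shared-certificate situation described above.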
So, by now you probably know the answer to our opening question. We do not
use the SSL protocol with our services. We do, however, use other
proprietary techniques to protect a customer's sensitive information,
including triple DES encryption of sensitive information stored in
databases which themselves are password protected and not directly
connected to the Internet. We also use a whole range of other techniques
to manage, protect, and validate customer information.
The point of mentioning what we do and the point of this article is not
to bash the SSL protocol but to expose the myth that SSL somehow provides
the security necessary to protect your customer. If you want to use SSL
to make customers happy, sure, go ahead; but don't think for a minute that
you're protecting their information. Here's a challenge: Cite just one
case where credit card numbers have been stolen by a hacker intercepting
the data in transit on the Internet.
Managing and protecting information is a much more complex process than
just having an SSL Certificate. If you are serious about protecting your
customer and securing your website, you can start by reading a four part
article titled, "The Nuts and Bolts of Information Security" at
http://imaginenation.com/Articles/SecurityInfo/index.htm . This is by
no means a definitive work but it can provide the conscientious merchant
with a guideline for getting started at protecting a customer's sensitive
information.
The Staff
Team ....ImagineNation
Taking credit cards is never free, but with an IAMS account we keep your
cost down and the utility up.
Newsletters vs. Spam E-Mail
By now everyone must know that spam is unsolicited bulk e-mail. It's
usually sent to advertise products or services and can include viruses
and other objectionable material. While this newsletter is sent in bulk,
it is not spam because it is not unsolicited. Further, the primary purpose
is to be informative, even though we do sprinkle in a few ads of our own.
Today, even the viability of newsletters is being threatened by the spam
situation and the solutions being imposed to solve the problem.
When we send this E-ComTips newsletter, almost one third of our subscribers
will not receive it. Mostly, this is because the delivery is either being
prevented by inappropriate filtering and blocking at the ISP or because the
recipient mailbox is already full with messages that weren't requested.
Last year at this time, the undeliverable numbers were around 6%.
While we fully agree that spam mail is undesirable and even harmful at
times, we don't agree with the current techniques used to prevent it. We
view these filtering and blocking methods as the equivalent of the
postman making delivery decisions. Picture the postman standing at your
mailbox, reading your letters, and deciding which ones he's going to let
you have and which ones he's going to throw away. This isn't made any
better just because you may have given him instructions. You'll never
know if he gets it right!
What's needed are better techniques to stop spam at the source. Legislation
isn't going to do it. Spammers are too wily and mostly operate out of
foreign jurisdictions. It will take new technology. We look forward to
that day. Until then, delivering newsletters like this E-ComTips remains in
jeopardy.
Team ....ImagineNation
Tips 'n Tricks
HTML tags shown here use the caret (^) instead of
braces <> for proper rendering.
Brackets are represented by the curly bracket symbols ({}).
PeddleGold
Instantly e-commerce enable your entire website with this robust, award winning storefront:
webPeddle.net
Did you know you can set up multiple instances of the PeddleGold storefront
from the same website or additional websites and still use the same IAMS
Console for order management and credit card processing? This
can result in considerable cost savings over having a separate processing
system for each store. The only caveat is that all stores will have to use
the same store name and service ID.
For a lot of operations, however, this may not be a problem; in fact it
can be an asset. For instance, you may have a website called
generalstore.com and want a store called The General Store. As the name
implies, you are offering products in a variety of categories. Your home
page can have links to a PeddleGold store for each of the product
categories.
Just create new folder names for each of the stores and upload the same
files to each folder. For instance, folders PeddleGold, PeddleGold1,
PeddleGold2, etc. The only necessary changes will be to the database
files, db.js. Of course you'll probably want to change the
storefront.htm file as well to reflect the various product categories.
Now you've created a department store and still have the ability to manage
orders from a single location. Use the HTML attribute target="new" in
the category links and a customer can enter any store without losing your
home page.
ImagineNation © 1996 - 2003
E-ComTips is brought to you by ImagineNation
because you are listed as a user of one of our storefront products or have
subscribed to receive the Newsletter itself.