Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
By xopher on
Is it possible to use the Authorize.net module in conjunction with the e-commerce modules without having SSL on a site?
The connection to Authorize.net and the response is done over SSL, is that not enough? Why must the cart itself and checkout be done over SSL?
Any clarification is appreciated.
Thanks.
Comments
Browser To Site
The browser must transmit a credit card number to the website... If that's not secure anyone can sniff it while it navigates to the merchant website.
--
Please read the handbook, search the forums, then ask...
http://drupal.etopian.net (Drupal Support)
Agreed
I'm not sure you understood what I asked. I understand that the credit card needs to be encrypted. The connection from my site TO authorize.net and back is secure by way of the url I submit the form to (https:secure.authorize.net) So the question remains, if I'm not STORING credit cards in the users profile, and the credit card is submitted to authorize.net over a secure connection, why must my shopping cart and check out pages be secure?
If someone tells me that the form where the information is ENTERED must be secure, to transfer the data securely to the Authorize.net servers, that would answer my question. I'm just having difficulty seeing why this would be required... by virtue of the fact that the form ACTION goes to an https address, I'm thinking that submission happens over a secure connection.
I've set up SSL on my site, so this isn't a pressing concern, I'm trying to understand the specifics.
I'm someone...
The form where the consumer enters his cc number MUST be secure. If not, then as his browser sends this info to you, before you send it to authorize.net, it would not be secure.
There's no way I would enter my personal info into a form that wasn't secure, and I would not think too highly of a merchant who doesn't take the basic steps to protect my information.
You may want to check with http://developer.authorize.net to see their policy, but I would think that they would insist on a ssl cert on your site.
Authorize.net module...
Just to be aware of the authorize.net module... Please read this post from the security team... I really suggest that you subscribe to the security announcements!
--
Paul Malenke
paul.malenke@gmail.com
AfterDeathGraphics.com
Shop the AfterDeath Graphics Store