PowWeb Forums - The Perfect Community for the Perfect Host  

Old 8-6-03, 12:05 AM   #1
faithfulltrav
 
Posts: n/a
What's Open Source

I'm setting up a web page for my client. I've built websites before. This is the 1st one I'll set up where I need to set up e-commerce.

I need to know,


Quote:
1. "What is Open Source?"
2. "What other options are there?"
3. "What costs are involved?"
4. "Is it just as secure (or more secure) than the other options?"
5. "Does it use https or http, or my choice?"
6. "Are there any visual differences on the actual site, between Open Source and the other options?"
I appreciate the help I'm getting from this community.
Thanks, Scott.

Last edited by faithfulltrav : 8-6-03 at 12:12 AM.
 
Old 8-6-03, 10:32 AM   #2
stevel
XPW
 
 
Join Date: Jun 2002
Location: New Hampshire, USA
Posts: 9,464
Reputation: 265
1. Open Source means that the source is freely available and that it is maintained and contributed by the general community of users. It also tends to mean there is no formal support and documentation is skimpy.

2. There are many commercial shopping cart packages, plus options such as the PayPal shopping cart system which is free (but payments go through PayPal.)

3. Just your time and effort. If you want to use one of the third-party payment processors, you would need to subscribe to their service.

4. It depends. If you are using an external payment processor (such as authorize.net), then all credit card info is handled securely through that other system and presumably they have taken care to secure their databases. The customer data entered into your local database is not encrypted and could be vulnerable to anyone who knows or can guess your MySQL password - but this would also be true of many other shopping cart options. If you use an external payment processor, credit card info is not stored in your local database, which is good.

5. Your choice of http or https. Be warned, though, that PowWeb's current https implementation means that many customers behind a firewall will not be able to access your https pages.

6. Visual appearance is whatever you want it to be. osCommerce is harder than some other options to customize visual appearance. "open source", in and of itself, is not relevant to this question.
__________________
Steve
Old 8-7-03, 04:15 PM   #3
faithfulltrav
 
Posts: n/a

Thanks Steve,

Quote:
4. ... The customer data entered into your local database is not encrypted and could be vulnerable to anyone who knows or can guess your MySQL password - but this would also be true of many other shopping cart options. ....

Does this mean that when the person's private info is in transit, that it's not encrypted? Bad news if that's what you mean.
 
Old 8-7-03, 05:37 PM   #4
stevel
XPW
 
 
Join Date: Jun 2002
Location: New Hampshire, USA
Posts: 9,464
Reputation: 265
No, the entering of the "personal data" is generally over an SSL-encrypted session, if I recall correctly. But it is stored in the database unencrypted. The info I'm referring to is name, address, e-mail, what they ordered, etc. So if someone had read access to your database, they could get all those details. This really isn't different than any other shopping cart solution that I am aware of.
__________________
Steve
Old 8-7-03, 05:40 PM   #5
stevel
XPW
 
 
Join Date: Jun 2002
Location: New Hampshire, USA
Posts: 9,464
Reputation: 265
I am going to suggest that PowWeb, at this time, is not a good place to set up an e-commerce site, only because of the shared SSL implementation and its limitations. If PowWeb fixes that, things would look a lot better.
__________________
Steve
Old 8-8-03, 04:20 PM   #6
faithfulltrav
 
Posts: n/a
Quote:
PowWeb, at this time, is not a good place to set up an e-commerce site, only because of the shared SSL implementation and its limitations.

What is shared SSL implementation and what are its limitations? I was really looking forward to using powweb. Now you've got me wondering...
 
Old 8-8-03, 05:02 PM   #7
stevel
XPW
 
 
Join Date: Jun 2002
Location: New Hampshire, USA
Posts: 9,464
Reputation: 265
Shared SSL means that the SSL certificate lists powweb.com as the domain, and not your own domain. There is currently no way for you to buy your own SSL certificate and have it "installed" on the server. So to access your site by SSL, you use a URL of the form https://servername.powweb.com:12345/yourfile.html , where 12345 is a unique (for you) port number that is how PowWeb's server associates the incoming request with your web site. If a user tried to access your SSL pages using your domain name, the browser would complain that the security certificate was invalid because the domains don't match.

The problem is that many business firewalls block web access to non-standard ports, thus if you have secure pages hosted on PowWeb, users behind such firewalls will get blocked by their firewall, and you lose the sale.

PowWeb has said that they are working on a new "SSL accelerator" implementation that could, perhaps, avoid both these problems. I have no idea what the timeframe for this is.
__________________
Steve

Last edited by stevel : 8-8-03 at 05:14 PM.
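
The two limitations described in this post, as an added example that is not part of the original thread or PowWeb's code: given a storefront URL and the DNS names on the server certificate, it reports a port that a web-only egress filter would drop and a certificate name that does not cover the host. The allowed-port set, the certificate names and the `example-shop.test` domain are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: a corporate firewall/proxy that only lets web traffic out on these ports.
EGRESS_ALLOWED_PORTS = {80, 443}

# Constructed sample: a shared certificate issued for the host's domain, not the shop's.
SHARED_CERT_NAMES = ["*.powweb.com", "powweb.com"]


def name_matches(pattern: str, host: str) -> bool:
    """Match one certificate DNS name; '*' may only stand for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse overly broad wildcards such as '*.com'.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def check_checkout_url(url: str, cert_dns_names: list[str]) -> list[str]:
    """Return the problems a customer's browser or firewall would raise for this URL."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return ["not-https"]
    problems = []
    port = parts.port or 443
    if port not in EGRESS_ALLOWED_PORTS:
        problems.append(f"port-{port}-blocked-by-egress-filter")
    host = parts.hostname or ""
    if not any(name_matches(name, host) for name in cert_dns_names):
        problems.append(f"cert-name-mismatch:{host}")
    return problems


if __name__ == "__main__":
    for url in (
        "https://servername.powweb.com:12345/yourfile.html",  # URL form from the post
        "https://www.example-shop.test:12345/yourfile.html",  # own domain, shared cert
        "https://www.example-shop.test/yourfile.html",        # own domain, port 443
    ):
        print(url, "->", check_checkout_url(url, SHARED_CERT_NAMES) or "ok")
```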
Old 8-8-03, 11:16 PM   #8
faithfulltrav
 
Posts: n/a

Thanks for your honesty. Apart from this whole ordeal you just revealed to me, I really think I like PowWeb.

Is it feasible to host all of the pages on PowWeb except for the Payment pages? (This would be a setup similar to PayPal. When you're on a PayPal-supported site, and you click on a PayPal link, it takes you to a PayPal page)?

I've spent a lot of time researching PowWeb and expected to use it. It's frustrating to think it's not a feasible site. Now I'm grabbing for straws.

If there is no way feasible to use PowWeb, do you have any recommendations for good e-commerce compatible hosts?
 
Old 8-9-03, 09:40 AM   #9
stevel
XPW
 
 
Join Date: Jun 2002
Location: New Hampshire, USA
Posts: 9,464
Reputation: 265
If it were the payment pages only, it would not be a problem. You could use authorize.net or any of a number of other payment processing systems. But if you're using osCommerce, the step of entering customer personal information is done through SSL-protected pages (unless you want to turn that off, which I don't recommend), and the firewall user will get blocked from these. You can play with it and see how it works for you.

If you're going to use PayPal's shopping cart, you can do that here, as it doesn't require SSL on the local server. You wouldn't use osCommerce for that. There are other shopping cart packages that don't use a local server - AmeriCart is one I looked at in the past.

I don't myself have an e-commerce site set up anywhere, so I can't offer recommendations on other hosts. I started to set one up here, but ran into the SSL problem at which point I stopped. Perhaps Jade Dragon or others could comment on this. I'm sort of hoping PowWeb will solve the problem before I feel the need to open the site.
__________________
Steve
Old 8-10-03, 12:09 AM   #10
faithfulltrav
 
Posts: n/a
Relief

This will work.

I've reviewed the americart.com site. It's a way I can use PowWeb, overcome this whole problem and still have SSL security.

Is there anything else I should know (or be warned about) before I use PowWeb? Since this is not my own site, but my client's, I can't afford any other unpleasant surprises, especially after registering.

Thanks for all your help.
Scott.
 
Old 8-10-03, 11:47 AM   #11
stevel
XPW
 
 
Join Date: Jun 2002
Location: New Hampshire, USA
Posts: 9,464
Reputation: 265
I assume you will NOT be using osCommerce, then... If so, I can't think offhand of any problems to be aware of. You should subscribe to a site monitoring service (I use www.websitepulse.com) so that you are aware of site outages, if any, before your client is! Keep up with the announcements and "Getting Started" sections of this forum to know what's going on.
__________________
Steve
Old 8-10-03, 12:28 PM   #12
Jade Dragon
 
Join Date: Sep 2002
Location: Eä, Realm of Arda, Land of Middle-earth.
Posts: 2,338
Reputation: 30
I believe stevel is incorrect on the HTTPS set up for powweb. I have requested that one of the admins post the official tech on the https security.

I have used OSC for a client since last Oct 2002 and have had no problems with security.

=)
Jade
Old 8-10-03, 03:53 PM   #13
stevel
XPW
 
 
Join Date: Jun 2002
Location: New Hampshire, USA
Posts: 9,464
Reputation: 265
I'll be very pleased if I am incorrect here, but I don't think so. I've seen the issue first-hand. Connecting to a web page through a non-standard port is blocked by many corporate and institutional firewalls.

With OSC, the "sign in" process takes place over HTTPS, and by default, you cannot place an order unless you are registered with an account and signed in. As soon as OSC switches to HTTPS to process the sign in process, you'll lose the customers behind corporate firewalls that block non-standard ports.

Jade, you may not have run into this for your customer base, but I have seen it myself as have others with other OSC sites. The only workaround I can see is to disable the use of SSL by OSC.

If PowWeb can change the shared SSL mechanism to one that does not require an explicit port number, then all should be fine.
__________________
Steve
Old 8-10-03, 05:30 PM   #14
James
admin
 
Join Date: Dec 2001
Posts: 1,577
Reputation: 65
I'm the one who told Jade that there was no loss of security, and there is not. However, Steve's not suggesting here that there is lost security because of our implementation; he's suggesting that some people may not be able to access your port because of firewalls. Though this is possible, we have not had many complaints about this. ISPs and the like usually block incoming requests to only non-standard ports, not outgoing. We do not currently block incoming, so for most people this would not be a problem. We are very close to implementing our SSL accelerator to get rid of the port numbers, and we will then be blocking all ports that are not standard to increase the security and reliability of our network. When we do this, all customers will automatically have an SSL URL to access their site, and for a fee we may even be able to install customers' very own SSL certs. We have not had much of a request for this as they are quite expensive, though I believe the cost for them is starting to come down like domain registration did.
Old 8-10-03, 06:21 PM   #15
stevel
XPW
 
 
Join Date: Jun 2002
Location: New Hampshire, USA
Posts: 9,464
Reputation: 265
Please note that I am not referring to ISPs, but rather business networks where the network administrator has installed a firewall and proxy server. Almost all major businesses have these, and most will reject outgoing requests except on particular ports that they want to have "open". My employer does this, as does my previous employer (for whom I'm now a contractor), and I've seen the effect on both networks.

I agree that there is not a loss of security IF you can make the https connection. But if you are running an e-commerce site and depend on an SSL connection to a non-standard port, customers behind a corporate firewall may not be able to shop at your site.
__________________
Steve
All times are GMT -4.