This post follows on from parts one and two of my blog series on website security, which covered what it is and what to look for in order to judge whether a site is acceptably secure. This final part discusses how to make your site's pages secure and some of the potential problems when operating secure web pages.
I am running a website that needs to be secure; what do I need to know?
Firstly, based on the above, you need a secure certificate (an SSL certificate) to enable SSL, so that your pages are served at https addresses and the browser displays the padlock icon. This gives your customers the peace of mind they need in order to carry out a transaction on your website.
How do I obtain a secure certificate?
There are many different companies that supply secure certificates and there are a number of different Certificate types available. Generally the options are as follows:
A certificate that only validates the ownership of the domain name
A certificate that verifies the company that has acquired the certificate as well as the domain name
An “Extended Validation” (EV) certificate that does the same as the previous two and also makes the browser address bar itself show a security indication.
The cost of each of the three options increases with the level of verification required, and the purchase price will also vary depending on the company that is issuing the certificate.
A request for a new certificate can be made directly with a certificate provider or one of their agents/resellers. EAOM currently recommends and resells certificates issued by Thawte.
As a website publisher what do I need to be aware of?
Don’t assume that obtaining the necessary SSL certificate and attaching it to the appropriate pages within the website will, on its own, give your customers the confidence they require. Problems arise, causing confusion and uncertainty (and ultimately putting some people off making a purchase), when some of the elements of a secure page are not coming from a secure location.
Ultimately, a web page is made up of the main document and a collection of component parts (assets). If the component parts are not coming from a secure location, even though they are included on a secured page, the browser will report a problem (commonly called a “mixed content” warning) and the customer will see a warning.
Again, like the padlock, this warning appears differently depending on the browser and version, but the sentiment of the message is the same!
Seeing anything like this during the checkout process is bound to cause uncertainty and could be a barrier when trying to make a sale.
Any images or scripts that are loaded from a separate file and included within your secured page must also be served securely. This may mean that you have to either use secure (https) source URLs (web addresses) for the files or, if possible, place the assets on the domain that you have already secured. The latter may not always be an option. However, most providers of third-party scripts appreciate that you will need to include them on your secure pages, so they should give you the ability to do this.
For example, this is the script required for Google AdWords conversion tracking. It would normally be placed on the order confirmation page (order receipt page) of your eCommerce website, which would usually be a secure page:
<!-- Google Code for Purchase a Product Conversion Page -->
<script type="text/javascript">
/* <![CDATA[ */
var google_conversion_id = 999999999;
var google_conversion_language = "en";
var google_conversion_format = "3";
var google_conversion_color = "ffffff";
var google_conversion_label = "ypgDCPr-9gIQnqSd1gM";
var google_conversion_value = 0;
/* ]]> */
</script>
<script type="text/javascript" src="http://www.googleadservices.com/pagead/conversion.js"></script>
<noscript>
<div style="display:inline;">
<img height="1" width="1" style="border-style:none;" alt="" src="http://www.googleadservices.com/pagead/conversion/986141214/?label=ypgDCPr-9gIQnqSd1gM&guid=ON&script=0"/>
</div>
</noscript>
In the source code supplied by Google (AdWords) the files that are linked to come from a non-secure (http) location. If the tracking is being attached to the page by your website developers, then (if they are worth their salt) they should be aware of the potential issues and adjust the code accordingly. However, if you are responsible for attaching the scripts yourself using your website content management system, you will need to adjust any URLs that link to images or external scripts so that they use the https (secured) version of the URL.
e.g.
https://www.googleadservices.com/pagead/conversion.js
https://www.googleadservices.com/pagead/conversion/986141214/?label=ypgDCPr-9gIQnqSd1gM&guid=ON&script=0
Before you attempt to use these external links in your content, you can test whether they are available securely by placing them directly in your web browser’s address bar.
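The checks described in the last few paragraphs, as an added example that is not part of the original post: a small Python script (standard library only) that scans a page's markup for assets referenced over plain http, which is exactly what triggers the browser warning on an https page, and rewrites those references to https. The sample page, the conversion ID 000000000 and the label EXAMPLE are constructed placeholders modelled on the AdWords snippet above, not Google's real values.

```python
"""Added example: find 'mixed content' (http:// assets on an https page) and
rewrite the offending URLs to https://. Not code from the original post."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Tag/attribute pairs that pull in sub-resources. When any of these points at
# a plain http:// URL inside a page served over https, the browser flags it.
ASSET_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "source": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "object": ("data",),
    "embed": ("src",),
}


class MixedContentScanner(HTMLParser):
    """Collects (tag, attribute, url) for every asset fetched over http."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names for us.
        for wanted in ASSET_ATTRS.get(tag, ()):
            for name, value in attrs:
                if name != wanted or not value:
                    continue
                url = value.strip()
                # Relative paths ('/logo.png') and protocol-relative URLs
                # ('//cdn.example/x.js') inherit https from the page, so only
                # an explicit http scheme is a problem.
                if urlsplit(url).scheme == "http":
                    self.findings.append((tag, name, url))


def find_mixed_content(html):
    """Return a list of (tag, attribute, url) for insecure asset references."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def rewrite_to_https(html):
    """Return the markup with each flagged http:// asset URL switched to https://.
    Only the exact URL strings the scanner found are replaced, so the rest of
    the markup is left untouched."""
    for _, _, url in find_mixed_content(html):
        parts = urlsplit(url)
        secure = urlunsplit(("https",) + tuple(parts[1:]))
        html = html.replace(url, secure)
    return html


# Constructed sample: a checkout page containing a tracking snippet with two
# http:// references, plus assets that are already fine.
SAMPLE_PAGE = """<html><body>
<script type="text/javascript" src="http://www.googleadservices.com/pagead/conversion.js"></script>
<script src="https://cdn.example/already-secure.js"></script>
<img src="/images/logo.png" alt="">
<link rel="stylesheet" href="//cdn.example/style.css">
<noscript><img height="1" width="1" alt=""
  src="http://www.googleadservices.com/pagead/conversion/000000000/?label=EXAMPLE"/></noscript>
</body></html>"""


if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_PAGE):
        print(f"insecure <{tag} {attr}>: {url}")
    print("remaining after rewrite:", find_mixed_content(rewrite_to_https(SAMPLE_PAGE)))
```

The scanner only looks at the static markup, so anything a script fetches at runtime (for example, further resources requested by conversion.js itself) will not be listed, and rewriting a URL to https does not prove the host actually serves it securely; that is what the address-bar test above confirms. Run the rewritten URLs through that check, or through the scanner again after publishing, before relying on them.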
In a nutshell, there is little point going to the lengths of getting all of the necessary security in place only to compromise customer confidence when they see warnings or errors that can be prevented.
Part 3 (and final) Summary
Hopefully, from reading the last three blog posts about website security, you are now aware of what security is, some of the terminology, how to check secure pages, how to acquire a secure certificate to make your site secure, and how to check that it is operating successfully.
The series discussed what web site security is and the technologies involved, the user experience and what an end user would (or should) be looking for to give them peace of mind that a web site is secure, and finally some of the specific things that need to be considered (including potential pitfalls) when running a secure web site.