https and ssl

[Corey Bryant]

Thanks for the info Corey,

But I still have some some confusion,

How does this SSL certificate make a page become https?

It does not really make it https - you point to https in your URL so that you call the page in a secure manner. The cert establishes a secure connection between the server and the browser and encrypts the transfer

1) I need to ask my host provider to set me up with https. If this assumption is true then how do I make only certain pages https and others just http?

You need an SSL cert. To get an SSL cert from Geotrust, etc - you need to have a CSR. I do not think that if you are on a Windows platform you can generate your own CSR, you can ask your hosting company to generate one for you.

2) I need to have my host provider install a CSR and my purchased certificate.

The hosting provider will generate the CSR and then give that to the SSL provider (Geotrust, Verisign) and then the SSL provider will generate an SSL cert based on that CSR

3) Many of these shopping cart demos that I look at have sensitive info being collected on http pages not https - This would lead me to believe that this is insecure.

That is a correct assumption. If it does not have the secure icon lock in the lower right hand corner (on IE) then the page is not secure.

4) An https page protects info from the users browser to the server that is hosting the page. If this is true what about tramsmitting the info to the Payment Processing server and receiving the results back.

Everything should be transmitted using HTTPS. You will post information to the electronic payment gateway (LinkPoint, Verisign's Payflow, Authorizenet.com) and they will post information to the transaction processor (First Data / Nova) and they will either authorize the transaction or post to the issuing bank and then give you the answer back if the transaction was approved or not.

5) In order to do any eccomerce I need to get set up with a merchant account which involves substantial fees - ( anything over 10 dollars is substantial to me ). I am assuming that this merchant account must be issued by the Payment processor. Does this involve me setting up some sort of merchant account at a bank?

You need a merchant account and if you are in the United States there are usually no set up fees involved for a merchant account. For an electronic payment gateway - there might be a set up fee involved. And then there are usually discount rates and transaction rates. LinkPoint does not have a transaction rate while Verisign's payflow gives you 1,000 free transactions and Authorizenet.com usually charges about $.10

6) From what I am seeing, even if I try to do most of the programming myself, I am still facing many monthly fees and setup fees.

a) setup and monthly fees to have https

b) merchant account setup and monthly fees

c) SSL cert fee

d) fees to install CSR and SSL cert

e) fees to get set up with a payment processor ( ie Authorize.net )

Yes definitely fees of some type since they are in business to sell you these services.