The business executives at my company are wondering why all web pages aren’t showing the “green bar” (EV cert) that they paid so much money for (ie, not all pages are under https :D), and although I tried to explain to them that SSL is only required for pages where some type of sensitive data is being passed (login, checkout, etc), they still want me to make it so that when a visitor lands on our website they will see the “green bar”.
Is there any reason that we should avoid setting up our unsecure_base_url to be under ssl? (besides the fact that it causes unneeded load on the webserver)
I’d explain to them that using SSL for all pages is complete insanity . The protocol is substantially slower that HTTP, it will crush SE ranking as Google will be ranking sites by page load speed in 2010.
Your green bar also won’t appear if any of the content isn’t fetched via HTTPS - that also includes dynamic JS requests - so if your template isn’t 100% correct, I’d imagine some content is being grabbed via HTTP rendering the page as insecure and subsequently dropping the “green bar”.
Studies have shown marginal increased conversion via displays of site seals - but with newer browsers offering multiple variants of coloured address bars (blue standard ssl / green extended ssl) - your average user won’t understand the difference. I’d approach a panel of prospective customers and see if they even knew how to verify if the page was secure or not!
Ultimately, there is absolutely nothing to be gained from running the entire store in SSL - but A LOT to lose. You could always test it to show them, make 2 store views and use a simple PHP modulus operand to assign 50% of people to each (with their store session set in a cookie). Then track via google analytics. The resultant conversion data for both stores after around 2 weeks should be proof enough as to which way to proceed.
We’ ll get a wrist slapping for this - but your the developer (I’m assuming!), it is your advice they follow, not the other way around
I would have to agree that its crazy to run your entire site under SSL. As you noted it crushes the server, and instead of actually making your customers feel “secure” it will simply piss them off as the site will be so slow they will simply leave in frustration.
My suggestion is that you create a “landing page” that offers a detailed explanation of your security implementations. You could also make a banner that sits atop the customers profile page and on all checkout pages as well to further this effort. I have run a Joomla based ecommerce site for 6 years now and I can assure you that as explained by the last post, the EV cert is actually a waste of money. I had it for one year and it made NO difference at all in sales compared to the 4 years prior...but it sure COST me more and in so doing lowered my profit margins. Some users in older versions of Firefox and in some themes will not even see it at all anyway as noted.
The most important issue is to ensure that when a page is suppose to be encrypted that all images and contact are actually encrypted so that your customers do not get the dreaded......(IE) This page contains non-secure content do you wish to continue message....wish I can tell you from experience will drive customers away in droves. The issue can be dealt with by ensuring that you do not cache SSL pages, which is a bad idea anyway.
@Sonasi , I really don’t agree with your statement that “Green bar doesn’t help much but lead to lose more”. If you’re an online seller and having store your customers trust is must as well as installing EV SSL help them to understand data is being transferred over the web is secured, It doesn’t matter what brand of ev ssl. Contact the support staff of respecting ev ssl provider to help you out in this case, if problem has been already solved than post what was the actual reason behind it.
Magento I have implemented SSL and it works perfectly.
It is inappropriate to put in all the store Magento SSL (SEO, time, processing, ..)
but my question is ...
if you want to put a page on SSL (type “Contact") Could do? Do you know how?
I think this flexibility with the use of SSL is important.
Well, inspite of you offering an explanation if your client still insists on having an SSL for all the pages, you don’t have any option other than do so. If the client encounters issues with indexing and crawling as suggested by others, you may revert it back and cover only the crucial pages of the site. After all we need to follow the principle “Customer is God”
Trying to understand my options and how to implement them....
So if I decided I want the Green or Blue highlighting that EV SSL produces in the browser on every page, how do I configure magento to use HTTPS for all website resources? And If I decided that I only want to us the SSL encription for the payment screens, how do I configure that?
I think a good balance for me is to have the browser display the GREEN EV SSL on only the home page and all payment pages .. IE collection of user information,Credit card info. How would I do that?
Thank you in advance for time to answer my questions
John
SSL is required on eCommerce website. Say for example if you would ask to enter Credit Card or PIN number of your Debit Card then what you will do? You will definitely not enter your PIN or Credit Card Number reasons why it is not secure, so SSL is required on eCommerce website.
One more question arise that Do you need SSL on all pages of ecommerce website? The answer is yes, because if they ask for your personal information they you will not provide if it is not secure.
Can someone please provide some new information—as the previous posted asked, how do you make a particular page (especially the contact page) secured? What do I put in local.xml?
