un-secure payment pages

[Andy1735]

This is still happening. We had a customer try to pay invoice 16467. He reported he his page where he was to enter payment had "http://" in the header rather than "https://", and his browser did not show him the little "lock" icon to indicate he was safe. He did pay anyway but only because he talked to me directly and knew we were not trying to scam him.

I was able to replicate this a couple times simply by fooling around navigating back and forth between the shopping cart and product pages. I thought this was going to be fixed when we were moved to another server?

This is unacceptable as-is. We need a solution asap. We are getting one or two reports a week from existing customers that they are getting warnings about site security, and how many abandoned carts are happening because potential customers do not feel secure in entering payment info?

[Paige]

Andy, can you let me know how you were able to replicate this?

I agree this is a problem and needs to be addressed. A few of our clients have implemented whole site SSL since Google is favoring that, this could be a good patch for your problem.

Let me know

[Andy1735]

Thanks :)

Right now I am able to replicate this by logging in, and then using any link that doesn't has "http://" in it such as an external link. I can also do this simply by removing the "s" so the url is "http://" Once visiting a regular http:// link everything is lacking "https://" including payment pages

[Andy1735]

and, for reference, if I remove the "s" from https:// and reload from other sites like gmail, the page reloads with "https://" in it so it remains secure.

Whole site SSL sounds good to me as long as there isn't a performance hit?

[Paige]

I have just enforced this on your site, there is no performance issue, it is actually highly recommended

[Andy1735]

Awesome. Thanks!!

[Andy1735]

Adding to this thread. A user reported this message:

This webpage is not available

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

A secure connection cannot be established because this site uses an unsupported protocol.

[Andy1735]

Shane is seeing this on his computer as well.

[Paige]

This is actually the opposite of what is happening, your site is too secure for their computer.

Windows XP has stopped supporting the newest security updates, meaning we had the choice to either support old computers and have all new computers have the error OR have all old computers have the error. Soon everyone using XP (or older) will be having security problems through out the entire internet when server administrators slowly get up to date.

We strive to be one step ahead of all security standards to protect you and your customers. These are rolling out on a weekly basis now days with all the latest security threats.

We recommend if your customer is not planning on upgrading their computer for them to use Firefox, Firefox uses their own cipher suite (instead of the Windows one) so it is always up to date with the latest standards.

[Andy1735]

Kinda figured it was XP related, haha. Thanks!