Comodo Verification & Encryption

You may be familiar with the lock symbol that presents on verified websites and I am using Comodo CA Limited for our website’s protection (www.neighbourhoodwatchshop.com.au).

The problem I have is that even though the device has been installed, it does not show up on the web pages that are visible to the world but it does present well when in Admin (https://www.neighbourhoodwatchshop.com.au/admin/index.php?cl=admin_start&stoken=97AB92BE)

As a clue, the Comodo Verification (lock) symbol does appear for a split second when the page is first loaded up but then disappears. I have no idea why this is or what to do. Any suggestions?

Cheers - Don

I see it in the upper right corner - with Opera (left side) and Firefox (right side)

But, for Opera the colors look different, no bright green but a weird gradient.

Thanks for your post Ray.

I looked at your jpg and think you may be mistaking the additional web page security referred to by Comodo as their “Hacker Proof” security.

For clarity, I am attaching the image that you would see if you logged on as an Administrator. The Lock symbol is quite clearly presented before the URL in the image. The image and words are pre-set by Comodo and one would think that if they present on the admin section, then they should present on the viewer's web page or actual web site.

I have loaded an image of the normal web page view for comparison.

Thanks - Don

ah yes - I see…

Did you specify the https details in config.inc.php?

I am not sure what you mean.

config.inc.php?

yes, to be found on root level

there you can / need to specify some paths and other things

those are the important parts:

        $this->sSSLShopURL  = null;            // eShop SSL url, optional
        $this->sAdminSSLURL = null;            // eShop Admin SSL url, optional

should be around line 30

I feel I am getting closer but still missing a vital part.

This is the code I currently have:


    /** @name database information */
    $this->dbHost = 'localhost'; // database host name
    $this->dbName = 'neigh_neighbourhoodwatchshop1'; // database name
    $this->dbUser = 'neigh_ShopAdmin'; // database user name
    $this->dbPwd = '***********'; // database user password
    $this->dbType = 'mysql';
    $this->sShopURL = 'https://www.neighbourhoodwatchshop.com.au'; // eShop base url, required
    $this->sSSLShopURL  = 'https://www.neighbourhoodwatchshop.com.au';            // eShop SSL url, optional
    $this->sAdminSSLURL = null;            // eShop Admin SSL url, optional
    $this->sShopDir = '/home/neigh/public_html';
    $this->sCompileDir = '/home/neigh/public_html/tmp';

    // UTF-8 mode in shop 0 - off, 1 - on
    $this->iUtfMode = 0;

From limited understanding there appear to be duplicate entries for the sShopURL and sSSLShopURL.

Could they be conflicting?

The Admin page works fine and shows off the security lock etc and it has even less pathway changes.

Does any of this make any more sense to you?

Thanks - Don

Typically sShopURL would use http (not https). But I don’t see an issue with using SSL for both if you want the entire shop to run under SSL. But have also never tried it…

Hi,

do you guys have access to Quora? A while ago there was an interesting thread about it:
Should an eCommerce site run 100% under SSL?

At the end of the day it turns out that it can take a lot of performance, so best practice is to encode only submitted data in forms to prevent man-in-the-middle attacks.

To be honest, I understand “Hacker proof” a bit differently, namely whether XSSes are possible, and I couldn’t determine what Comodo is doing from their website:

Regards

Hi Marco

Comodo’s Patent Pending “HackerProof” technology is more about making the customer feel good about the security I suspect. The company has been pushing this technology for a while and has a dedicated website for their Guardian products: http://www.hackerguardian.com

This website might give you a better insight as to what the product is all about: http://www.hackerguardian.com/help/starting_up_daily_scan.html

Quora is new to me but looks like an interesting resource - Thanks

Cheers - Don