<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
If there has to be a cost, which is only reasonable since it's a
commerce application, ideally it ought to be a one time (shareware)
cost, with a free setup/testing period. <br>
<br>
My modestly limited experience (30k/year selling disc golf targets for
several years) via Shop Factory ecommerce is there may be some
additional items of security concern or perhaps options for webware
development that may be I missed in the presentation. <br>
<br>
When someone bought something via Shop Factory, (<a
href="http://shopfactory.com/">shopfactory.com</a>)<br>
<br>
* The purchase info (including credit card info) is sent to me via pgp
encrypted email. <br>
* This email, when decrypted, contained the purchase info, including
credit card info. <br>
* I'm not sure how ShopFactory deals with PayPal or similar systems --
I avoided the extra overhead in using these 3rd party payment systems,
which can be significant for smaller operations. <br>
* No customer's purchase or private info is ever stored at the site. <br>
* There is a cookie option that stored their shopping info on a
customers own computer, if they were set up for accepting cookies. If
they didn't accept cookies, they'd just have to reenter their info each
visit. <br>
* There was NO option in the earlier versions of Shopfactory to set up
a user account for returning customers. <br>
* Shopfactory had a currency conversion option. You click on the
currency icon to change currency's at the site during your visit.<br>
* There were various ways to set up various shop wide discount sales
and promotions. <br>
* There are ways to manage items offered for sale via excel data files.
This makes managing and updating data very easy. <br>
* There were various options for determining shipping costs. <br>
<br>
FYI, my current dental clinic site (drfredc.com) uses a Shopfactory
ecommerce solution as a means for prospective patients to estimate
their costs for various procedures so they check prices against their
current/past dentist. It operates as a portal (window) in my pmwiki
site via includeurl to the shopfactory folder/url. I get lots of
positive comments from new patients about the site. I'd love to be
able to change it over to a pmwiki estore for various reasons,
particularly if management could be done via an excel (or
OpenOffice.calc) file. For this sort of application, security isn't
that big of an issue, since it never gets to the point of someone
putting in an order via credit card. <br>
<br>
Always, Fred C<br>
<br>
marcus wrote:
<blockquote cite="mid:480BBFC9.4060806@wordit.com" type="cite">
<pre wrap="">I have been working on the security issues involved with using an
ecommerce solution in pmwiki. Peter and I have been discussing these
before completing the recipe, which I see as doable otherwise.
Here are the three vulnerable areas I can recognise, and below are
suggested solutions.Comments would be appreciated. This involves storage
data files only. Files which store visitor adresses and phone numbers
while orders are being processed. Only these files, which could be using
CSV to store info used by the online shop.
1) Wiki pages
2) Server intrusion/crack
3) Interception between server and browser
-------------------------------
Solutions:
1) Provide a way that scripts can read/write to pages for data storage,
but pmwiki will not display them. This could be achieved in a similar
way that the Draft feature handles filenames (notice pmwiki will not
display the Draft files directly because they contain a comma), or we
could use Group.Page.Data. pmwiki would not display those. This is not
absolutely necessary if 2) is well implemented, but it would be another
layer of security.
2) Server-side encryption and decryption, e.g. GnuPG (gpg) or openssl
command line apps. Shared password stored in file readable only by
owner, and piped to application.
3) SSL (<a class="moz-txt-link-freetext" href="https://">https://</a>). It turns out SSL is quite low cost now. You can get
certificates for $15 per year. My host provides a dedicated IP (SSL
requirement) for $2/mo.
The only cost free alternative would be to SSL would be Javascript
encryption (also decrypted on client in browser). The problem is that JS
may be blocked by firewalls, or disabled in browsers. Many people have
programs scrutinising JS code and they may block the script. So you
cannot rely on a JS solution.
I think if a secure ecommerce solution is achieveable in pmwiki it would
make it even more popular. I've been using OSCommerce for a few years
and there's just so much bulk to that and similar applications.
Thanks for any comments, suggestions, code.
Marcus
_______________________________________________
pmwiki-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:pmwiki-users@pmichaud.com">pmwiki-users@pmichaud.com</a>
<a class="moz-txt-link-freetext" href="http://www.pmichaud.com/mailman/listinfo/pmwiki-users">http://www.pmichaud.com/mailman/listinfo/pmwiki-users</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Always, Dr Fred C
<a class="moz-txt-link-abbreviated" href="mailto:drfredc@drfredc.com">drfredc@drfredc.com</a></pre>
</body>
</html>