We at Microburst Technologies, Inc. take security very seriously, but in
order to ensure that transactions are indeed secure, it is up to you to
set up uShop correctly. This reference page describes how
uShop Security works and how to configure uShop correctly
in order to ensure secure transactions.
- How uShop Security Works
- uShop Security Requirements
- Configuring uShop For Secure Transactions
- The "data" Directory On Your Secure Server
1. How uShop Security Works
In order to ensure that sensitive payment information gets securely from
the customer to the store owner, uShop implements a two-step process.
Step 1 is securely getting the order information from the customer to a file
on the secure server. Step 2 is securely getting the order file from the
secure server to the store owner. This process works in conjunction with
your secure server's SSL communication protocol, and at no time is sensitive
payment information sent via email. This is illustrated in the figures below.
2. uShop Security Requirements
uShop itself does not implement any encryption mechanism, but rather
relies on the standard SSL protocol that is used when communicating with a
secure server. That is, the encryption is handled externally to uShop,
by your browser and your secure server. Thus, in order to make transactions
secure, you must have a secure server upon which you can install
uShop's CGI script.
3. Configuring uShop For Secure Transactions
In order to configure uShop™ to handle secure transactions, you must
install the uShop™ CGI Script on a secure server. In particular,
when specifying the script's URL in question #4 of the script
configuration questions, be sure that you use the secure URL of the script
on your secure server (beginning with https). See the
uShop™ User's Guide for more information about configuring the
uShop CGI Script.
4. The "data" Directory On Your Secure Server
As described in the installation section of the uShop™ User's Guide,
you need to create a "data" directory on your secure server. This directory is where
the order files will be stored on your server, so the ushop.pl script must have
permission to read/write to that directory. The trick is that while the directory must
be readable/writable by the uShop CGI script, this directory must not have
permissions set so that any website visitor can view the contents of your data directory.
That is, it is very important that your data directory is not viewable by regular
website visitors.
For UNIX servers, the ideal permissions on this directory are 700, which indicates that
only the owner has read/write/execute permissions. However, depending on how your server
is set up, CGI scripts when executed from the web may run as 'nobody' or 'www'. In this
case, you may have to use cgi-wrap or increase the permissions on the data directory to 733
or even 777.
For NT servers, the directory needs to have read/write permissions. You may have to ask
your web hosting provider to give that directory those permissions because regular FTP
programs can't change the permissions of directories on NT servers.
In any case, the thing to remember is that your data directory must not be
viewable by regular website visitors. To test this out, try going to the URL of your
data directory, such as the data directory on our website:
http://www.uburst.com/cgi-bin/ushop/data/
You should get some sort of "permission denied" message. If instead you are permitted
to see a listing of your data directory, then contact your web hosting provider to get
your account set up so that your cgi-bin is not viewable by website visitors. Your web
hosting provider should know how to do this.
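
The two checks described in this section, as an added example that is not part of uShop or its User's Guide: it reports what the data directory's mode grants to accounts other than the owner and group, and classifies the response a visitor gets for the data directory URL. The function names and the listing heuristics (an "Index of" title or links in a 200 page) are assumptions, and the sample directories are constructed.

```python
import os
import stat
import sys
import tempfile
import urllib.error, urllib.request

def other_access(path):
    """What accounts other than the directory's owner and group may do."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {"mode": format(mode, "03o"),
            "list": bool(mode & stat.S_IROTH),    # read the order file names
            "write": bool(mode & stat.S_IWOTH),   # create, delete, rename files
            "enter": bool(mode & stat.S_IXOTH)}   # open a file by known name

def classify_http(status, body):
    """Judge the response a visitor gets for the data directory URL."""
    if status in (401, 403):
        return "denied"
    if status == 200 and ("index of" in body.lower() or "<a href" in body.lower()):
        return "listing-exposed"
    return "review"  # anything else needs a manual look

def fetch(url):
    """Fetch the URL, returning (status, body) even for 4xx/5xx replies."""
    try:
        with urllib.request.urlopen(url, timeout=10) as r:
            return r.status, r.read(65536).decode("latin-1")
    except urllib.error.HTTPError as e:
        return e.code, e.read(65536).decode("latin-1")

def audit(path, status, body):  # combine both checks into a list of findings
    acc, findings = other_access(path), []
    if acc["list"]:
        findings.append("mode %s: other local accounts can list order files" % acc["mode"])
    if acc["write"]:
        findings.append("mode %s: other local accounts can add or delete files" % acc["mode"])
    verdict = classify_http(status, body)
    if verdict != "denied":
        findings.append("URL check: " + verdict)
    return findings

def sample_dir(mode):
    """Constructed sample: a scratch directory with the given mode."""
    d = tempfile.mkdtemp()
    os.chmod(d, mode)
    return d

if __name__ == "__main__" and len(sys.argv) == 3:
    print(audit(sys.argv[1], *fetch(sys.argv[2])) or "no findings")
```

Run on the server, it takes the path of your data directory and the URL of that directory as its two arguments. A 700 directory behind a "permission denied" response produces no findings, while 733 and 777 are reported because they let other accounts on the same server add or delete order files.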