SECURITY ISSUE: Fix the HTTPS issues with your website (mcssl)
My website is secure, using https, and I am also using https product links.
2-Step (My preferred method)
When a visitor clicks one of these links, they are taken to a NON-SECURE mcssl page (mcssl is removing the https by redirecting to a www). I tested to see if it were possible for this page to "be" secure, by adding an https:// to the front of that url and it DOES show the green secure Lock. So, why does mcssl specifically remove the secure url if it is able to be secure?
I was told by customer service that using 1-step product links instead of 2-step links will remedy this, since the 1-Step form collects customer info so that page HAS to be secure. Well, they ARE CORRECT, that page is secure, however, when a customer clicks a secure product link on my secure website, mcssl redirects to a NON-SECURE url first, then redirects to the secure 1-step page. So, even though the page they eventually land on is secure, there was a brief moment of vulnerability.
If this is a new customer, I realize they haven't input credit card info etc, yet so it may not seem critical. But, here are a few areas of concern.
1. Security - Browsers are smart (and so are people). Visitors get alerts from their browsers and mobile devices when "secure" pages send them to "non-secure" pages. Which, as we all know, in the checkout process, seeing one of these alerts, causes fear and presents serious risk... which is the LAST thing I assume you would want, as a Shopping Cart company.
2. API limitations - If this communication (between your customer's stores & your payment system) breaks a "secure-connection" then your api will never be able to seamlessly connect for returning customers.
**Example. We offer a subscription product, which means our customers' information is stored on our website to give them access to content based on their orders through 1SC. If a member is logged in and wishes to upgrade their service, they should be able to simply click upgrade (choose an option, confirm the cost) then hit submit, without needing to go back through the entire checkout process. Since the secured-transfer of information is broken (as mentioned above, mcssl is for some reason specifically removing this secure link) your API will not be able to pass this type of info. This is simply one of many variations of possible options that could help provide better, more secure options for its customers.
Please let me know if you'd like more details.
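The redirect chain described in the post above (secure product link, then a non-secure hop, then the secure 1-Step page) can be audited hop by hop. This is an added example, not part of the original post or of the cart vendor's code; the host names and paths in the sample table are constructed placeholders, and `audit_redirect_chain` and `live_fetch` are hypothetical helper names.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed stand-in for live responses: URL -> (status, Location header).
SAMPLE_RESPONSES = {
    "https://www.cart.example/buy?item=1": (302, "http://www.cart.example/buy?item=1"),
    "http://www.cart.example/buy?item=1": (302, "https://cart.example/checkout/1step"),
    "https://cart.example/checkout/1step": (200, None),
}

def live_fetch(url, timeout=10):
    """Issue one GET without following redirects; return (status, Location)."""
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.hostname, u.port, timeout=timeout)
    try:
        conn.request("GET", (u.path or "/") + (f"?{u.query}" if u.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def audit_redirect_chain(start_url, fetch=live_fetch, max_hops=10):
    """Walk the chain hop by hop; return (chain, findings)."""
    chain, findings, url = [start_url], [], start_url
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            break
        nxt = urljoin(url, location)  # Location may be relative
        if urlsplit(url).scheme == "https" and urlsplit(nxt).scheme == "http":
            findings.append(f"downgrade: {url} -> {nxt}")
        looped = nxt in chain
        chain.append(nxt)
        if looped:
            findings.append(f"loop at {nxt}")
            break
        url = nxt
    else:
        findings.append("max hops exceeded")
    if urlsplit(chain[-1]).scheme != "https":
        findings.append(f"final page is not HTTPS: {chain[-1]}")
    return chain, findings

if __name__ == "__main__":
    chain, findings = audit_redirect_chain(next(iter(SAMPLE_RESPONSES)), SAMPLE_RESPONSES.__getitem__)
    print(" -> ".join(chain))
    print("\n".join(findings) or "no findings")
```

Calling `audit_redirect_chain(url)` with the default fetcher runs the same check against a real product link; a chain with no findings stays on HTTPS at every hop.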
Lamp Post Homeschool commented
Adding HTTPS TO www.mcssl.com will fix this problem. It only works on mcssl.com without the www.
The other solution is to take the www. off of product links to the shopping cart.
I am putting in a support ticket for this issue. It is a very easy fix and your customers will love it.
Singing Success Inc. commented
P.S. This affects ALL of your customers, since the non-secure mcssl page is universal and shared for all of your members. Removing the https (redirecting to www) should be a very simple bug fix but may have MASSIVE improvements/results from correcting it.