We at Microburst Technologies, Inc. take security very seriously, but in
order to ensure that transactions are indeed secure, it is up to you to
setup uShop correctly. This reference page describes how
uShop Security works and how to configure uShop correctly
in order to ensure secure transactions.
- How uShop Security Works
- uShop Security Requirements
- Configuring uShop For Secure Transactions
- The "data" Directory On Your Secure Server
1. How uShop Security Works
In order to ensure that sensitive payment information gets securely from
the customer to the store owner, uShop implements a two step process.
Step 1 is securely getting the order information from the customer to a file
on the secure server. Step 2 is securely getting the order file from the
secure server to the store owner. This process works in correlation with
your secure server's SSL communication protocol and at no time is sensitive
payment information sent via email. This is illustrated in the figures below.
2. uShop Security Requirements
uShop itself does not implement any encryption mechanism, but rather
relies on the standard SSL protocol that is used when communicating with a
secure server. That is, the encryption is handled external to uShop -
by your browser and your secure server. Thus, in order to make transactions
secure, you must have a secure server upon which you can install
uShop's CGI script
3. Configuring uShop For Secure Transactions
In order to configure uShopTM
to handle secure transactions, you must
install the uShopTM
CGI Script on a secure server....and in particular,
be sure that when specifying the script's URL in question #4 of the script
configuration question, that you use the secure URL of the script on your
(beginning with https
). See the
User's Guide for more information about configuring the
uShop CGI Script.
4. The "data" Directory On Your Secure Server
As described in the installation section of the uShopTM
you need to create a "data" directory on your secure server. This directory is where
the order files will be stored on your server, so the ushop.pl script must have
permission to read/write to that directory. The trick is that while the directory must
be readable/writable by the uShop CGI script, this directory must not have
permissions set so that any website visitor can view the contents of your data directory.
That is, it is very important that your data directory is not viewable by regular
For UNIX servers, the ideal permissions on this directory is 700 which indicates that
only the owner has read/write/execute permissions. However, depending on how your server
is setup, CGI scripts when executed from the web may run as 'nobody' or 'www'. In this
case, you may have to use cgi-wrap or increase the permissions on the data directory to 733
or even, 777.
For NT servers, the directory needs to have read/write permissions. You may have to ask
your web hosting provider to give that directory those permissions because regular FTP
programs can't change the permissions of directories on NT servers.
In any case, the
thing to remember is that your data directory must not be
viewable by regular website visitors
. To test this out, try going to the URL of your
data directory, such as the data directory on our website:
You should get some sort of "permission denied" message. If instead you are permitted
to see a listing of your data directory, then contact your web hosting provider to get
your account setup so that your cgi-bin is not viewable by website visitors
. Your web
hosting provider should know how to do this.