I've been reading this with interest as it coincided with me getting a FreeSSL from GeoTrust. We use an online CC processor (WorldPay) who collect all the info and money for us. With our new web design their page is in a frame on our site, which means the lock doesn't show up. At the top of the page there are instructions with a link to click to open the page in its own window so you get the lock if you want it.
Now a few days ago I noticed an order came through our site and the new client bailed at this point, so I emailed them to see why. He said it was because (a) no lock showed and (b) the page asked for the 4 digit security code from his card. He therefore decided we were a risk and just farming credit card numbers. He didn't read the instructions at the top about getting the lock to show.
Now, one of the first questions that was raised in my head is "what risk did he have?". It seems to me that in pretty much 100% of cases the client has zero risk. They can just claim they didn't receive the goods and Visa or whoever will give them their money back. Educating the end-user of this fact I think will remove one of the biggest blocks to users buying online. Virtually all of the risk is with the merchant, not the buyer. As it stands, the buyer has just been educated "lock good - no lock bad" even though from their perspective it makes virtually no difference.
The incidence of packet sniffers or man in the middle attacks stealing CC data off the 'net is insignificant. Compared to hacks into servers to steal the data it's close enough to zero as to be zero. The use of certificates as an ID of the merchant is virtually meaningless. Heck, who am I anyway? The great majority of users just care about the lock, and they only care about that because they've been taught to care about the lock. They have all the protection they need, they just don't know it.
Having said that, if you can have the encryption, why not have it, but the pain and cost of CA is often just not worth it. Anyway, the end of the ramble is that we got a FreeSSL just so the lock appears for the framed ordering form.
Cheers!
david
