Belinda Johnson wrote:
> Well, as expected, I didn't make any friends at BuySharpSigns yesterday.

Firstly, do you really need to do business with them? Perhaps it's just my interpretation of their email, but I find it rather rude and quite frankly I'd walk away.

> [ ... removed lots of stupidity from "them" ... ]

Depending on how they've treated you personally, I would consider letting their bank know that they don't use SSL, as they don't consider the industry standard data encryption methodology good enough. Worse still, rather than use something else they use nothing between the browser and server, and respond to questions with FUD or, as you Americans might say, BS.

SSL is a protocol. It is used with server software and ensures that all communications between the browser and the server are encrypted, so information such as your credit card number can't be seen in transit.

You don't need a Verisign certificate to encrypt your data. One buys a certificate to help prove who you are; in itself it is not an encryption mechanism, but it helps to prove to others who you are. The seller of the certificate is a trusted third party (Verisign/Thawte/whomever); they should make some checks on your domain, and on the company that owns the domain. This is so anyone visiting the site can be reasonably sure you are who you say you are. When I bought a cert for my domain I had to send copies of various documents proving that I owned my company. IIRC I had to show my birth certificate, which is cool 'cos it's in Welsh!

Anyway, see here: https://www.eurodrama.com/ You should get a dialogue box warning about the cert, as it hasn't been authenticated by a trusted third party. I generated my own cert. The data will still be encrypted, but you don't really know who I am. (Because a trusted third party doesn't know me.)

Now see https://secure.britstream.com No warning, because that cert has been trusted. In fact I use this cert/server for most of my clients that don't have their own IP and don't really require their own cert/IP: https://secure.britstream.com/~corx/

With their system, when I complete a form the data will be sent from my browser to their server in plain text. It really doesn't matter that they firewall their own server; anybody with sniffing tools pointed at their domain/IP can "overhear" all the plain text conversation between browser and server, and because of this thread someone right now is doing just that. In fact, even if it was encrypted they could still overhear it, but seeing as it looks like this:

qMnpH+RAAW/LHkUFnRZ6xAWy3c5xWVL3WchQ11vnTB2BkihjFSZvLd/RiC63vHMJ

even if it's sniffed it means nothing to the snooper.

Sessions are just a method of keeping concurrent user-actions separate. Nothing more clever than that. Certainly they have no real impact on the security of the server.

While they don't _need_ a Verisign/Thawte certificate, they do need SSL.

Kind regards,
Liam Delahunty
Mega Products Limited, 10-11 Moor Street, London W1D 5NF
t: 020 7434 4201/2 f: 0870 135 8412 m: 07941 589 061
http://www.liamdelahunty.com/ web/ design/ database/ programming
http://www.britstream.com/ Hosting/ Domain Names From UKP 7.50 p.a.
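As an added illustration of the point made in the post above (this is not Liam's code, and the host name and certificate are constructed for the example), the Go program below generates a self-signed certificate, serves it over loopback, and connects to it three ways: trusting nobody (the warning dialogue), skipping verification (still encrypted, but the owner is unknown), and after a trusted party has vouched for the cert (no warning).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// Connect reproduces the post's comparison with a freshly generated, self-signed
// certificate served over loopback. trusted=false is the eurodrama case (the
// client has never heard of the issuer, so it gets the warning); trusted=true is
// the britstream case (a party the client trusts has vouched for the cert).
// skipVerify is "click past the warning": encrypted either way, owner unknown.
func Connect(trusted, skipVerify bool) error {
	const host = "secure.example.test" // constructed name, not a real site
	// Key generation and self-signing cannot fail with these inputs, so their errors are not checked.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv) // self-signed: issuer == subject
	leaf, _ := x509.ParseCertificate(der)
	roots := x509.NewCertPool() // empty: the client trusts nobody yet
	if trusted {
		roots.AddCert(leaf) // the "trusted third party" step, collapsed to one line
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() { // server side: accept one connection and run its handshake
		if s, err := ln.Accept(); err == nil {
			tls.Server(s, &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: priv}}}).Handshake()
			s.Close()
		}
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{ServerName: host, RootCAs: roots, InsecureSkipVerify: skipVerify})
	if err == nil {
		cli.Close() // handshake done: from here on every byte on the wire would be ciphertext
	}
	return err
}
```

Connect(false, false) fails with an unknown-authority error, which is exactly the browser's warning; Connect(false, true) and Connect(true, false) both succeed, showing that the encryption does not depend on who vouches for the certificate.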