HTTPS Only

Following modern security and SEO best practices (as dictated by Google), Kiva Logic only allows HTTPS traffic.

CloudFlare

Kiva Logic uses CloudFlare as a Web Application Firewall and as a Global CDN. A few crypto settings that we always use:

images/alwaysusehttps.jpg

  • we set CloudFlare to Always Use HTTPS, so it only serves traffic over https
  • we use Opportunistic Encryption (automatic https rewrites) so that any content still referencing an image or other resource over http is loaded over https
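To make the second setting concrete, here is an added example (not CloudFlare's or Kiva Logic's code) that does at application level what automatic https rewrites do at the edge: it rewrites http:// sub-resource references in HTML to https:// so a page served over HTTPS does not trigger mixed-content warnings. The allow-list of hosts known to support HTTPS, the attribute names scanned and the sample page are constructed assumptions; like the real setting, it leaves hosts alone that it cannot assume serve HTTPS, since forcing https:// on a host with no TLS listener breaks the resource instead of fixing the warning.

```python
"""Rewrite http:// sub-resource references to https:// (mixed-content fix).

Constructed example, not Cloudflare's implementation. HTTPS_HOSTS is an
assumed allow-list standing in for the edge's knowledge of which hosts
actually serve HTTPS (e.g. hosts on the HSTS preload list).
"""
import re
from urllib.parse import urlsplit

# Attributes that load sub-resources or navigate; regex is fine for a demo,
# a real rewriter should use a tolerant HTML tokenizer.
_ATTR_RE = re.compile(
    r'\b(src|href|srcset|action)\s*=\s*(["\'])(.*?)\2', re.IGNORECASE | re.DOTALL
)


def _rewrite_one(url, https_hosts):
    """Rewrite a single http:// URL to https:// if its host is allow-listed."""
    cleaned = url.strip()
    parts = urlsplit(cleaned)
    if parts.scheme.lower() != "http":
        return url  # already https, relative, data:, etc.
    if (parts.hostname or "") in https_hosts:
        return "https://" + cleaned[len("http://"):]
    return url  # unknown host: leave it, do not risk breaking the resource


def _rewrite_srcset(value, https_hosts):
    """srcset holds comma-separated 'url [descriptor]' candidates."""
    candidates = []
    for cand in value.split(","):
        pieces = cand.strip().split(None, 1)
        if not pieces:
            continue
        pieces[0] = _rewrite_one(pieces[0], https_hosts)
        candidates.append(" ".join(pieces))
    return ", ".join(candidates)


def rewrite_mixed_content(html, https_hosts):
    """Return (new_html, number_of_attributes_rewritten)."""
    count = 0

    def repl(m):
        nonlocal count
        attr, quote, value = m.group(1), m.group(2), m.group(3)
        if attr.lower() == "srcset":
            new = _rewrite_srcset(value, https_hosts)
        else:
            new = _rewrite_one(value, https_hosts)
        if new != value:
            count += 1
        return f"{attr}={quote}{new}{quote}"

    return _ATTR_RE.sub(repl, html), count


# Constructed sample page: three fixable references, two that must be left.
SAMPLE_HTML = (
    '<img src="http://cdn.example.com/logo.png">\n'
    '<script src="http://cdn.example.com/app.js"></script>\n'
    '<img srcset="http://cdn.example.com/a.png 1x, http://other.example/b.png 2x">\n'
    '<a href="http://legacy.example.net/">old</a>\n'
    '<img src="https://cdn.example.com/ok.png">\n'
)
KNOWN_HTTPS_HOSTS = {"cdn.example.com"}  # assumed allow-list

if __name__ == "__main__":
    out, n = rewrite_mixed_content(SAMPLE_HTML, KNOWN_HTTPS_HOSTS)
    print(f"{n} reference(s) rewritten:\n{out}")
```

Running it on the sample page rewrites the two cdn.example.com src attributes and the first srcset candidate, and leaves legacy.example.net untouched.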

Transport Layer Security (TLS)

images/tls13.jpg

images/min-tls.jpg

To encourage people to use more modern browsers, we enable TLS 1.3, and by request we can set the minimum allowed TLS version for each of our customers. For example, if you no longer want to allow TLS 1.0 connections, we can set the minimum allowable TLS version to 1.1.
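A way to verify that such a minimum is actually enforced, as an added example (not Kiva Logic's or CloudFlare's code): attempt one handshake per TLS version with the client pinned to exactly that version, then compare the result with the agreed minimum. The target host is a placeholder, and the policy check is kept as a pure function so it can be exercised on recorded results.

```python
"""Probe which TLS versions a server accepts and check them against a
minimum-version policy. Added example; host name is a placeholder."""
import socket
import ssl

VERSIONS = [
    ("TLS 1.0", ssl.TLSVersion.TLSv1),
    ("TLS 1.1", ssl.TLSVersion.TLSv1_1),
    ("TLS 1.2", ssl.TLSVersion.TLSv1_2),
    ("TLS 1.3", ssl.TLSVersion.TLSv1_3),
]
ORDER = [name for name, _ in VERSIONS]


def probe_tls_versions(host, port=443, timeout=5.0):
    """Return {version_name: accepted} with one handshake attempt per version.

    Caveat: a False can also mean the *local* OpenSSL build refuses to offer
    that deprecated version, so confirm with an independent report (such as
    the SSL Labs one) before concluding the server rejects it.
    """
    results = {}
    for name, version in VERSIONS:
        ctx = ssl.create_default_context()
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
        except (ValueError, ssl.SSLError):
            results[name] = False  # client cannot even configure this version
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[name] = tls.version() is not None
        except (ssl.SSLError, OSError):
            results[name] = False
    return results


def versions_below_minimum(results, minimum="TLS 1.2"):
    """Names of legacy versions the server still accepts (empty if none)."""
    floor = ORDER.index(minimum)
    return [v for v in ORDER[:floor] if results.get(v)]


def min_tls_policy_ok(results, minimum="TLS 1.2"):
    """True when nothing below `minimum` is accepted AND at least one version
    at or above it is. Both matter: a server that accepts nothing is not
    compliant, it is broken."""
    floor = ORDER.index(minimum)
    modern = [v for v in ORDER[floor:] if results.get(v)]
    return not versions_below_minimum(results, minimum) and bool(modern)


if __name__ == "__main__":
    target = "example.com"  # placeholder host
    res = probe_tls_versions(target)
    for name in ORDER:
        print(f"{name}: {'accepted' if res[name] else 'refused'}")
    print("min TLS 1.2 policy ok:", min_tls_policy_ok(res, "TLS 1.2"))
```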

Payment Processing

images/hostedbystripe.jpg

We use hosted payment forms: when customers enter or update their payment information, they do so in a form that is generated by and connected directly to the payment gateway, not hosted by our servers. This way, no payment data ever touches any of the Kiva Logic servers or infrastructure.

When a customer submits payment information, it is processed directly by the payment gateway, which then simply returns a token that we use for future payment processing. We never have access to payment data, only tokens that tell our payment gateways which account we are billing; the gateways handle all the actual payment processing.

For more information, see Stripe developer documentation: https://stripe.com/docs/payments/checkout

SSL Report

images/qualsys-report.jpg

Using the Qualys SSL Labs SSL Report, you can see how well (or how poorly) a website handles https. The above image shows a recent report we ran on one of our favorite customers' domains. You can run the test yourself by visiting the Qualys SSL Server Test.

HTTP / HTTPS Header Check

images/headercheck.jpg

Another useful tool for seeing which headers are returned when you access a site over http is run by webconfs.com. Enter a domain name and the test shows whether a plain http connection is allowed or whether the user is forwarded to the https version.

In the above image, we check the domain moinkbox.com. The results show a permanent 301 redirect to https://moinkbox.com, which tells us that plain http is not allowed.

Check out HTTP/HTTPS Header Check by Webconfs.com

SSL Installation Diagnostics Tool

Another SSL certificate checker is an excellent tool by DigiCert called the DigiCert SSL Installation Diagnostics Tool. Click the above image for a larger version, in which you can see that all SSL certificate tests have passed successfully.

Command Line HTTP/HTTPS Check

images/wgetexample.jpg

If you run a Linux machine, you can also use the command 'wget -p http://somewebsite.com' to see the headers and redirects. In the example above, when we try to load http://moinkbox.com we see the 301 redirect to https, and a further redirect to https://www.
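The same check the header tool and the wget run above perform, as an added example written for this page (not webconfs.com's or wget's code): follow the redirect chain from a plain http:// URL hop by hop and decide whether https is enforced. The fetch function is pluggable, so the chain logic runs here against constructed responses that mirror the moinkbox.com result (http, 301, https, 301, https://www, 200); the real HEAD-based fetcher is included for use against a live host.

```python
"""Follow an http:// redirect chain and report whether https is enforced.
Added example; FAKE_RESPONSES are constructed, not captured traffic."""
import http.client
from urllib.parse import urlsplit, urljoin

REDIRECTS = (301, 302, 303, 307, 308)


def fetch_head(url, timeout=10.0):
    """Real fetcher: one HEAD request, returns (status, lowercase headers).
    Deliberately does NOT follow redirects; the caller records each hop."""
    parts = urlsplit(url)
    secure = parts.scheme == "https"
    conn_cls = http.client.HTTPSConnection if secure else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port or (443 if secure else 80), timeout=timeout)
    try:
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", path, headers={"Host": parts.netloc})
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def redirect_chain(url, fetch=fetch_head, max_hops=10):
    """Return [(url, status), ...] ending at the first non-redirect response.
    If max_hops is exceeded (a redirect loop is a real misconfiguration) the
    last entry has status None."""
    chain = []
    current = url
    for _ in range(max_hops):
        status, headers = fetch(current)
        chain.append((current, status))
        if status in REDIRECTS and "location" in headers:
            current = urljoin(current, headers["location"])  # Location may be relative
            continue
        return chain
    chain.append((current, None))
    return chain


def https_enforced(chain):
    """True only if the http:// start was redirected (never served content)
    and the chain ends on an https:// URL with a final, non-redirect status."""
    if not chain or urlsplit(chain[0][0]).scheme != "http":
        return False
    final_url, final_status = chain[-1]
    return (
        chain[0][1] in REDIRECTS
        and urlsplit(final_url).scheme == "https"
        and final_status is not None
        and final_status not in REDIRECTS
    )


# Constructed responses mirroring the moinkbox.com run, plus a site that
# still answers over plain http (constructed host name).
FAKE_RESPONSES = {
    "http://moinkbox.com/": (301, {"location": "https://moinkbox.com/"}),
    "https://moinkbox.com/": (301, {"location": "https://www.moinkbox.com/"}),
    "https://www.moinkbox.com/": (200, {}),
    "http://plain.example/": (200, {}),
}


def fake_fetch(url):
    return FAKE_RESPONSES[url]


if __name__ == "__main__":
    chain = redirect_chain("http://moinkbox.com/", fetch=fake_fetch)
    for hop, status in chain:
        print(f"{status}  {hop}")
    print("https enforced:", https_enforced(chain))
```

Note that https_enforced also fails a site whose chain ends on https but with another redirect, or one that loops; both show up in the returned chain so the misconfiguration is visible rather than hidden behind a single pass/fail.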

Chrome no longer displays http/https

images/lockicon.jpg

As of 2019, the Chrome browser no longer displays 'http' or 'https' in the browser URL bar. This has led to a slight increase in customer service emails, simply because customers or potential customers are used to seeing 'https' and may be unaware that Chrome has decided to hide it in the URL.

images/clicktoseehttps.jpg

If you copy and paste the URL or click to edit it, then Chrome will show you whether the URL contains http or https. Google is trying to get people used to looking for the lock icon (or its absence) instead of for http/https.

You can read more about Chrome removing https/www on ghacks.net here

We disagree with this decision by Google, but over time it may become more familiar to people. As of now, it usually just makes people confused.

Firefox & Chrome No Longer Displaying EV Certificate info

Another major change (starting with Chrome 77, released in September 2019) is that both Chrome and Firefox plan to stop displaying Extended Validation (EV) certificate information. Read more here.

PCI Compliance

We use hosted forms from the payment gateways that Kiva Logic is integrated with, so no credit card data ever touches our servers. This qualifies our customers for the simplest and most basic level of PCI compliance, SAQ A. It is also the most secure way to handle sensitive payment data.
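The hosted-form design in the Payment Processing section and the SAQ A scoping here both rest on one boundary: the application's own endpoints accept only gateway tokens, never card data. This added example (not Kiva Logic's or Stripe's code) shows a server-side guard that enforces that boundary, rejecting any payload that names a card field or contains a Luhn-valid 13 to 19 digit run, so a misrouted form or a bug cannot quietly put a card number on the application's side of the line. The field names, token prefixes and sample payloads are constructed assumptions.

```python
"""Guard that keeps raw card data out of the token-only payment API.
Added example; field names, token prefixes and payloads are constructed."""
import re

# Fields that belong to the gateway's hosted form and must never reach us.
FORBIDDEN_FIELDS = {"card_number", "cardnumber", "pan", "cvv", "cvc", "exp_month", "exp_year"}
_DIGIT_RUN = re.compile(r"(?:\d[ -]?){13,19}")  # digits with optional space/dash separators


def luhn_valid(digits):
    """Luhn checksum, the same check a card-number field validator runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value):
    """True if a string contains a Luhn-valid run of 13-19 digits."""
    if not isinstance(value, str):
        return False
    for m in _DIGIT_RUN.finditer(value):
        if luhn_valid(re.sub(r"[ -]", "", m.group(0))):
            return True
    return False


class PaymentDataRejected(ValueError):
    """Raised when a request would carry card data into our infrastructure."""


def accept_payment_token(payload, token_prefixes=("tok_", "pm_")):
    """Validate a payload and return the only record we are allowed to store:
    our customer id plus the gateway-issued token. Any forbidden field or
    PAN-looking value is rejected before it can reach storage or logs."""
    for key, value in payload.items():
        if key.lower() in FORBIDDEN_FIELDS:
            raise PaymentDataRejected(f"field {key!r} belongs in the hosted form, not here")
        if looks_like_pan(value):
            raise PaymentDataRejected(f"field {key!r} contains card-number-like data")
    token = payload.get("gateway_token")
    if not isinstance(token, str) or not token.startswith(token_prefixes):
        raise PaymentDataRejected("missing or malformed gateway token")
    if payload.get("customer_id") is None:
        raise PaymentDataRejected("missing customer_id")
    return {"customer_id": payload["customer_id"], "gateway_token": token}


# Constructed sample payloads (the card number is a well-known test number).
GOOD = {"customer_id": 42, "gateway_token": "tok_constructed_example"}
LEAKED_PAN = {"customer_id": 42, "gateway_token": "tok_x", "note": "card 4111 1111 1111 1111"}

if __name__ == "__main__":
    print(accept_payment_token(GOOD))
    try:
        accept_payment_token(LEAKED_PAN)
    except PaymentDataRejected as exc:
        print("rejected:", exc)
```

The rejection message deliberately names the field, not its value, so the guard itself never copies a card number into an error log.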

Learn More about Kiva Logic & PCI Compliance:

Questions or comments?

If you have any questions or comments, we're happy to answer; just shoot us an email. If you can provide a copy/paste of the URL in question, a screenshot, or anything else, that would also be very helpful.

If you believe you've found an error/bug/issue, please follow our responsible disclosure policy.