-2

I tested two websites on SSL Labs. Which one is better for secure payment?

https://www.ssllabs.com/ssltest/analyze.html?d=senpay.vn

https://www.ssllabs.com/ssltest/analyze.html?d=alepay.vn

Soteri
  • We are not going to assess these sites for you as you now seem to want to include PCI-DSS and an assessment of how easy it might be to hack. – schroeder Jan 25 '20 at 14:58

1 Answer

1

The rating of the SSL configuration only provides a small aspect of rating the security of a site. The SSL rating describes only how the transport is protected between the client (browser) and the server, and in this area both sites provide about the same, currently sufficient, protection. As long as the transport protection is sufficient (which it is), it does not really matter if one is a bit more secure in numbers than the other.

What is more important instead is the internal security of these services, i.e. how they protect customer data in their internal network and on storage, how easily they might get hacked, if they sell customer data, etc. The SSL rating is no reliable indicator of how secure and privacy-friendly the majority of the service is. Even a hacker can get a publicly trusted certificate and create a website with a perfect SSL rating, while still serving malware on this site.

Steffen Ullrich
  • I see, but both websites have PCI DSS certification – Thu nGHIEN Jan 25 '20 at 01:32
  • @ThunGHIEN then you need to define what you mean by "security". – schroeder Jan 25 '20 at 10:47
  • @ThunGHIEN: PCI DSS basically says that common best practices related to payment security are implemented, which is a good step to reducing risks. But it is no guarantee of 100% security of payments, which does not exist anyway - companies still get hacked despite PCI DSS compliance, only it is less likely. And it does not really cover privacy or other non-payment related risks. – Steffen Ullrich Jan 25 '20 at 11:03
  • @schroeder: I mean secure, more of a challenge for the hacker to steal the sensitive data – Thu nGHIEN Jan 25 '20 at 11:59
  • @ThunGHIEN: "I mean secure, more challenge for the hacker to steal the sensitive data " - Since TLS only cares about transport security and both have sufficiently secure TLS configurations there is no practical difference in security in this area. And again, transport security is only a small part of the security and it is impossible to infer from the TLS rating how the rest of their security is. – Steffen Ullrich Jan 25 '20 at 15:05