Many store owners are uncertain whether they should add SSL to their site, citing reasons such as cost and the complexity of setup.
Here are the things to consider:
SSL (today, TLS) encrypts the communication between your customer's browser and your web server. This means nobody in between (someone spying on the internet traffic in a cafe, wifi hotspot or library, for example) can read or tamper with what the customer sends you.
If your site collects credit card details directly on a page inside your store (i.e. it does not redirect to a bank or payment gateway site to collect card details for payment), then YES, you absolutely MUST use SSL to protect your customers' payment information.
If you have SSL enabled in your hosting account (something you arrange with your hosting company directly), then you can tell Zen Cart your SSL URL, and Zen Cart will automatically use that URL when presenting pages that deal with sensitive information: login, account creation, password changes, checkout, and also your admin pages.
Zen Cart will not use SSL on pages that don't deal with sensitive information (such as a customer browsing your products), since SSL isn't needed there; it uses SSL only on the sensitive pages. If your hosting allows it, serving the whole store over SSL is the safer choice, since a logged-in customer's session cookie is sent with requests to the non-SSL pages too unless the cookie is flagged Secure.
If your payment collection is ALWAYS handled offsite via another gateway that uses SSL on its own site, then *your* site does not "technically" require SSL, insofar as it is not handling credit card details. BUT if you don't have SSL enabled on your site, someone eavesdropping could still steal your customers' passwords, names, addresses and email addresses as they fill in the various forms on your store. They could then use that information to log in to those accounts and impersonate the customers. While they couldn't make purchases with the customers' banking/credit card data (Zen Cart doesn't store any banking or card data), they could request the cancellation of an order, or contact you under the customer's name while not actually being the customer, and so on.
So adding SSL to your site closes off that kind of account takeover and impersonation.
There are typically two kinds of costs associated with SSL:
1. The certificate itself (a dedicated certificate specific to your site is recommended)
2. Installation/activation of the certificate in your hosting account
Your hosting account needs to be able to offer SSL. With many hosting companies this has traditionally meant a plan that offers a dedicated IP address. Many plans include this for free, or offer it for a couple of dollars per month.
iSO Network now hosts your site on a server which is SNI enabled; in other words, you do NOT need a dedicated IP address for SSL to work properly.
SNI stands for Server Name Indication and is an extension of the TLS protocol. The browser sends the hostname it is contacting at the very beginning of the handshake, in its ClientHello message. This allows a server to serve multiple SSL certificates from one IP address and port.
When someone visits your website, their browser/client connects to the web server and sends it the hostname of the page it wants. With an SSL/TLS connection this process is a little more complicated: the browser requires a digital certificate from the server before it can even tell the server which page it wishes to access, because the request itself is only sent inside the encrypted connection. The browser then compares the name on the certificate with the name of the site it is trying to connect to.
If the names match, the connection proceeds as normal. If they do not match, the visitor will not see your website but a warning message, possibly followed by the browser refusing the connection, because a mismatched certificate could indicate a man-in-the-middle attack. Without SNI, this is why every website that uses SSL had to have its own IP address: the web server used the destination IP address to work out which website the visitor wanted and to send the right certificate to the browser or client.
Because the number of IP addresses is limited, requiring every website to have its own IP address causes problems in the long term. Server Name Indication (SNI) is the solution. Browsers that support SNI send the name of the website the visitor wants during the initialisation of the secured connection, before any certificate is chosen, so that the server knows which certificate to send back. This lets browsers/clients and servers that support SNI serve multiple certificates for multiple domain names from one IP address, and a visitor to your website or webshop will not notice any difference. (Very old browsers and clients that do not send SNI receive the server's default certificate instead, and will see a name-mismatch warning if that certificate isn't yours.)
A dedicated certificate is strongly recommended, for both branding and technical reasons. A dedicated certificate is issued for your store's own hostname, so the URL stays the same as your store's and customers see no confusing change. It also works out of the box with no special setup beyond the basics: tell Zen Cart the SSL URL, turn the enable-SSL setting on, and you're done.
While it's possible to use a shared certificate, this can confuse customers when the URL of your store suddenly changes to your hosting company's URL on protected pages, which becomes a branding/identity issue. Some cheaper hosting companies also configure shared certificates in very odd ways that cannot be made to work with the industry standards Zen Cart follows (specifically when the shared-SSL server/certificate is on a different server from the one holding your store's files). A shared certificate could, however, let you run multiple stores from one IP address if you didn't care about the branding issue.
Installing an SSL certificate is specific to your hosting account. Work with your hosting company or follow their FAQ documentation to buy and install an SSL certificate in your hosting account.
Last but not least, before you enable SSL in Zen Cart, make sure you can visit your site using your SSL URL without getting server errors or certificate warnings in the browser.