e-commerce + security

We understand that shopping online can feel less than secure. We want you to be excited about your new purchase, not worried about security or hidden costs. At Venus Envy, your privacy is assured, your credit information is secure, and all your costs are up front.

No hidden costs

We find that too many online stores are vague about things like taxes and shipping prices.

When you make a purchase from our online catalogue, you are able to choose from a variety of clearly-priced shipping options. We calculate the taxes for you, and the amount you see is the amount you are charged. Because all our prices are in Canadian dollars, American customers are offered a currency converter using live rates to see the equivalent in USD.

Honesty + reliability

This page describes many of the secure programming techniques that we use to protect your privacy. But of course, the computer science of online security is only part of the issue of feeling secure when making purchases in cyberspace. There's also the question of knowing who you're dealing with. Venus Envy is an incorporated company based in Halifax, Nova Scotia. We have retail stores in Halifax and in Ottawa, Ontario, and have been in business since 1998. Follow the links from our home page for more information, including photos of our stores and a selection of the press (all good!) we have received over the years.

You can get the scoop from elsewhere as well: there is a 2002 review of our website at Jane's Guide, and a description of the Ottawa store at ottawaplus.com.

Secure Server

This web site uses a secure server to collect your personal billing and shipping information. All our pages that deal with your personal data reside on a secure server, meaning that all communication between your browser and our server is encrypted by the highest current standard for e-commerce — 128-bit SSL encryption. How secure is this encryption? According to the W3C Web Security FAQ: "To crack a message encrypted with such a key by brute force would take significantly longer than the age of the universe using conventional technology."

You might want to check out this concise and informative page on secure web sites at the University of Iowa.

Our secure server is identified in your web browser by the "secure connection" indicator (usually a lock icon in the status bar) and on the page itself by a picture of a padlock in the right column. You'll also see that the URL (web address) of our secure pages begins with "https" rather than "http" (the trailing "s" indicates a secure connection). For that matter, the secure server's address is https://secure.venusenvy.ca/ whereas our regular server is at http://venusenvy.ca/.

Because the catalogue pages run on a non-secure server and the shopping cart and checkout page run on a secure server, your web browser may give you warnings as you pass between them. This shouldn't be cause for alarm. We split the site between two servers because connections with secure servers are considerably slower (about 20% the speed) than with non-secure servers; in the interest of keeping our site speedy we use this security feature only where it really matters.

Encryption

A secure server encrypts data in transit. We also use encryption to protect your data on both ends of the web browser / web server interaction. Any information we provide to your web client (such as cookies) is encrypted to prevent any interception or misuse, and your sensitive information is also encrypted in storage on our web server to protect it here.

When we store customers' information, we encrypt or hash key elements such as credit card numbers and passwords. Credit card numbers, for instance, are encrypted using the Blowfish algorithm and one of a number of secret keys; passwords are stored in "salted hash" form: the password is hashed using the MD5 algorithm, then combined with some random data (the "salt") and hashed again with SHA256. We don't even know — and can't find out — what a customer's password is!
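The salted-hash storage described above, written out as an added example (this is not Venus Envy's code): the MD5-then-salted-SHA256 scheme next to the same record derived with PBKDF2, an iterated key-derivation function. The hex encoding, salt placement, 16-byte salt, record layout and all function names are assumptions, and PBKDF2 is not something the page says the site uses.

```python
import hashlib
import hmac
import os

def legacy_salted_hash(password: str, salt: bytes) -> str:
    # MD5 first, then salt + SHA-256, as in the paragraph above.
    # Assumed details: hex MD5 digest, salt prepended, hex output.
    inner = hashlib.md5(password.encode("utf-8")).hexdigest().encode("ascii")
    return hashlib.sha256(salt + inner).hexdigest()

def legacy_store(password: str) -> dict:
    salt = os.urandom(16)  # fresh random salt per account (size assumed)
    return {"scheme": "md5-sha256", "salt": salt.hex(),
            "hash": legacy_salted_hash(password, salt)}

def kdf_store(password: str, iterations: int = 600_000) -> dict:
    # Same record layout, but each guess now costs `iterations` HMAC
    # rounds instead of two fast hash calls.
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"scheme": "pbkdf2-sha256", "salt": salt.hex(),
            "iterations": iterations, "hash": dk.hex()}

def verify(password: str, record: dict) -> bool:
    salt = bytes.fromhex(record["salt"])
    if record["scheme"] == "md5-sha256":
        candidate = legacy_salted_hash(password, salt)
    elif record["scheme"] == "pbkdf2-sha256":
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        salt, record["iterations"]).hex()
    else:
        return False  # unknown scheme: fail closed
    # Constant-time comparison so timing does not leak matching prefixes.
    return hmac.compare_digest(candidate, record["hash"])

def upgrade_on_login(password: str, record: dict, iterations: int = 600_000):
    # The plaintext is only available at login, so that is the moment a
    # legacy record can be re-derived with the slower function.
    if not verify(password, record):
        return None
    if record["scheme"] == "md5-sha256":
        return kdf_store(password, iterations)
    return record
```

Because the record carries its scheme name and iteration count, old and new records can sit in the same table while accounts migrate one login at a time.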

We keep track of guest and customer shopping carts using session cookies. This is the most secure of the three methods to do so (the other methods involve using URL query strings and hidden form fields, both of which pose major security and privacy risks). We use a robust multiple-hashing scheme using SHA256 to set and validate this cookie data.

If you register and choose to be automatically signed in on return visits, then we store some relevant data in your web browser in the form of a cookie. We apply a robust method of verification and encryption (again involving Blowfish and SHA256) to make sure this data cannot be misused or misappropriated. Moreover, the information stored in the cookie cannot be used on its own to compromise your sign-in name and password.

All of the important cookie data we send to your browser is transmitted only over the secure SSL connection described above. This means that it's all but impossible for an attacker to intercept the data. And our use of encryption and hashing makes sure that the cookies will be useless even if they are somehow stolen from your computer.
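One way to set and validate cookie data like the session and sign-in cookies described above, as an added example rather than the site's own code. The page does not spell out its SHA256 scheme, so HMAC-SHA256 (the standard keyed, nested-hash construction) is swapped in here; the key, cookie name, payload fields and function names are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET_KEY = b"constructed-demo-key"  # placeholder; a real key stays server-side

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_cookie(session_id: str, ttl: int, now=None, key: bytes = SECRET_KEY) -> str:
    # The payload carries only an opaque session id and an expiry time:
    # no sign-in name, no password, nothing usable on its own.
    now = int(time.time()) if now is None else now
    payload = json.dumps({"sid": session_id, "exp": now + ttl},
                         separators=(",", ":")).encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return b64(payload) + "." + b64(tag)

def validate_cookie(value: str, now=None, key: bytes = SECRET_KEY):
    # Returns the session id, or None for malformed, forged or expired data.
    now = int(time.time()) if now is None else now
    try:
        payload_part, tag_part = value.split(".")
        payload, tag = unb64(payload_part), unb64(tag_part)
    except ValueError:  # wrong number of parts or bad base64
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # check the tag before parsing anything in the payload
    claims = json.loads(payload)
    if claims["exp"] <= now:
        return None
    return claims["sid"]

def set_cookie_header(value: str) -> str:
    # Secure keeps the cookie off plain-HTTP requests; HttpOnly hides it
    # from page scripts.
    return f"Set-Cookie: session={value}; Path=/; Secure; HttpOnly; SameSite=Lax"
```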

Application security

The programs that make this site function have been designed from the ground up with security in mind. This means, among other things, that they perform extensive input validation and output filtering to protect against common attacks such as SQL injection and cross-site scripting. We have also implemented a "fail-safe" design, meaning that even if an attacker forces a script error to occur (another method of attack), the results will not reveal any customer data or other information that would be valuable to the attacker.

Some of the resources that our web designer has found useful in planning our application security include:
