Security of posting to SSL from non-SSL page
  • Security of posting to SSL from non-SSL page

    Hello, a client is looking to implement FaaS for their donations.

    I have a question / possible concern going from a NON-SSL page to an SSL POST request. We would be posting to FaaS which is SSL from our non-SSL form, which seems to be the normal implementation.


    So this raises a few questions for me:
    1. There will be no HTTPS visible when the user submits the form. The user may not know that the form is secure.

    2. The site could be vulnerable to MITM (man-in-the-middle) attacks.


    Please see the following for an explanation of number 2:

    http://stackoverflow.com/questions/6130436/is-posted-information-from-non-ssl-to-an-ssl-secure


    There seems to be some contention about the possibility of the second item, so before raising any red flags, I want to consider the probability of occurrence and accepted practice in this instance.

    Any insights would be greatly appreciated.

  • #2
    Good day!

    The FaaS processor does not process any transaction in production mode that is not being posted from a secure page. The referring URL has to be secure or the end user will get the following error:
    [Image: 2354-SecureFaaS.jpg (the FaaS alert shown to the end user)]

    During development we don't require SSL if the OrderMode is set to TEST (http://manual.clickandpledge.com/For...tml#Order_Mode).

    In TEST mode the test credit card is the only card that works. Once the OrderMode is set to Production, the FaaS processor will return the above ALERT if the referring URL is not secure (https://).

    I hope that answers your question.

    And yes, you are right: if the posting URL is not secure, a man-in-the-middle attack is quite possible, as the communication may be intercepted before hitting the secure server, and in the middle the data is not encrypted, which of course makes perfect sense.
    Regards,
    Click & Pledge Support Department

    On Salesforce? Help us by rating our app: Click & Pledge Donor Management on AppExchange

    Join us @ the educational webinars: https://clickandpledge.com/webinars/
    Live Support available Join between 3:00 - 3:30 p.m. ET Monday - Thursday: https://clickandpledge.com/webinars/
    Are you on Salesforce? Join us at the Power of Us Hub: https://powerofus.force.com/0F980000000CjpC

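    The two points raised in this thread (the original question about a plain-HTTP form page posting to an HTTPS endpoint, and the support reply about production orders being refused unless the referring URL is https://) can both be made concrete with a small audit script. The following is an added example and is not code from Click & Pledge or from the original posts; the function names, the OrderMode values `TEST`/`Production`, the `gateway.example`/`donate.example` hosts and the sample HTML are all assumptions made for the illustration.

```python
"""Added example (not Click & Pledge code) for the thread above.

audit_form_page(): given the URL a form page is served from and its HTML,
reports why a non-SSL page is a problem even when the form action is HTTPS:
the browser shows no HTTPS indicator, and a party on the path between the
browser and the plain-HTTP server can alter the page (including the action
URL) before the browser ever makes the encrypted POST.

production_referer_check(): a model of the gateway-side rule described in
the support reply (TEST mode exempt, production requires an https:// referrer).
Hostnames, mode strings and sample HTML are constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormCollector(HTMLParser):
    """Collect the action attribute of every <form> in a document."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            self.actions.append(dict(attrs).get("action") or "")


def audit_form_page(page_url, html):
    """Return findings for a page hosting a payment/donation form.

    The list is empty only when the page itself is served over HTTPS and
    every form on it posts to an HTTPS URL.
    """
    findings = []
    page = urlparse(page_url)
    if page.scheme != "https":
        findings.append(
            "form page served over %s: no HTTPS indicator for the user, and the "
            "page (including each form's action URL) can be altered in transit"
            % (page.scheme or "unknown scheme")
        )
    collector = _FormCollector()
    collector.feed(html)
    for action in collector.actions:
        # A relative or empty action posts back to the page's own origin,
        # so it inherits the page's scheme.
        target = urlparse(urljoin(page_url, action))
        if target.scheme != "https":
            findings.append(
                "form posts to %s over %s: card data would leave the browser "
                "unencrypted" % (target.netloc or page.netloc, target.scheme)
            )
    return findings


def production_referer_check(order_mode, referer):
    """Model of the rule in the support reply: TEST mode skips the check,
    production requires an https:// referring URL.

    A Referer header is supplied by the client and may be absent, so this
    guard steers merchants toward hosting the form over HTTPS; it is not a
    substitute for the merchant actually doing so.
    """
    if order_mode.upper() == "TEST":
        return True
    return bool(referer) and urlparse(referer).scheme == "https"


# Constructed sample pages used to exercise the audit (not real sites).
HTTP_PAGE_HTTPS_ACTION = """
<html><body>
<form method="post" action="https://gateway.example/FaaS/Post">
  <input name="CardNumber"><input type="submit">
</form>
</body></html>
"""

HTTPS_PAGE_HTTP_ACTION = """
<html><body>
<form method="post" action="http://gateway.example/FaaS/Post"></form>
<form method="post" action="/local-handler"></form>
</body></html>
"""

if __name__ == "__main__":
    for url, html in (("http://donate.example/give", HTTP_PAGE_HTTPS_ACTION),
                      ("https://donate.example/give", HTTPS_PAGE_HTTP_ACTION)):
        print(url)
        for finding in audit_form_page(url, html) or ["ok"]:
            print("  -", finding)
    print(production_referer_check("Production", "http://donate.example/give"))
```

    Running the script shows that the first sample page is flagged even though its action is HTTPS (the page itself is the weak link), while the second is flagged for the one form whose action is plain HTTP; the relative action inherits the page's HTTPS scheme and passes. The referrer model returns False for a production order referred from an http:// page, matching the behaviour the support reply describes.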


    • #3
      OK, then to be totally clear: we are responsible for securing the FORM PAGE on our site, and the form will use the remote cert when submitting the data.



      • #4
        Good day!

        YES - you need to secure your own page as it is your server and site.

        Please let us know if we can be of any further assistance.
        Regards,
        Click & Pledge Support Department

