Announcement

Collapse
No announcement yet.

Security of posting to SSL from non-SSL page

Collapse
X
Collapse
 
  • Page of 1
  • Filter
  • Time
  • Show
Clear All
new posts
Previous template Next
  • CnP.Support
    replied
    Good day!

    YES - you need to secure your own page as it is your server and site.

    Please let us know if we can be of any further assistance.

    Leave a comment:

  • jeremyj
    replied
    Ok, then to be totally clear, we are responsible for securing the FORM PAGE on our site and the form will use the remote cert when submitting the data.

    Leave a comment:

  • CnP.Support
    replied
    Good day!

    The FaaS processor does not process any transaction in production mode that is not being posted from a secure page. The referring URL has to be secure or the end user will get the following error:
    Click image for larger version Name: 2354-SecureFaaS.jpg Views: 1 Size: 44.0 KB ID: 15643

    During the development we don't require SSL if the OrderMode is set to TEST (http://manual.clickandpledge.com/For...tml#Order_Mode)

    In TEST mode the test credit card is the only card that works. Once the OrderMode is set to Production the FaaS processor will return the above ALERT if the referring URL is not secure (https://)

    I hope that answers your question.

    & yes you are right- if the posting URL is not secure the man-in-the-middle attack is quite possible as the communication may be intercepted before hitting the secure server and in the middle data is not encrypted- which of course makes perfect sense.

    Leave a comment:

  • jeremyj
    started a topic Security of posting to SSL from non-SSL page

    Security of posting to SSL from non-SSL page

    Hello, a client is looking to implement FaaS for their donations.

    I have a question / possible concern going from a NON-SSL page to an SSL POST request. We would be posting to FaaS which is SSL from our non-SSL form, which seems to be the normal implementation.


    So this raises a few questions for me
    1. There will be no HTTPS visible when the user submits the form. The user may not know that the form is secure.

    2. The site could be vulnerable to MITM (man in the middle) attacks


    Please see the following for an explanation of number 2

    http://stackoverflow.com/questions/6130436/is-posted-information-from-non-ssl-to-an-ssl-secure


    There seems to be some contention about the possibility of the second item, so before raising any red flags, I want to consider the probability of occurrence and accepted practice in this instance.

    Any insights would be greatly appreciated
    Tags: None
Previous template Next
Working...
X