Originally posted by dotty
The alert box tells them that the URL on the ssl is different to the URL on the site and this freaks people.
That's right. This should freak people out. This is part of what SSL is supposed to do: it's a trusted and encrypted communication path between a client and its host.
The idea is, if I'm buying stuff on buysite.com (silly names used as an example), I won't trust using pr0npay.com's SSL cert to make my payment (assuming pr0npay.com is on the same server, same IP and owns the SSL certificate). Here, the 2 domain names don't match. Each SSL certificate is keyed to the domain name. If a domain is using another domain's SSL, the user needs to be aware of this because this is not jiggy.
The right way to do SSL (a few approaches):
1. Set up the domain name on its own IP address (1 cert per IP address per domain). Get IP. Get SSL cert using domain name and IP address. Install cert and then https://yourdomain.com will work without popups.
2. Properly configure 1 domain with SSL (see #1). The domain should have a generic name otherwise people will get freaked out. For example, let's say you have a shopping cart on "yourstore.com". You want it to use SSL, but you can't afford it so you use your buddy's site which has SSL. Your buddy's site's domain name is "pr0n.com". You would have to walk the user through the cart process, and when they're about to enter their credit card info, you MUST redirect the user to pr0n.com's web site. You have some big issues to deal with here:
   1. How are you going to transmit the checkout info to pr0n.com? If you do post/get, the user can modify this so keep this in mind (hint: let curl hold a private conversation with pr0n.com)
   2. pr0n.com should set up some nice pages that look somewhat like your site. If not, the user might freak and ditch payment.
   3. How will pr0n.com tell your server everything went ok or not ok? (see hint in #1)
   4. Check for session hijacking and other nasty things. The switch over to another server for payment can open security risks for yourself and those making payment.
I don't recommend the 2nd method. It can be done and I worked in a shop that did this. The difference was we managed EVERYTHING - the payment site and all the client sites that talked to the payment server as well as maintained the private network between them.
Basically, there's no easy way to cheat SSL. It's not designed to be cheated. Just fess up and pay the extra couple bucks for the IP and SSL cert and you'll be much happier (as well as your customers).
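The name check behind that alert box, as an added example that is not part of the original post: a client compares the hostname it asked for against the names in the certificate it was served. The function names are hypothetical, the certificate contents are constructed, and the dict layout is assumed to follow what Python's `ssl` module returns from `getpeercert()`.

```python
# Added example: why serving another domain's certificate triggers a warning.
# Certificate data is constructed; domain names are the post's own examples.

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate dNSName against the requested hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if p[0] == "*":
        # A wildcard covers exactly one leftmost label and needs at least
        # two fixed labels after it, so "*.com" is rejected.
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in pattern:
        return False  # partial or non-leftmost wildcards are not honoured here
    return p == h

def cert_names(cert: dict) -> list:
    """dNSName entries from subjectAltName; fall back to CN only without SAN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]

def check_site(hostname: str, cert: dict) -> str:
    """Return 'ok' or a mismatch message like the one a browser would raise."""
    names = cert_names(cert)
    if any(dns_name_matches(n, hostname) for n in names):
        return "ok"
    return "mismatch: %s is not covered by certificate for %s" % (
        hostname, ", ".join(names) or "(no names)")

# Constructed certificate: issued to pr0npay.com, shared by the whole server.
PR0NPAY_CERT = {
    "subject": ((("commonName", "pr0npay.com"),),),
    "subjectAltName": (("DNS", "pr0npay.com"), ("DNS", "www.pr0npay.com")),
}

if __name__ == "__main__":
    # The shop borrows its neighbour's certificate: the names do not match.
    print(check_site("buysite.com", PR0NPAY_CERT))
    # The certificate's owner uses it on its own name: no warning.
    print(check_site("pr0npay.com", PR0NPAY_CERT))
```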