Curl / Https

HP400

If I am posting to a secure(https) url from a non-secure website would that be a security risk? Using curl to post data for credit card processing.

bokehman

No. The SSL connection is at a lower layer than the POST data. i.e. The SSL connection is established before POST data is sent.

My answer relates to sending a form from a client to a server. I don't where you get the idea cURL would be involved in this process.

MarkR

Yes it would be a security risk, and it also probably violates the policy of the payment service provider.

bokehman: The OP is referring to a server-server https post, NOT via a form from a web browser.

I frequently use non-secure sites to post to a HTTPS site from a payment provider, but only in a development environment, where I don't have live data, nor do I connect over an untrusted network.

Mark

bokehman

I can't think of any reason why someone thinking of doing e-commerce wouldn't fork out $20 for an SSL certificate.

MarkR

SSL certificates cost more than $20. Also, there is a cost associated with installing, maintaining them.

Mark

bokehman

MarkR wrote:
SSL certificates cost more than $20. Also, there is a cost associated with installing, maintaining them.

They start at $16 from GoDaddy.Com and if you are being charged for installation maybe you should think about changig hosts. The only previso is a unique IP for each individual certificate.

MarkR

bokehman wrote:
They start at $16 from GoDaddy.Com and if you are being charged for installation maybe you should think about changig hosts.

I'm talking about the cost of my own time to set the stuff up. It usually takes me quite a while.

I have no idea what GoDaddy.com offer for $16, but I'm pretty sure it has absolutely no authentication whatsoever in it, I can't see how they can authenticate anybody for $16, even in the USA.

Mark

bokehman

All their certificates are authenticated before issue, but so what if they were not? They would provide exactly the same level of encryption. And setting up an SSL certificate and key is simply a matter of of putting them in the certificate directory, (normally apache2/conf) and adding another SSL virtual host to ssl.conf. About 60 seconds work in total.

Weedpacket

bokehman wrote:
They would provide exactly the same level of encryption.

But no security. All it assures the user is that they have an encrypted communication channel with someone. To use Bruce Schneier's analogy; you're invited into a darkened soundproofed room and sat down at a table with someone else. You're assured that no-one will be able to hear or see what goes on inside this room, so do you feel free to spill all your secrets to this other person?

bokehman

Weedpacket wrote:
But no security.

Since the question was being asked by the webmaster himself I'm sure he knows if he's a villian or not. From my point of view though it looks as if he is trying to protect his clients, and certainly not from himself.

Weedpacket

But the question was about security. Besides, it still doesn't help: what if his site is hijacked by a phisher with their own GoDaddy-supplied certificate?

bokehman

Weedpacket wrote:
what if his site is hijacked by a phisher with their own GoDaddy-supplied certificate?

Well:

This is a "what if" scenario not a real one.
The common names on the certificate would not match so the browser would raise an error
A certificate is a public document anyway.
Switching the certificate would not change the encryption level
If the server was comprimised swapping SSL certificates would not be the method used to harvest details. A simple include($remote_file); would be much more effective.

MarkR

bokehman wrote:
Well:

The common names on the certificate would not match so the browser would raise an error

No, because for $16, Godaddy can't afford to tell the difference between a phisher and an upstanding member of society.

16USD is not enough to do even the most CURSORY checks that the applicant actually owns the domain etc, hasn't forged their details etc.

[*]A certificate is a public document anyway.

But the phisher would have their own private key.

[*]If the server was comprimised swapping SSL certificates would not be the method used to harvest details. A simple include($remote_file); would be much more effective.

True, if the server was compromised, the SSL certificate would be compromised too (and should be revoked by the provider as soon as they find out).

Mark

bokehman

I don't see how any of that is connected to the origial question.

Weedpacket

Well you brought it up.