If I am posting to a secure(https) url from a non-secure website would that be a security risk? Using curl to post data for credit card processing.

No. The SSL connection is at a lower layer than the POST data. i.e. The SSL connection is established before POST data is sent.

My answer relates to sending a form from a client to a server. I don't where you get the idea cURL would be involved in this process.

Yes it would be a security risk, and it also probably violates the policy of the payment service provider.

bokehman: The OP is referring to a server-server https post, NOT via a form from a web browser.

I frequently use non-secure sites to post to a HTTPS site from a payment provider, but only in a development environment, where I don't have live data, nor do I connect over an untrusted network.

Mark

I can't think of any reason why someone thinking of doing e-commerce wouldn't fork out $20 for an SSL certificate.

SSL certificates cost more than $20. Also, there is a cost associated with installing, maintaining them.

Mark

MarkR wrote:

SSL certificates cost more than $20. Also, there is a cost associated with installing, maintaining them.

They start at $16 from GoDaddy.Com and if you are being charged for installation maybe you should think about changig hosts. The only previso is a unique IP for each individual certificate.

bokehman wrote:

They start at $16 from GoDaddy.Com and if you are being charged for installation maybe you should think about changig hosts.

I'm talking about the cost of my own time to set the stuff up. It usually takes me quite a while.

I have no idea what GoDaddy.com offer for $16, but I'm pretty sure it has absolutely no authentication whatsoever in it, I can't see how they can authenticate anybody for $16, even in the USA.

Mark

All their certificates are authenticated before issue, but so what if they were not? They would provide exactly the same level of encryption. And setting up an SSL certificate and key is simply a matter of of putting them in the certificate directory, (normally apache2/conf) and adding another SSL virtual host to ssl.conf. About 60 seconds work in total.

Weedpacket wrote:

But no security.

Since the question was being asked by the webmaster himself I'm sure he knows if he's a villian or not. From my point of view though it looks as if he is trying to protect his clients, and certainly not from himself.

But the question was about security. Besides, it still doesn't help: what if his site is hijacked by a phisher with their own GoDaddy-supplied certificate?

Weedpacket wrote:

what if his site is hijacked by a phisher with their own GoDaddy-supplied certificate?

Well:

1. This is a "what if" scenario not a real one.

2. The common names on the certificate would not match so the browser would raise an error

3. A certificate is a public document anyway.

4. Switching the certificate would not change the encryption level

5. If the server was comprimised swapping SSL certificates would not be the method used to harvest details. A simple include($remote_file); would be much more effective.

bokehman wrote:

Well:

1. The common names on the certificate would not match so the browser would raise an error

No, because for $16, Godaddy can't afford to tell the difference between a phisher and an upstanding member of society.

16USD is not enough to do even the most CURSORY checks that the applicant actually owns the domain etc, hasn't forged their details etc.

[*]A certificate is a public document anyway.

But the phisher would have their own private key.

[*]If the server was comprimised swapping SSL certificates would not be the method used to harvest details. A simple include($remote_file); would be much more effective.

True, if the server was compromised, the SSL certificate would be compromised too (and should be revoked by the provider as soon as they find out).

Mark

I don't see how any of that is connected to the origial question.

Well you brought it up.