
Ecommerce Forum

    
Is this a secure (SSL) process
Question on SSL process
lleemon
msg:3500915
7:06 pm on Nov 9, 2007 (gmt 0)

I am wondering if the following is a secure SSL process where I can be sure the data is encrypted.

I have a page:
http://www.mydomain.com/PrequalifyForm
-this has the basic stuff but also asks for SSN, CC, DOB, etc...

I then post this page to:
https://sub.domain.domain.com/page.do

I personally don't think the posted data is secure but my co-worker does. Who is right?

Thanks.

[edited by: lorax at 11:41 pm (utc) on Nov. 9, 2007]
[edit reason] delinked example [/edit]

 

ccDan
msg:3501117
10:59 pm on Nov 9, 2007 (gmt 0)

As I understand it, SSL encrypts the data while en route. Once the data is on your server, it is in whatever state it gets saved in. SSL only protects the transmission of the data, not the end result of the data.

Something like:
Browser (User's Data: 12345) -> SSL Transfer (User's Data: %g#nWqgx*8) -> Your Server (User's Data: 12345)

[edited by: ccDan at 10:59 pm (utc) on Nov. 9, 2007]

ByronM
msg:3501178
12:24 am on Nov 10, 2007 (gmt 0)

The simple answer is people should know not to trust a page where the data entry isn't encrypted.

Javascript/ajax or any other persistent code could capture everything in the clear before it's posted over https unless the entire page is in https to begin with.

In fact, with PCI requirements you will get in deep doodoo if you don't encrypt all pages that accept and/or transfer personal information regarding a payment transaction.

rocknbil
msg:3501682
7:39 pm on Nov 10, 2007 (gmt 0)

http://www.mydomain.com/PrequalifyForm
I then post this page to:
https://sub.domain.domain.com/page.do

You would be CORRECT. The form itself is not secure. So it transfers as non-secure data to the secure server. If it is intercepted in transit it's already too late.

A basic rundown: when you have an SSL cert, the browser recognizes the certificate authority and "knows" its public encrypting algorithm. So when it lands on a secure page, it says, OK, encrypt every request sent from this page.

ccDan's post is almost correct. It is vital that a browser knows how to use an SSL's "public key" to encrypt data prior to being sent. Otherwise what would be the point? Any data submitted by a browser could be intercepted and abused. The SSL server maintains the private key to decrypt the data server-side. The inverse is true when a browser requests a page via SSL: the server sends it encrypted and the browser decrypts it into the plain text/html that you see.

When a page is not on a secure server, or the cert is "broken" somehow, any data posted from it is transferred as plain text. So your co-worker is incorrect.

lleemon
msg:3504134
9:37 pm on Nov 13, 2007 (gmt 0)

Is it not true that when connecting to 443 (SSL port) all data transferred to that port is encrypted? Granted, any data coming back to this page is not encrypted/SSL.

Tonearm
msg:3506856
4:15 pm on Nov 16, 2007 (gmt 0)

If an admin page I wrote is in http, but posts to https, the data is secure right?

WW_Watcher
msg:3506886
4:46 pm on Nov 16, 2007 (gmt 0)

Tonearm

If an admin page I wrote is in http, but posts to https, the data is secure right?

If someone was capturing the stream from the person entering the data to the form on an http connection protocol, they would get everything. Both the form and the destination page for storing the data should be https to get the encryption. Edited to add: as stated by ByronM, rocknbil & ccDan (giving credit where credit is due).

Is the file receiving the data protected from being accessed by everyone? Meaning, could I put in the URL to the file and see it? Just because the file is in a directory served up by https does not stop anyone from opening it.

WW_Watcher

[edited by: WW_Watcher at 5:09 pm (utc) on Nov. 16, 2007]
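The point made by ByronM, rocknbil and WW_Watcher above comes down to three checks: does the form's action post over https, was the page that carries the form itself served over https, and does an https page pull in any script over plain http. As an added example (not code from the thread or from any poster), here is a small standard-library Python audit that runs those checks over a page's HTML. The sample page, its field names and the script path are constructed to match lleemon's layout; the regular expression used to spot personal or payment fields is a heuristic chosen for this example and is an assumption, not a standard.

```python
"""Added example: audit a page's forms for the http-page -> https-action pattern.

Flags (a) a form whose action resolves to plain http, (b) a form that asks for
sensitive fields while the page itself was served over http (the case asked
about in this thread: the page, not just its action, must be https), and
(c) scripts pulled over http into an https page (script on the page can read
the fields before they are ever posted).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field names that suggest personal or payment data (heuristic, an assumption
# made for this example; tune the pattern to your own forms).
SENSITIVE_FIELD = re.compile(r"(ssn|social|card|cc[_-]?num|cvv|dob|birth|passw)", re.I)


class _FormCollector(HTMLParser):
    """Collect each form's action and named fields, plus external script URLs."""

    def __init__(self):
        super().__init__()
        self.forms = []      # [{"action": str, "fields": [names]}]
        self.scripts = []    # src attributes of <script> tags
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            if a.get("name"):
                self._current["fields"].append(a["name"])
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_page(page_url, html):
    """Return a list of (code, detail) findings for the page at page_url."""
    page_scheme = urlsplit(page_url).scheme.lower()
    parser = _FormCollector()
    parser.feed(html)
    findings = []

    for form in parser.forms:
        # An empty or relative action inherits the page's own scheme.
        action_url = urljoin(page_url, form["action"])
        action_scheme = urlsplit(action_url).scheme.lower()
        sensitive = [f for f in form["fields"] if SENSITIVE_FIELD.search(f)]

        if action_scheme != "https":
            findings.append(("FORM_POSTS_PLAINTEXT",
                             f"form posts to {action_url}: submitted data travels unencrypted"))
        if page_scheme != "https" and sensitive:
            findings.append(("FORM_PAGE_PLAINTEXT",
                             f"page served over {page_scheme} collects {sensitive}: "
                             "the form itself can be read or altered before submission, "
                             "so an https action alone does not protect it"))

    if page_scheme == "https":
        for src in parser.scripts:
            if urlsplit(urljoin(page_url, src)).scheme.lower() == "http":
                findings.append(("MIXED_CONTENT_SCRIPT",
                                 f"https page loads script over http: {src}"))
    return findings


# Constructed sample: the layout lleemon describes (http page, https action).
SAMPLE_URL = "http://www.mydomain.com/PrequalifyForm"
SAMPLE_HTML = """
<html><body>
<script src="/js/validate.js"></script>
<form method="post" action="https://sub.domain.domain.com/page.do">
  <input name="first_name">
  <input name="ssn">
  <input name="cc_number">
  <input name="dob">
  <input type="submit" value="Prequalify">
</form>
</body></html>
"""

if __name__ == "__main__":
    for code, detail in audit_page(SAMPLE_URL, SAMPLE_HTML):
        print(code, "-", detail)
```

Run against the sample, the audit reports only FORM_PAGE_PLAINTEXT: the action is already https, so the one thing to fix is serving the form page itself over https. Serving the same HTML from an https URL clears every finding, which is the configuration the replies above recommend.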

Tonearm
msg:3508936
4:58 pm on Nov 19, 2007 (gmt 0)

WW_Watcher,

I've actually read the exact opposite, that only the destination page need be in https. What would be involved with "capturing the stream from the person entering the data to the form on an http connection protocol"? Would the capturer have to have access to my system or is being on the Internet enough to pull this off?

ByronM
msg:3513543
1:09 pm on Nov 26, 2007 (gmt 0)

I've actually read the exact opposite, that only the destination page need be in https. What would be involved with "capturing the stream from the person entering the data to the form on an http connection protocol"? Would the capturer have to have access to my system or is being on the Internet enough to pull this off?

Many sites use javascript/ajax for form validation - in doing so the form is consistently transferring information back and forth in the clear unless the form/javascript is invoked via HTTPS.

There is absolutely NO reason to have a non-HTTPS post to an HTTPS page because the transaction isn't secured from the get-go.

Many sites post https for logins so the initial page is in the clear (and no mixed secure/non-secure warnings) but that is about all I would do in such a fashion.

rocknbil
msg:3514236
6:20 am on Nov 27, 2007 (gmt 0)

I've actually read the exact opposite, that only the destination page need be in https.

Can you point to references? This would absolutely have to be wrong.

What would be involved with "capturing the stream from the person entering the data to the form on an http connection protocol"?

One way is an abuse of port scanning. I'm no hacker so I can't explain the specifics. :-)

The entire idea of SSL is to encrypt data coming from your browser to the server, and vice versa.

It is vital that a browser knows how to use an SSL's "public key" to encrypt data prior to being sent. Otherwise what would be the point?

Remember, you are often transmitting data over thousands of miles of wires, even through the air, sometimes through hundreds of computers. Anywhere in between, someone can attach a covert eavesdropping device and log that data into a file. Think about that. :-)

Corey Bryant
msg:3517380
6:09 pm on Nov 30, 2007 (gmt 0)

One thing to consider - does it matter? If the consumer happens to see they are entering personal information on an http form, chances are they might think twice. I know I have found items before on sites and when it gets to the point of wanting my credit card data, the form should be called https (perception).

And some users' browsers might throw a warning as well when posting from non-SSL to SSL. If you can call the page in SSL, do it; it might just save you a few customers.

-Corey
