Netscape Security Question

         

kevinj

2:42 am on Aug 29, 2002 (gmt 0)


I have set up a Verisign certificate on my site's server and have created an https page that contains a form. I fill out the form and submit it to an https confirmation page. If the information is correct, the user will click the submit button to process the transaction. For some reason I am getting this warning from Netscape Browsers when I hit the submit button on the https confirm page:

Warning! Although this document is secure, the information you have submitted is insecure and could be observed by a third party while in transit. If you are submitting passwords, credit card numbers, or other information you would like to keep private, it would be safer for you to cancel the submission.

Does anyone have any idea why this alert box pops up on a page that has an https url?

Thanks.

Grumpus

11:58 am on Aug 29, 2002 (gmt 0)


Are you sending the information to e-mail?

G.

kevinj

12:37 pm on Aug 29, 2002 (gmt 0)


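No, I'm not sending it to email. The information is being sent to an ASP page that creates a secure socket connection with the credit card processor using the following code:

' Create the HTTP client object used for the server-to-server request
Set xmlhttp = Server.CreateObject("Microsoft.XMLHTTP")

' Synchronous POST (third argument False); the transaction fields travel in the query string
xmlhttp.open "POST", "https://secure.authorize.net/gateway/transact.dll?" & postdata, False
xmlhttp.send ""

' HTTP status code and response body returned by the gateway
strStatus = xmlhttp.Status
strRetVal = xmlhttp.responseText

Set xmlhttp = Nothing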

Grumpus

1:37 pm on Aug 29, 2002 (gmt 0)


Is the original form that they are submitting on YOUR server? You can't jump secure servers during processing as there's no real secure tunnel between the two. You need to stay on the same certificate throughout the transaction. Check with Authorize.net on this, they'll tell you what to do.

G.

kevinj

1:55 pm on Aug 29, 2002 (gmt 0)


Yes, the original form is on my server on a secure page and so is the confirmation page. The connection to the transact server on Authorize.net is done with the code above. This is the way Authorize.net specifies the connection. I don't get the message on IE browsers, just on Netscapes.
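
Added example, not part of the thread or of any poster's code: the warning quoted in the first post is about a form on a secure page whose submission does not travel over HTTPS, so one way to audit a page is to resolve every form action the way a browser would and list the ones that leave HTTPS (including mailto: targets and relative actions redirected by a non-HTTPS base tag). The URLs, file names and sample markup below are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Record the first <base href> and the (method, action) of every <form>."""

    def __init__(self):
        super().__init__()
        self.base_href = None
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href") and self.base_href is None:
            self.base_href = a["href"]
        elif tag == "form":
            method = (a.get("method") or "get").lower()
            self.forms.append((method, (a.get("action") or "").strip()))


def insecure_form_targets(page_url, html):
    """Return [(method, resolved_target, scheme)] for forms not submitted over HTTPS."""
    parser = FormCollector()
    parser.feed(html)
    parser.close()
    # Relative actions resolve against <base href> when present, else the page URL.
    base = urljoin(page_url, parser.base_href) if parser.base_href else page_url
    findings = []
    for method, action in parser.forms:
        # An empty action submits back to the page's own URL.
        target = urljoin(base, action) if action else page_url
        scheme = urlsplit(target).scheme.lower()
        if scheme != "https":
            findings.append((method, target, scheme))
    return findings


# Constructed sample: a confirmation page served over HTTPS.
SAMPLE_PAGE_URL = "https://shop.example/checkout/confirm.asp"
SAMPLE_HTML = """
<html><head><base href="http://shop.example/checkout/"></head><body>
<form method="post" action="process.asp"></form>
<form method="post" action="https://shop.example/checkout/process.asp"></form>
<form method="post" action="mailto:orders@shop.example"></form>
<form method="post" action=""></form>
</body></html>
"""

if __name__ == "__main__":
    for method, target, scheme in insecure_form_targets(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{method.upper()} form submits over {scheme}: {target}")
```

The check reads only the markup delivered to the browser; it does not follow redirects issued by the receiving page, and server-to-server calls are outside what it inspects.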