views: 272
answers: 2

Hello

Imagine a bog-standard Signup page, which captures some user info like Name, Address etc. It has a Buy Now button on it, which transfers to a payment site (WorldPay).

Now, the requirement is that everything should be secure, so that means (and correct me if I'm wrong)

A) I need to get and install an SSL certificate on IIS.

B) I then need to make the Signup page secure (looking at exactly how to do this but if anyone wants to let me know that would be grand!)

So, presuming that the Signup page is now https under one certificate, is there any reason AT ALL that there should be a problem redirecting to WorldPay (which is under SSL but under a different certificate)?

I can't imagine why, I'm not going to be doing this over AJAX or anything (see http://stackoverflow.com/questions/1012777/https-request-via-ajax-from-http-page), but sometimes these things can bite you!

Thanks Duncan

+1  A: 

The only problem that I can foresee is that if you have a direct form POST from https://mysite.com/ to https://payment.net/ your users will most likely see a warning page (FF3.5 shows an "untrusted connection" in a similar scenario - it's there to deter phishing attacks). One possible solution to this would be to submit the mysite.com form to the mysite.com domain, and then have a controller or some such thing there that would redirect the user to payment.net from that. (You want to watch out that you aren't playing loosey-goosey with the user's private information by exposing it on a URL, however.)

My guess is that this question is something that your payment site needs to deal with quite frequently. I'd suggest contacting them to find out if they have specific recommendations for handling SSL, warnings, and so on.

Tim Gilbert
Hmmmm, that's a bit of a surprise to me I have to say. I'd have thought that www.mysite.com was completely secured under one certificate; if I choose to go to www.payment.net, which is under a different domain and certificate, the main thing should be that it's secure... so I didn't think there would be a problem. Will clear it with WorldPay but thanks for the heads up!
Duncan
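The hand-off pattern from this answer (submit the signup form to your own domain, then send the user on to the payment site without putting their details in a URL), written out as an added ASP.NET Web Forms example. This is not code from the question or from WorldPay: the page name, the control names txtName, txtAddress and lblError, the in-memory store and the payment URL are all assumptions, and the real provider URL and field names come from the provider's documentation.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web;
using System.Web.UI;

// Code-behind for a hypothetical Signup.aspx page. Assumes the markup declares
// TextBox controls txtName and txtAddress, a Label lblError, and a Button whose
// Click event is wired to BtnBuyNow_Click.
public partial class Signup : Page
{
    // Placeholder for the payment provider's hosted page (not a real WorldPay URL).
    private const string PaymentPageUrl = "https://payment.example/purchase";

    // Constructed in-memory store standing in for the site's database.
    private static readonly Dictionary<string, SignupRecord> Pending = new Dictionary<string, SignupRecord>();
    private static readonly object PendingLock = new object();

    protected void BtnBuyNow_Click(object sender, EventArgs e)
    {
        // Refuse a form that arrived over plain HTTP: its contents were already exposed in transit.
        if (!Request.IsSecureConnection)
        {
            throw new HttpException(403, "Signup must be submitted over HTTPS.");
        }

        string name = txtName.Text.Trim();
        string address = txtAddress.Text.Trim();
        if (name.Length == 0 || address.Length == 0)
        {
            lblError.Text = "Name and address are required.";
            return;
        }

        // Keep the personal data on our own server and give the payment site only an
        // opaque, unguessable reference, so nothing identifying appears in a URL,
        // a browser history entry, a Referer header or the other site's access logs.
        string reference = NewReference();
        lock (PendingLock)
        {
            Pending[reference] = new SignupRecord(name, address, DateTime.UtcNow);
        }

        Response.Redirect(PaymentPageUrl + "?ref=" + HttpUtility.UrlEncode(reference), true);
    }

    // Looks a pending signup up again by its reference, e.g. when the payment
    // provider reports the result back to your site.
    public static SignupRecord FindPending(string reference)
    {
        lock (PendingLock)
        {
            SignupRecord record;
            return Pending.TryGetValue(reference, out record) ? record : null;
        }
    }

    // 128 bits from the OS cryptographic RNG, rendered as URL-safe lowercase hex.
    private static string NewReference()
    {
        byte[] bytes = new byte[16];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(bytes);
        }
        return BitConverter.ToString(bytes).Replace("-", "").ToLowerInvariant();
    }
}

public class SignupRecord
{
    public string Name { get; private set; }
    public string Address { get; private set; }
    public DateTime CreatedUtc { get; private set; }

    public SignupRecord(string name, string address, DateTime createdUtc)
    {
        Name = name;
        Address = address;
        CreatedUtc = createdUtc;
    }
}
```

The reference token is the only thing that crosses the domain boundary; it is random rather than a sequential id so that one customer cannot guess another's record, and the details themselves stay on your server until the provider tells you the payment succeeded.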
+1  A: 

There shouldn't be a problem with redirecting from one domain to the next using the same protocol (https). However, sometimes virus software can detect this kind of redirection as "phishing", but you should be okay if WorldPay is a trustworthy source. Are you trying to pass user data to WorldPay, or just using WorldPay as your payment engine? I wouldn't start passing any user information through POST/GET vars when switching domains.

The answer to your sign up page is that you need to force https (ideally from code behind) so users can enter their account information with the SSL encryption and see that trusty lock icon ;).

EDIT: CODE EXAMPLE

// Force HTTPS: if this request arrived over plain HTTP, send the browser to the
// same URL under https. UriBuilder keeps the path and query string and, with
// Port = -1, drops any explicit HTTP port so the default HTTPS port is used.
if (!HttpContext.Current.Request.IsSecureConnection)
{
    UriBuilder secureUrl = new UriBuilder(HttpContext.Current.Request.Url) { Scheme = "https", Port = -1 };
    Response.Redirect(secureUrl.Uri.AbsoluteUri);
}

To get your certificate: In your IIS, go to the properties of the website record, click on the security tab, then server certificates. Complete the step by step process until you have a certificate request ready to send to a certificate signing authority (GeoTrust, Verisign etc.). Once you get it back from them, your certificate request can be finished and your https will work.

Also, check that your SSL software is up to date with the latest updates. That should cover the requirements. However, I would contact WorldPay as well just to be sure you are adhering to standards.

Acorn
I want to POST data to the WorldPay domain which I've already captured on my https form (e.g. address)
Duncan
If I want to have only ONE page that is https, do I do this through IIS by right clicking on the page, going to File Security and then selecting Secure Communications, or am I a bit off? Also, on the ensure programmatically bit, I think I'll use this - http://www.codeproject.com/KB/web-security/WebPageSecurity_v2.aspx
Duncan
You still have to set up a certificate to work with your primary domain, so I would just set up the certificate at the website level instead of the individual page. In your page code, depending on what server-side language you are working with, just check the current protocol of the page and if it's not https, change it to https. Or, create an https class that you can extend to your page on demand. Are you working with asp.net?
Acorn
I am working with ASP.NET yes. A 'send me the codez' example would be great, if only because this is something I'm not easily able to google, and I'm sure it would be straightforward! I must be putting in the wrong search terms...
Duncan
Check out the recent edit, but your other solution could work as well.
Acorn
Thanks, much appreciated
Duncan
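The "https class that you can extend to your page on demand" suggested in this answer, as an added example (not code from the answer or from any project): a base Page class that performs the redirect in OnInit, so any page that needs TLS simply inherits from it. The class and method names are assumptions; it also adds one check the inline snippet lacks, refusing non-GET requests that arrive over HTTP rather than redirecting them, because their body has already travelled in the clear and a redirect would drop it anyway.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Hypothetical base class for every page that must only be served over HTTPS.
// Usage in a code-behind: public partial class Signup : SecurePage { ... }
public abstract class SecurePage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        ForceHttps(Context);
    }

    // Redirects a plain-HTTP request to the same path and query on HTTPS.
    // Static so that Global.asax or an HttpModule can reuse it for the whole site.
    public static void ForceHttps(HttpContext context)
    {
        HttpRequest request = context.Request;
        if (request.IsSecureConnection)
        {
            return;
        }

        // Only GET and HEAD can be safely replayed by a redirect. A POST that
        // arrived over HTTP has already exposed its body in transit, so reject it
        // instead of quietly forwarding the user to a page that never saw the data.
        if (request.HttpMethod != "GET" && request.HttpMethod != "HEAD")
        {
            throw new HttpException(403, "This page accepts only HTTPS requests.");
        }

        UriBuilder secure = new UriBuilder(request.Url)
        {
            Scheme = Uri.UriSchemeHttps,
            Port = -1 // drop any explicit HTTP port so the default HTTPS port (443) is used
        };
        context.Response.Redirect(secure.Uri.AbsoluteUri, true);
    }
}
```

Because the redirect happens in OnInit, it runs before any control event handlers, so a page inheriting SecurePage never processes form input over HTTP. Once the certificate is installed at the website level, as suggested above, the same class can be applied to every page that handles account data rather than just the signup page.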