使用不同的证书从一个 https 页面移动到另一个页面
想象一个沼泽标准的注册页面,它捕获一些用户信息,如姓名、地址等。 它上面有一个“立即购买”按钮,可以转移到支付网站(WorldPay)。
现在,要求一切都应该是安全的,这意味着(如果我错了,请纠正我)
A) 我需要在 IIS 上获取并安装 SSL 证书。
B) 然后我需要确保注册页面的安全(看看到底如何做到这一点,但如果有人想让我知道那就太棒了!)
所以,假设注册页面现在是在一个证书下的 https,是否有任何到底有什么原因导致重定向到 WorldPay(在 SSL 下但在不同的证书下)应该出现问题?
我无法想象为什么,我不会通过 AJAX 或任何其他方式执行此操作(请参阅 从 HTTP 页面通过 AJAX 进行 HTTPS 请求),但有时这些东西可能会咬你!
谢谢 邓肯
Imagine a bog-standard Signup page, which captures some user info like Name, Address etc.
It has a Buy Now button on it, which transfers to a payment site (WorldPay).
Now, the requirement is that everything should be secure, so that means (and correct me if I'm wrong)
A) I need to get and install an SSL certificate on IIS.
B) I then need to make the Signup page secure (looking at exactly how to do this but if anyone wants to let me know that would be grand!)
So, presuming that the Signup page is now https under one certificate, is there any reason AT ALL that there should be a problem redirecting to WorldPay (which is under SSL but under a different certificate) ?
I can't imagine why, I'm not going to be doing this over AJAX or anything (see HTTPS request via AJAX from HTTP page), but sometimes these things can bite you!
Thanks
Duncan
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
我可以预见的唯一问题是,如果您有来自 https://mysite.com/ 的直接表单 POST到 https:// payment.net/ 您的用户很可能会看到一个警告页面(FF3.5 显示“类似场景中的“不受信任的连接” - 它是为了阻止网络钓鱼攻击)。 一种可能的解决方案是将 mysite.com 表单提交到 mysite.com 域,然后在那里设置一个控制器或类似的东西,将用户重定向到 payment.net。 (但是,您要注意,不要通过在 URL 上公开用户的私人信息来随意处理该信息。)
我的猜测是,您的支付网站需要经常处理这个问题。 我建议联系他们,了解他们是否有处理 SSL、警告等的具体建议。
The only problem that I can forsee is that if you have a direct form POST from https://mysite.com/ to https://payment.net/ your users will most likely see a warning page (FF3.5 shows an "untrusted connection" in a similar scenario - it's there to deter phishing attacks). One possible solution to this would be to submit the mysite.com form to the mysite.com domain, and then have a controller or some such thing there that would redirect the user to payment.net from that. (You want to watch out that you aren't playing loosey-goosey with the user's private information by exposing it on a URL, however.)
My guess is that this question is something that your payment site needs to deal with quite frequently. I'd suggest contacting them to find out if they have specific recommendations for handling SSL, warnings, and so on.
使用相同的协议 (https) 从一个域重定向到下一个域应该不会有问题。 然而,有时病毒软件会将这种重定向检测为“网络钓鱼”,但如果 WorldPay 是值得信赖的来源,那么您应该没问题。 您是否正在尝试将用户数据传递给 WorldPay,或者只是使用 WorldPay 作为您的支付引擎? 切换域时,我不会开始通过 POST/GET 变量传递任何用户信息。
注册页面的答案是,您需要强制使用 https(最好是从代码隐藏),以便用户可以使用 SSL 加密输入其帐户信息并看到可靠的锁定图标;)。
编辑:代码示例
要获取证书:在 IIS 中,转到网站记录的属性,单击安全选项卡,然后单击服务器证书。 完成逐步过程,直到准备好证书请求发送给证书签名机构(GeoTrust、Verisign 等)。一旦您从他们那里取回证书请求,您的证书请求就可以完成,您的 https 也将正常工作。
另外,请检查您的 SSL 软件是否已更新。 这应该满足要求。 不过,我也会联系 WorldPay,以确保您遵守标准。
There shouldn't be a problem with redirecting from one domain to the next using the same protocal (https). However, sometimes virus software can detect this kind of redirection as "phishing", but you should be okay if WorldPay is a trustworthy source. Are you trying to pass user data to WorldPay, or just using WorldPay as your payment engine? I wouldn't start passing any user information through POST/GET vars when switching domains.
The answer to your sign up page is that you need to force https (ideally from code behind) so users can enter their account information with the SSL encryption and see that trusty lock icon ;).
EDIT: CODE EXAMPLE
To get your certificate: In your IIS, go to your properties of the website record, click on the security tab, then server certificates. Complete the step by step process until to have a certificate request ready to send to certificate signing authority (GeoTrust, Verisign etc.) Once you get it back from them, your certificate request can be finished and your https will work.
Also, check that your SSL software is up to date with the latest updates. That should cover the requirements. However, I would contact WorldPay as well just to be sure you are adhering to standards.