[thelist] SSL Question

Shawn K. Quinn skquinn at speakeasy.net
Mon Apr 18 04:36:03 CDT 2005


On Sun, 2005-04-17 at 05:34 -0400, Hershel Robinson wrote:
> A client of mine wants to accept credit card donations via a third party site.
> The third party is a partner site and has put on their site a donation page
> from our site, so it looks exactly like our site. The partner site has SSL.

Good idea: Using SSL for credit card information.

> My client wants to mask the URL so the user doesn't realize he has left our
> site.

Bad idea: Wanting to hide the URL for no good reason.

> If I use a frameset with one frame and load into that frame the third-party
> page, then of course my page is not SSL. Someone who advises my client
> suggested we could use a 30 dollar "Turbo SSL™ Secure Certificate Domain
> Only Validation" certificate from godaddy. We could install that on our site
> and then have a secure page.
> 
> Anyone see anything wrong with this? It appears to be their low-end product,
> but I presume that will be fine for our needs.

Yes, I see one really big thing wrong with this, and that's trying to be
sneaky about telling the user where he/she is really going. There's no
reason your client would need to buy their own SSL certificate until and
unless they wanted to process the transaction themselves.

And rest assured, if I ever see something like this, I'll make sure my
money does not go to any site using it, whether it's a donation or a
purchase. My reasoning is this: if someone wants to hide which site is
processing the donations on their behalf today, they might well want to
hide how the money is being spent tomorrow.

-- 
Shawn K. Quinn <skquinn at speakeasy.net>


