How safe is this solution?

Posted by bambinou, 10-31-2012, 05:43 PM
Hello, I need some feedback from you please before I (maybe) make a big mistake by joining these people. An affiliate has proposed that I rent cars for holidays on my website; the problem is that the JavaScript code on my site is taking the credit card payment of the customers directly on my page.
1) My page is not https://, but they are telling me that their code is http:// and secure. Would you believe that taking payment on someone else's website is a secure way? For me... not so much.
2) Liability: I believe that if the payment is taken from my website (even with their code and bank accounts), I would still be liable for damages if something goes wrong.
3) I believe that an affiliate should normally give you a kind of widget; then when the customer goes for the purchase, he actually pays on the affiliate's website and not the customer's website. Am I correct?
Please let me know what you think, and if an affiliate could still be very secure even if the payment gateway shows up on your website. Thank you, Ben

Posted by zoid, 10-31-2012, 05:49 PM
In short, stay away from that. In long: if it is not https it is not secure in terms of data transfer. Financial and personal information should never be transferred via such a connection. I just hope there is no "fancy" and "secure" JavaScript encryption coming up at some point. I am not a lawyer, but I would rather tend to say yes. Generally yes. You usually get some identification code which you pass along when the user clicks the link, and then you are not involved anymore.

Posted by bambinou, 10-31-2012, 05:53 PM
Thanks for that. My feelings about this thing were the same as yours :-) Many thanks for taking the time to reply. Ben

Posted by FINESEC, 10-31-2012, 06:22 PM
It's possible to encrypt form data in a secure manner using JavaScript and asymmetric key cryptography, but I doubt that they're doing it correctly. Why wouldn't they use https in the first place?

Posted by bambinou, 10-31-2012, 06:30 PM
Hi FINESEC. They are telling me that the payment from my site to their gateway is https://, but I do find it strange that an affiliate takes credit card payments directly from your site... I have never seen that before. I just emailed them to say I am not going to accept their code. Thanks, Ben

Posted by FINESEC, 10-31-2012, 06:57 PM
It's strange that they would require you to change any code in your site.

Posted by mg-, 10-31-2012, 07:07 PM
Doesn't matter how "secure" someone claims it to be; you have to do it properly in the eyes of both security standards AND customers. A potential customer will notice the lack of EV, then standard SSL, and you will lose a lot more potentials because of that, and you are liable, as SSL brings insurance with it. You have no insurance if you aren't using an SSL cert... not to mention most cheap SSL certs only have coverage of 10k. In a business sense it's better to use a low-end SSL cert than the most amazing JavaScript solution. JS encryption would be acceptable for things like transmitting sales leads, reports, user/passwords etc.: data that is sensitive but not critical on non-SSL sites.

Posted by foobic, 10-31-2012, 09:36 PM
I've seen a few websites (non-SSL) that use JavaScript to POST sensitive information to a secure (SSL) gateway. Are you sure that isn't what they're doing? It's not something I'm comfortable with, because the visitor can only know the submission is secure by examining the source / DOM, or by watching the headers, e.g. using the Firefox Live HTTP Headers plugin (by which time it's too late!). But the information should be transmitted encrypted from the client's browser to the gateway, so technically it's secure, I guess...

Posted by zoid, 11-01-2012, 08:28 AM
Well, technically you don't even need JavaScript. If the action attribute contains an https link it is already secure. But as you mentioned, this can be confusing to the user.
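The situation foobic and zoid describe (an http page whose form posts to an https gateway) can be checked from the page URL and the form's action attribute alone. Below is an added example, not code from anyone in this thread; the function names and the `example.invalid` hosts are assumptions, and it judges only the static action attribute, not an action rewritten by script at submit time.

```javascript
// Added example: classify where a payment form's data goes and whether the
// visitor has any basis to trust that, from the page URL and form action only.
// Hypothetical helper names; hosts under example.invalid are constructed.

// Resolve the action against the page URL the way a browser does: a
// relative or empty action submits back to the page's own origin.
function resolveAction(pageUrl, action) {
  return new URL(action || '', pageUrl);
}

// Verdicts:
//   'secure'          page and submission both over https
//   'transport-only'  submission over https, but the page is served over http,
//                     so the form could be altered in transit and the visitor
//                     cannot see the https target without reading the DOM
//   'plaintext'       card data would travel over http
function assessFormSubmission(pageUrl, action) {
  const page = new URL(pageUrl);
  const target = resolveAction(pageUrl, action);
  if (target.protocol !== 'https:') return 'plaintext';
  return page.protocol === 'https:' ? 'secure' : 'transport-only';
}

// Constructed sample forms, as a site owner might find them on a booking page.
const SAMPLE_FORMS = [
  { page: 'http://shop.example.invalid/book',  action: 'https://gateway.example.invalid/pay' },
  { page: 'http://shop.example.invalid/book',  action: '/pay' },
  { page: 'https://shop.example.invalid/book', action: 'https://gateway.example.invalid/pay' },
];

// Audit a list of forms and attach a verdict to each entry.
function auditForms(forms) {
  return forms.map((f) => ({ ...f, verdict: assessFormSubmission(f.page, f.action) }));
}

for (const r of auditForms(SAMPLE_FORMS)) {
  console.log(r.verdict.padEnd(15), r.page, '->', r.action);
}
```

Only the third sample gets 'secure'; the first is exactly the "technically encrypted but unverifiable" case discussed above.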

Posted by bambinou, 11-01-2012, 11:00 AM
Thank you all for your replies. But even if it was secured, would you not find it strange that an affiliate takes payments from his own customers on your own website?
1) The customer does not know who the affiliate is.
2) No privacy policies nor terms of use on the affiliate widget itself.
3) No brands nor business company name on the widget itself; all done behind the scenes in a weird contract.
I removed myself from this thing anyway; I cannot take the risk of having my customers' details stolen. Customers' details secured & safe first. Thanks, Ben

Posted by alyak, 11-01-2012, 12:19 PM
What is important is NOT where the data is entered, but HOW it is transferred. Possibly they are right. You need to check exactly the way they do this. Let's say there can be a form in