Shared SSL issue?

Hello, all,

I’m working on a project at home that will, eventually, go live. I contacted the hosting service that I think I’d like to use, to ask a few questions, one of which was whether or not the shared SSL will still trigger an alert in browsers (because the SSL is for the hosting service, not my FQDN.) The response was “Yes, it will still trigger an alert.”

Other than purchasing an SSL cert, is there a way to prevent this? This project is for a NFP organisation, and they don’t have the funds to purchase or maintain their own fully-recognised cert; nor can they afford virtual or private hosting.

V/r,

:slight_smile:

If you use an SSL certificate then it serves two purposes.

  1. It encrypts the data being passed between the browser and the server.
  2. It confirms that the server is the correct one and that you are not sending your details to some other site.

It is for the second of these that it will always pop up an alert if the certificate domain and the actual domain do not match. This is the case regardless of the type of hosting used.

Fortunately there is no way to prevent the alert in this situation as that would negate the main purpose of having a certificate in the first place and allow anyone to set up a spoof site to collect bank account details and clean out people’s bank accounts.
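
The name check described in the post above, as an added example that is not part of the original thread: a simplified Python version of the hostname comparison a browser performs against a certificate's DNS names (wildcard accepted only as the whole leftmost label). The hostnames and the `SHARED_CERT_SANS` list are constructed placeholders, not values from any real host.

```python
# Added illustration: simplified browser-style certificate name check.
# Real browsers also apply the public suffix list and IDN rules; this
# sketch covers only exact names and single-label wildcards.

# Constructed sample: DNS names on a hosting provider's shared certificate.
SHARED_CERT_SANS = ["*.sharedhost.example", "sharedhost.example"]


def name_matches(san: str, hostname: str) -> bool:
    """Compare one certificate DNS name with the hostname in the URL."""
    san_labels = san.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(san_labels) != len(host_labels):
        return False  # a wildcard stands for exactly one label
    if san_labels[0] == "*":
        if len(san_labels) < 3:
            return False  # reject overly broad names such as "*.org"
        return host_labels[0] != "" and san_labels[1:] == host_labels[1:]
    return san_labels == host_labels


def browser_accepts(cert_sans, hostname: str) -> bool:
    """True when at least one name on the certificate covers the hostname."""
    return any(name_matches(san, hostname) for san in cert_sans)


def describe(cert_sans, hostname: str) -> str:
    """Return the outcome a visitor would see for this hostname."""
    if browser_accepts(cert_sans, hostname):
        return f"{hostname}: ok"
    return f"{hostname}: name mismatch (certificate covers {', '.join(cert_sans)})"


if __name__ == "__main__":
    # The customer's own domain served with the shared certificate: alert.
    print(describe(SHARED_CERT_SANS, "www.nfp-example.org"))
    # The host's shared SSL address: covered by the wildcard, no alert.
    print(describe(SHARED_CERT_SANS, "secure123.sharedhost.example"))
```

The mismatch disappears only when the visitor's URL uses a name the certificate lists, or when the site presents a certificate issued for its own domain.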

I kind of thought so… and don’t get me wrong, I do understand the security reason for it. But this does mean that every time someone needs to submit a form (which I always force through TLS/SSL), the user’s browser will indicate that the site may not be who it claims to be, even though it is legitimate.

I’ll pass the news on to the client. Thanks, @felgall.

V/r,

:slight_smile:

If you don’t want the form to have that test performed then you don’t use SSL as that is the primary purpose of SSL. Admittedly then you also lose out on its secondary purpose of encrypting the transmission.

…this means that every time someone needs to submit a form (which I always force through TLS/SSL), the browser will indicate that the site may not be who it claims to be despite being legitimate.

How far along are you with using the host? Options might exist for one of the free SSL CERTs. Have you looked into using these with the host (or one that would allow a free CERT)? It might alleviate some of the usability concerns with the messages being displayed in the browser.

I’m curious about how you’re instigating your form submissions… Are you designating the SSL endpoints in each form’s action value or have you used a server-side approach to reroute to the shared SSL endpoint?

[quote=“Wolf_22, post:5, topic:193391”]
How far along are you with using the host? Options might exist for one of the free SSL CERTs.
[/quote]

I’ve never worked with this particular host, before. But the price is quite nice, so I wanted to give them a shot. CF hosting for US$8 per month. :smile: I’ll have to go back and re-read the specs. I don’t remember a dedicated FREE SSL cert being offered. Just shared SSL. If I can get a free cert elsewhere that won’t trigger the alert, I can do that.

[quote=“Wolf_22, post:5, topic:193391”]
Are you designating the SSL endpoints in each form’s action value or have you used a server-side approach to reroute to the shared SSL endpoint?
[/quote]

Form loads in HTTP, and the action points to HTTPS. Although, considering how things have become, I’ll probably load the form in HTTPS, too, from now on!

V/r,

:slight_smile:
