Security problem

[hotdog1983]

Hi, this is a bit complicated (for me at least). I'm noob in security.

 

I'm making a reseller website and on my website there are user Signup and Login links which will redirect the user to my wholesaler's form pages.

 

I can also place the forms on my own website and send the form values over to the wholesaler's php.

 

So basically, I will be just putting up a website and won't be collecting any user information on my database.

 

The issue is, the signup and login forms on the wholesaler's website are not secured. No SSL and no encryption.

 

Is it possible to put my own secure form pages with SSL or encryptions? I want to make my site more trustworthy and I think it's my responsibility to protect customers credentials as well.

 

But my feeling says that if I use SSL or encryptions on my form pages, the values must be decoded before they are sent to the wholesalers php, aren't they?

 

So do I need to set up a server on my hosting to receive the encrypted data, decode them, and transfer them to the wholesaler's website?

 

Is there any way that I can protect my customers from things like eavesdropping when they sign up for my website and I redirect the data to the wholesaler's part without having need to set up my own database? Or is it gonna make no difference because the wholesaler's form pages are not secured?

 

I'm completely lost here.

Geniuses please enlighten me.

[JonnoTheDev]

Simple.

Process the form data on your own server and once validated send it over to the 3rd party script using cURL. i.e

 

1. User lands on https://www.foobar.com/signup.php

2. User completes form and clicks submit

3. Form data is sent to https://www.foobar.com/signup.php

4. Form data is validated

5. If form data validates send POST request to http://www.3rdparty.com/xyz.php containing form data using cURL

 

SSL encrypts data sent from the client web browser to the server receiving the request. Sending data via a request from server A to server B does not use SSL.

[hotdog1983]

Thanks a lot for your help. I've been posting this question around on quite a few

websites and you are the only one who replied. I really appreciate it.

I'm just starting to learn php by the way.

 

Just a few more questions if you don't mind.

My understanding is that after my clients signup from my website.

 

Form data (SSL) -> My server -> Validate -> cURL (Unencrypted) -> www.3rdparty.com/signup.php

And the clients will stay on my website.

Is this correct?

 

- How about the Login process?

  I want my clients to login from my website (SSL enabled) and also have them land on www.3rdparty.com/interface as well. Can I also use cURL in this case?

 

- I shouldn't worry about cURL travelling without encryption from my server to the 3rdparty's server, or should I?

 

 

Thanks again.

[AMcHarg]

You can't send encrypted data to the wholesalers forms and expect their forms to handle the data properly.  Decrypting the data would ultimately defeat the purpose of encrypting it in the first place.

 

Linking to the wholesaler's login forms would be much better for you, rather than trying to make it look like they are logging into the wholesaler on your own site.

 

If your wholesalers are not protecting your customers information then you should decide if you want to use those wholesalers in the first place; do you even trust them?

[JonnoTheDev]

Form data (SSL) -> My server -> Validate -> cURL (Unencrypted) -> www.3rdparty.com/signup.php

And the clients will stay on my website.

Is this correct?

Correct, unless you redirect the user off your website after sending the data to the 3rd party.

 

I want my clients to login from my website (SSL enabled) and also have them land on www.3rdparty.com/interface as well. Can I also use cURL in this case?

cURL is use to make HTTP GET or POST requests, not for user redirection. You would use PHP headers to do this.

 

I shouldn't worry about cURL travelling without encryption from my server to the 3rdparty's server, or should I?

Not really. If the target URL is not https then this is not your concern.

 

[mentalist]

Basically you will need to buy a / some SSL certificates.

[Pikachu2000]

Duplicate topics have been merged into this thread.

[hotdog1983]

Thanks a lot for your help!!