Jump to content

Recommended Posts

I had no idea where to place this, but spending a few hours on google I could not find a guaranteed answer to the question.

 

If you use Domain Forwarding / Masking on a website that has https://, can that break encryption?

My domain is hosted on GoDaddy, and allows the option for either http:// and https://.  I chose https:// but I don't really know how Domain Forwarding and Masking work.

 

If someone was to submit a credit card number under the masked domain, would the information travel to the mask domain first then be re-routed to the hidden domain?

 

My understanding looks like this!

Me --> www.mask.com --> www.originaldomain.com || www.originaldomain.com --> Me

 

I set my domain up, but if it breaks encryption I do not want to use it.  I do not have an SSL Cert on the domain, but the site it is forwarding to does.

 

Thank you for any replies.  I'd prefer if someone could give me a 100% definite answer with some sort of link to an official statement that verifies this.

Link to comment
https://forums.phpfreaks.com/topic/240367-domain-masking-and-ssl-encryption/
Share on other sites

I appreciate the resources on understanding how SSL / TLS works, but I have still not found any correct answer for this particular question.

 

I know Domain Forwarding works like a 302 or a 301 which just sends the client to the actual page mentioned.  I can still access portions of the page which require url query strings, so it seems like the domain on the other end is still reading as SSL.

 

My question was:  Does this break Encryption?

 

http://www.mask.com will be redirecting people to https://www.original.com and keep the https there as original has a secure cert.

 

I have a brief understanding of how SSL or TLS works, but I have no idea how it works in combination with a mask/forwarded url.

 

I will still be awaiting this answer before I start publishing the masked domain to people instead of the original.

 

The reason I am wanting to know is because the original is https://subdomain.maindomain.com/ and isn't hosted by me.  This is hosted by another company who doesn't want to allow individual people to use their own domains due to the Certificate they have.  They want to make sure that the secure portions of their site is secure, and I don't blame them.

 

I still want to use my own domain, but not if it is going to break encryption.

I'm not really sure I understand the (potential) attack vector you're worried about. Are you saying that requests made to resource A (no SSL) will result in a 301 response redirecting to resource B using SSL? You only have a security issue if the user makes a request with confidential information to resource A.

 

Example 1:

User sends a GET request to http://www.example.com/ and gets redirected to https://www.example.com/. User fills a form that submits via POST to https://www.example.com/login.php. This is no problem. The login credentials are protected by the SSL layer.

 

Example 2:

User sends a POST request to http://www.example.com/login.php with login information, and gets redirected to https://www.example.com/login.php submitting the same data via POST (note that RFC 2616 actually prohibits automatic redirection in this case, but no (or very few) browsers actually honors this). This is a problem, because the first time the information was transmitted, it was unencrypted.

 

If none of those examples describe your scenario, try using a packet sniffer to look at what data is being transmitted when you make the requests.

I never thought about getting a packet sniffer, although I should really consider doing that.

 

I think I just found my answer when I went to look at the source code of the masked domain.  The other page is placed into an iFrame within the mask domain.  I've read a few issues with this, so I do not really want to risk customers inputting credit card information through an iFrame whether it is secure or not, if my website isn't secure either.

 

Thank you for the suggestion of getting a packet sniffer.

 

I figure I wasn't explaining correctly, but you would go to http://www.example.com and be redirected to https://subdomain.someothersite.com, although with Masking it keeps you on http://www.example.com and just puts https://subdomain.someothersite.com in the iFrame.  I knew forwarding was either a 301 or a 302, which would still put you on the https site, but I wasn't 100% sure about how masking worked.

 

But yeah I do not want to risk the iFrame option, which is why I took the site I originally had the iFrame in offline!

  • 8 months later...
Guest
This topic is now closed to further replies.
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.