[SOLVED] payment redirect broken for authorize.net

8 years 5 months ago #146715 by wwildman
Exact PHP version: 5.0.89
Exact CB version: 1.2.3
Exact Joomla version: 1.5.22
Any ACL modification components? No
Any SEF components? No
Move or encrypt configuration.php? No
Upgrade from CB version ?? or fresh install? Fresh install
Migrated from Joomla version ?? or fresh install? Fresh install
What browser is issue present in? All browsers tested

Minimal installation; no third-party items. Just Joomla 1.5.22, CB 1.2.3, and CBSubs 1.0.3. The only CBSubs plugin installed is the one for regulating access to content for registered users. Host is Network Solutions; also using their SSL certificate, which they install. Payment gateway is Authorize.net.

With CBSubs configured to test without SSL (http only), the connection to Authorize.net works fine and test credit card transactions work as expected. When configured to test transactions via SSL (https, but Authorize.net still in test mode), all browsers get hung up trying to switch to https. Firefox reports the following:

"controlpanel.networksolutions.com : server does not support RFC 5746, see CVE-2009-3555" (the explanation is at wiki.mozilla.org/Security:Renegotiation ). The vast majority (>99%) of web providers still haven't upgraded servers to deal with this problem so I can't really blame network solutions for the problem.

This is a known problem but none of the suggestions I have found in the CBSubs forums work.

Keep in mind that this is an absolutely minimal test installation with default settings for the latest versions of Joomla, CB, and CBSubs, and nothing else installed. Obviously plenty of people are running on Network Solutions, and probably a lot of them use Joomla, so there should be a clean solution to this problem.

Can provide more information or access if it will help.

Wesley

Post edited by: krileon, at: 2010/11/23 20:22
8 years 5 months ago #146734 by wwildman
Additional information...

Network Solutions tech support says this about the problem.

"There are several issues that can cause the error you reported. The most common is due to trying to force HTTPS (SSL) server-side. Our SSL proxy doesn't allow server-side variables to detect HTTPS (secure). All server-side coding will always detect HTTP (non-secure), and programs that attempt to redirect non-secure connections (http://) to a secure connection (https://) will result in an infinite loop and a server error after 30 seconds (newer browsers such as Firefox will detect this loop almost immediately and give up before 30 seconds). We cannot change this setting on our servers. ... the security workarounds below are the only ways around this.
1) Assume the connection is secure by making all the links to the sensitive pages https, or
2) use a client-side program (like javascript) to detect if it's secure and redirect if it's not."

Wesley
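The redirect loop the hoster describes above, as an added example in PHP (this is not code from the original post, nor from Joomla or CBSubs). It assumes PHP 7.1 or later, that the hoster's proxy forwards plain HTTP to the web server, and, hypothetically, that the proxy adds an X-Forwarded-Proto header and connects from a fixed address (10.0.0.1 below); the request array, host name and proxy address are all constructed for the example. It shows why a check on `$_SERVER['HTTPS']` never succeeds behind a TLS-terminating proxy, how that turns a "force HTTPS" redirect into a loop, and how trusting the forwarded header only from the proxy's own address avoids both the loop and header spoofing by arbitrary clients:

```php
<?php
// Added example: server-side HTTPS detection behind a TLS-terminating proxy.
// Not part of the original forum post or of Joomla/CBSubs. Requires PHP >= 7.1.

/**
 * Naive check, as most PHP code does it. Behind a TLS-terminating proxy the
 * web server itself only ever speaks plain HTTP, so this is always false there.
 */
function is_https_naive(array $server): bool
{
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

/**
 * Proxy-aware check. X-Forwarded-Proto is honoured only when the TCP peer is
 * one of the trusted proxy addresses; from anyone else the header is ignored,
 * otherwise any client could claim "https" and skip (or force) the redirect.
 */
function is_https_behind_proxy(array $server, array $trustedProxies): bool
{
    if (is_https_naive($server)) {
        return true;
    }
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trustedProxies, true)) {
        return false;
    }
    $proto = strtolower(trim($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
    return $proto === 'https';
}

/**
 * The Location a "force HTTPS" redirect would send, or null when the request
 * already counts as secure. Returning a value instead of calling header()
 * keeps the logic testable. $trustedProxies === null selects the naive check.
 */
function https_redirect_target(array $server, ?array $trustedProxies): ?string
{
    $secure = $trustedProxies === null
        ? is_https_naive($server)
        : is_https_behind_proxy($server, $trustedProxies);
    if ($secure) {
        return null;
    }
    return 'https://' . $server['HTTP_HOST'] . $server['REQUEST_URI'];
}

/**
 * Simulate a browser following the redirects. After each hop the proxy
 * terminates TLS and forwards plain HTTP, so HTTPS stays unset and only the
 * (assumed) X-Forwarded-Proto header changes. Returns the number of redirects
 * until the script is satisfied, capped at $maxHops (the "infinite loop").
 */
function simulate_hops(array $request, ?array $trustedProxies, int $maxHops = 5): int
{
    $hops = 0;
    while ($hops < $maxHops) {
        if (https_redirect_target($request, $trustedProxies) === null) {
            return $hops;
        }
        $hops++;
        $request['HTTPS'] = '';
        $request['HTTP_X_FORWARDED_PROTO'] = 'https';
    }
    return $hops;
}

// Constructed sample request, as the PHP script sees it after the proxy.
$request = [
    'HTTPS'                  => '',
    'REMOTE_ADDR'            => '10.0.0.1',   // assumed proxy address
    'HTTP_HOST'              => 'www.example.com',
    'REQUEST_URI'            => '/index.php?option=com_cbsubs',
    'HTTP_X_FORWARDED_PROTO' => 'http',
];

$naiveHops = simulate_hops($request, null);          // 5: never converges
$awareHops = simulate_hops($request, ['10.0.0.1']);  // 1: one redirect, then secure

// A client spoofing the header from a non-proxy address must not count as secure.
$spoofed = $request;
$spoofed['REMOTE_ADDR'] = '203.0.113.7';
$spoofed['HTTP_X_FORWARDED_PROTO'] = 'https';
$spoofAccepted = is_https_behind_proxy($spoofed, ['10.0.0.1']);  // false

printf("naive redirect hops: %d, proxy-aware hops: %d, spoofed header accepted: %s\n",
    $naiveHops, $awareHops, $spoofAccepted ? 'yes' : 'no');
```

Two caveats. If the proxy sends no forwarded-protocol header at all (the hoster's wording suggests the script gets no signal), there is nothing server-side to key on and the loop is unavoidable, which is why the hoster offers only the two workarounds it lists. And even when the header is present and trusted, the check only reports what the proxy claims: the hop from the proxy to the web server is still plaintext, which is the separate point raised in the reply below about Authorize.net AIM.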
8 years 5 months ago #146809 by beat
wwildman wrote:

Additional information...

Network Solutions tech support says this about the problem.

"There are several issues that can cause the error you reported. The most common is due to trying to force HTTPS (SSL) server-side. Our SSL proxy doesn't allow server-side variables to detect HTTPS (secure). All server-side coding will always detect HTTP (non-secure), and programs that attempt to redirect non-secure connections (http://) to a secure connection (https://) will result in an infinite loop and a server error after 30 seconds (newer browsers such as Firefox will detect this loop almost immediately and give up before 30 seconds). We cannot change this setting on our servers. ... the security workarounds below are the only ways around this.
1) Assume the connection is secure by making all the links to the sensitive pages https, or
2) use a client-side program (like javascript) to detect if it's secure and redirect if it's not."

Wesley


Hi wwildman,

This does not look like a CBSubs issue at all, but a hoster issue... :)

Authorize.net AIM needs to be https all the way to the webserver hosting the site, not only to the proxies of your hoster. Otherwise unencrypted credit-card information will be flowing outside of CBSubs, which is not allowed by PCI DSS compliance.

The two workarounds proposed by your hoster are not PCI DSS compliant and will not be allowed by authorize.net for AIM.

1) Assuming the connection is secure while it IS insecure between the hoster's proxies and the webserver is not PCI DSS compliant.

2) Client-side verification with Javascript puts the control of security in users' (and hackers') hands, instead of keeping it safely encrypted inside CBSubs, which is encrypted and checked at each execution, and which communicates encrypted with the browser and with Authorize.net directly, thus following the highest-standard PCI DSS rules and making it possible for your application to be PCI DSS certified.

Your hoster's security specialists are certainly aware of the above, and you should talk with them about a hosting plan that can be PCI DSS compliant for E-Commerce applications, meaning one that does the https encryption/decryption directly and securely on the server running the PHP script, thus allowing the PHP script to verify that the encryption is really secure. :)

Hope the above helps clarify the hosting issue you have. You can forward the reply to your hoster, and we are happy to clarify the Visa and MasterCard PCI DSS security requirements for E-Commerce.

Beat - Community Builder Team Member

Before posting on forums: Read FAQ thoroughly -- Help us spend more time coding by helping others in this forum, many thanks :)
CB links: Our membership - CBSubs - Templates - Hosting - Forge - Send me a Private Message (PM) only for private/confidential info
8 years 5 months ago #146840 by wwildman
Beat,

Thanks for this. I am in a bind now.

Being new to the world of credit cards and CBSubs, I hunted through all the info on CBSubs prior to purchasing it to determine whether PCI compliance on the host was a requirement and saw this requirement listed nowhere. Apparently I just need already to know that it is a requirement. Seems like it should be listed as a requirement just as the host's PHP version etc. are listed.

In any event, my host (Network Solutions, one of the very largest) does not have PCI compliance on either of the sorts of hosting platforms (shared hosting and virtual private server) that can support a CMS such as Joomla. It does have an e-commerce platform but you have to use their software and they do not support the use of a CMS, and so CBSubs can't work there either. So Network Solutions, as large a hosting service as it is, appears to be incompatible with the requirements of CBSubs. I either have to change hosts (but that is a serious business, and who will support subscription-type CMS websites?) or give up on Joomla and CBSubs.

I feel strongly that what I thought was my very thorough research should have turned up this issue before now. Do you have any advice for what to do next?

Wesley
8 years 5 months ago #146851 by beat
Hi Wesley,

- CBSubs does not have a requirement of being PCI DSS compliant:

E.g. the Paypal and Yellownet PSPs do not have this requirement. That requirement comes from Authorize.net when using the Authorize.net Advanced Integration (AIM).

CBSubs 1.1 will have additional gateways, which do not require PCI DSS compliance.

Even if for Authorize.net AIM the PCI DSS requirement does not come from CBSubs, it is a good point that Authorize.net customers should be made more aware of this requirement. It could also be useful to make customers aware that, apart from Paypal, any other payment solution requires time (between 1 week and 2 months) to be set up at the Payment Service Provider and might require additional prerequisites.

- If you want to be PCI DSS certified, it's not the hoster nor a particular site but your site (and the server on which the site runs) and your company/yourself that need to undergo the certification. Obviously the hoster and CBSubs must be certifiable (CBSubs and JoomlaPolis Business Quality hosting are both certifiable).

As authorize.net requirements are not met by your hoster today, your options obviously are:

- If you are not married to Authorize.net, change PSP. The very shortly upcoming CBSubs 1.1 will give you more options there. :)

- If you are not married to your hoster, simply change hoster. There are plenty of hosters around, but you should go for E-commerce business-class hosting. We do provide business-class hosting as well (see the "Hosting" menu at the top), and obviously meet the Joomla, CB and CBSubs prerequisites, as well as a very high webserver security level.

- Any other payment solution for Authorize.net AIM will still require PCI DSS certification from you, so that won't work around the issue.


EDIT: fixed typo

Post edited by: beat, at: 2010/11/23 10:34

Beat - Community Builder Team Member

8 years 5 months ago #146866 by wwildman
Beat,

Thanks; this is all clear now. I don't know what to do but I do know my choices.

Although these things must seem terribly obvious to you, having everything spelled out like this really helps newbies to the world of e-commerce. I dare say it would really help you make more sales if you could walk people through such basic issues more patiently and clearly somewhere on the pages describing CBSubs.

Thanks again,

Wesley