开发者

SSL, EV SSL, And URL Rewriting

开发者 https://www.devze.com 2022-12-25 03:27 出处:网络
We extensively use a third party app that we\'ll call thirdparty.com. thirdparty.com and mysite.com have a common navigation and look and feel, so to the u开发者_如何学运维sers, they think they are al

We extensively use a third party app that we'll call thirdparty.com. thirdparty.com and mysite.com have a common navigation and look and feel, so to the u开发者_如何学运维sers, they think they are always on mysite.com.

What we're going to do is start url rewriting 3rd.mysite.com to display thirdparty.com, to make it look even more like a seamless experience. This also gives us access to thirdparty.com's cookie, because it will be written as mysite.com.

thirdparty.com has an SSL cert that they use for a few select transactions (basically just login). When you call https://3rd.mysite.com/login, you get a 404 as mysite.com does not have SSL. So we're going to install an SSL cert to the 3rd.mysite.com subdomain to alleviate this problem.

The question is, if we install a EV SSL certificate, will the user see that, or will it relegate to the cert from thirdparty.com? I can think of reasons for this to work both ways, but am looking for a definitive answer. If they see the SSL cert, then there's no sense wasting money on the EVSSL. If they see the EVSSL, I'd think that would be a big opening for phishing if someone was doing this illegitimately.

Cheers


If user agents see the site as thirdparty.com they are going to require an https certificate for thirdparty.com. So if that's an EV cert, then they are indeed going to see the green glow. Of course, you will want to make sure any communications between thirdparty.com and mysite.com should be appropriately secure.

(BTW: rfc2606 for example domain names.)

Disclaimer: I'm not really competent to answer this question, but this is stackoverflow.

0

精彩评论

暂无评论...
验证码 换一张
取 消