
SSL cert being lost at captcha page
Closed, Resolved (Public)

Description

We're getting reports of missing SSL certs post captcha trigger. Details below:

"Hello, I tried to donate via my MasterCard but when I entered my credit card info a dialog came up saying some information will not be submitted securely and the SSL certificate on the page was lost. The page was then asking me to verify the words but since the SSL certificate was lost I was not comfortable submitting my credit card information again. I value Wikipedia so I will mail a check instead."

"When the page is first loaded, the verification image is not shown, only is shown after clicking the donation button but shows again the form to enter data and deletes my credit card number, security code and valid until, so it makes me angry. I hope you improve the page so the verification number is shown from the very beginning."


Version: unspecified
Severity: enhancement

Details

Reference
bz25916

Event Timeline

bzimport raised the priority of this task from to Medium. Nov 21 2014, 11:19 PM
bzimport set Reference to bz25916.

I have confirmed that there is some SSL issue when a user is presented with a captcha on the credit card form. It appears that communication pulling the captcha interface from reCaptcha is /not/ happening in SSL, which will cause some browser configurations to complain and even to potentially not show non-SSL content.

I've now fully identified the issue. The code currently uses $wgProto to determine whether or not to communicate with reCaptcha in HTTPS or HTTP. Because we are terminating SSL before MediaWiki sees the traffic (on our payments cluster), the protocol is being set to regular HTTP. I am going to add a configurable variable in the DonationInterface to explicitly set whether or not to use HTTPS and update the reCaptcha code to rely on that instead.

This is resolved in r76717 of trunk, will be merging to deploy later today with Kaldari's changes

This was deployed at 11:20am PST on 11/16/2010. Judging by the minfraud logs on the payments cluster, users are seeing captchas and successfully passing them.
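
The root cause described in this task, as an added example that is not the DonationInterface code or the r76717 change: a backend behind a TLS terminator sees plain HTTP, so any third-party URL built from the detected scheme becomes mixed content on an HTTPS page. It goes one step beyond the fix described above by also showing a forwarded-scheme header that is honoured only from a known terminator. The `$useHttps` setting, the `captcha.example` host and the proxy address are hypothetical placeholders.

```php
<?php
// Added example. $useHttps, captcha.example and 10.0.0.5 are assumptions,
// not names or values taken from DonationInterface or reCaptcha.

/** Scheme as the backend sees it; wrong when TLS ends at an upstream proxy. */
function detectedScheme(array $server): string {
    $https = strtolower($server['HTTPS'] ?? '');
    return ($https !== '' && $https !== 'off') ? 'https' : 'http';
}

/**
 * Scheme the visitor's browser is using.
 * An explicit operator setting wins. X-Forwarded-Proto is honoured only when
 * the direct peer is a known terminator, because any client can send it.
 */
function clientScheme(array $server, ?bool $useHttps, array $trustedProxies): string {
    if ($useHttps !== null) {
        return $useHttps ? 'https' : 'http';
    }
    $peer = $server['REMOTE_ADDR'] ?? '';
    $fwd  = strtolower(trim($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
    if (in_array($peer, $trustedProxies, true) && ($fwd === 'https' || $fwd === 'http')) {
        return $fwd;
    }
    return detectedScheme($server);
}

/** Build the third-party script URL with the chosen scheme (placeholder host). */
function captchaScriptUrl(string $scheme): string {
    return $scheme . '://captcha.example/challenge.js';
}

// Constructed request: TLS ended at 10.0.0.5, the backend receives plain HTTP.
$proxies = ['10.0.0.5'];
$viaTerminator = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_PROTO' => 'https'];
// Constructed request: same header, but sent by a peer that is not the terminator.
$direct = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_PROTO' => 'https'];

// Case 1: scheme detection alone, the behaviour reported in this task.
echo captchaScriptUrl(detectedScheme($viaTerminator)), "\n";
// Case 2: explicit setting, the approach chosen in the fix.
echo captchaScriptUrl(clientScheme($viaTerminator, true, $proxies)), "\n";
// Case 3: no explicit setting, header accepted from the trusted terminator.
echo captchaScriptUrl(clientScheme($viaTerminator, null, $proxies)), "\n";
// Case 4: header from an untrusted peer is ignored; detection is used instead.
echo captchaScriptUrl(clientScheme($direct, null, $proxies)), "\n";
```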