[ale] cURL/https security question

James P. Kinney III jkinney at localnetsolutions.com
Thu Aug 1 23:40:57 EDT 2002


My understanding of https is that there is a serverkey used to validate
the https server to the client. The client has, by way of the server
certificate, the public key. An agreed upon symmetric encryption key is
then used to encode the data. A symmetric key is fast but not perfect.
Given enough data, a black hat can crack a symmetric key pretty quickly.
So the key has a timeout period that is short. A new one is then used until
it times out.

So is the process that CreditCynic uses OK? It is just as good as the
process used to get the card data to your server. 

Keep in mind, most of the credit card data thieves get it by cracking
the server and collecting the stored and unencrypted card data in bulk.
So don't store the card data. Or store it encrypted with key elsewhere.

Better yet, have the CC data on a separate box with 2 NICs. One NIC
talks only one port, write only to the web server. It collects the
encrypted data. The other port only talks out to the key server through
encrypted line. The key server never stores the data. It only decrypts
for processing then overwrites the temp space and memory.

On Thu, 2002-08-01 at 19:20, jenn at colormaria.com wrote:
> Evaluation of common credit card gateway method needed by those much more
> knowledgeable about security than myself.
> 
> Scenario:
> I use CreditCynic (fake company, obviously) to process credit card
> transactions from my shopping cart.  CreditCynic provides me with a php class
> that basically urlencodes all the pertinent credit card info, and uses
> cURL to send post data over https.  There is no other validation of sender/recipient,
> there isn't any encryption of credit card data using, say, gpg.  Just
> posting the form over https.
> 
> My gut reaction is that this is *bad* but I know it's very commonplace and
> probably the most used method of processing credit cards for smaller
> merchants.
> I know I'm paranoid but I want someone to assist with either why this is
> as bad as I think it is, or why lots of people seem to think it's OK.
> 
> Thanks
> jenn
> 
> 
> 
> ---
> This message has been sent through the ALE general discussion list.
> See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
> sent to listmaster at ale dot org.
-- 
James P. Kinney III   \Changing the mobile computing world/
President and CEO      \          one Linux user         /
Local Net Solutions,LLC \           at a time.          /
770-493-8244             \.___________________________./

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7 
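The thread turns on what "just posting the form over https" actually guarantees: the channel is only as good as the client's check of the gateway's certificate, which is the step the quoted PHP class is described as leaving out. Below is an added example, not the original poster's class or any CreditCynic code, of a cURL post that verifies the gateway's certificate and name and fails closed; the gateway URL, CA bundle path and field names are assumed placeholders.

```php
<?php
// Added example: post urlencoded card fields to a gateway over HTTPS with
// the server certificate actually verified. URL, CA path and field names
// are placeholders, not values from the thread.

const GATEWAY_URL = 'https://gateway.example.invalid/process'; // placeholder
const CA_BUNDLE   = '/etc/ssl/certs/gateway-ca.pem';           // placeholder

function post_to_gateway(array $fields): string
{
    $ch = curl_init(GATEWAY_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields), // urlencoded body
        CURLOPT_RETURNTRANSFER => true,
        // Only https may be used, and no redirect may move the form elsewhere.
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false,
        // Verify the gateway's chain against a CA bundle we control and
        // check that the certificate name matches the host. The weak form
        // of this setup is VERIFYPEER => false / VERIFYHOST => 0, which
        // accepts any certificate and so any server on the path.
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CAINFO         => CA_BUNDLE,
        CURLOPT_TIMEOUT        => 30,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        // A certificate or name mismatch surfaces here: fail closed and
        // never retry with verification turned off.
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("gateway request failed: $err");
    }
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    if ($status !== 200) {
        throw new RuntimeException("gateway returned HTTP $status");
    }
    return $body;
}

// Constructed sample fields for illustration; never log or store them.
$response = post_to_gateway([
    'merchant_id' => 'MERCHANT-PLACEHOLDER',
    'card_number' => '4111111111111111',
    'exp'         => '12/25',
    'amount'      => '19.99',
]);
```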