[ale] cURL/https security question
Jerry Z. Yu
z.yu at voicecom.com
Fri Aug 2 10:30:07 EDT 2002
You are absolutely right; I'd feel much more comfortable if both
parties authenticated themselves before the transaction.
If so desired, https can be configured to use a client
certificate to authenticate the client ("the smaller merchant", the sender),
as a protection for the CC processing gateway. A server certificate, as
most commonly used, is the method to authenticate the server itself,
i.e. the CC gateway, the recipient in this case.
https tunnels plain text through an encrypted SSL channel. If security is
your foremost concern, you can of course add PGP/GnuPG to the picture,
so you'd have encrypted data in an encrypted tunnel. As PGP is PKI-based
too, a digital signature can be made on the content, to further
authenticate yourself (your data) to the server, for the protection of both
parties.
As for "why lots of people think it is OK", they either don't know
better, or try to avoid the maintenance hassle [read: cost $$] on
either end.
On Thu, 1 Aug 2002 jenn at colormaria.com wrote:
#Evaluation of common credit card gateway method needed by those much more
#knowledgeable about security than myself.
#
#Scenario:
#I use CreditCynic (fake company, obviously) to process credit card
#transactions from my shopping cart. CreditCynic provides me with a php class
#that basically urlencodes all the pertinent credit card info, and uses
#cURL to send post data over https. There is no other validation of sender/recipient,
#there isn't any encryption of credit card data using, say, gpg. Just
#posting the form over https.
#
#My gut reaction is that this is *bad* but I know it's very commonplace and
#probably the most used method of processing credit cards for smaller
#merchants.
#I know I'm paranoid but I want someone to assist with either why this is
#as bad as I think it is, or why lots of people seem to think it's OK.
#
#Thanks
#jenn
Jerry Z. Yu +1-404-487-8544 (O)
systems engineer z.yu at voicecom.com
is support, voicecom, llc www.voicecom.com
---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
sent to listmaster at ale dot org.
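The following is an added example, not part of the thread and not the CreditCynic class jenn describes. It shows, in PHP (the language of that class), what the merchant side of the arrangement Jerry outlines looks like: the card fields urlencoded and POSTed with cURL, the gateway authenticated by its certificate chain and hostname, the merchant authenticated by a client certificate, and an optional inner PGP layer (sign with the merchant's key, encrypt to the gateway's key) using the PECL gnupg extension. The gateway URL, the file paths, the key fingerprints and the card data are all hypothetical, constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not the CreditCynic class from the thread. Every URL, path,
// fingerprint and card field below is hypothetical/constructed for illustration.

/**
 * Urlencode the card fields into an application/x-www-form-urlencoded body.
 * (This is the only part the original class did; never log the result.)
 */
function build_card_body(array $fields): string
{
    return http_build_query($fields, '', '&', PHP_QUERY_RFC3986);
}

/**
 * Optional inner layer from the reply above: sign the body with the merchant's
 * PGP key and encrypt it to the gateway's key, so the gateway can verify the
 * sender and anything that terminates TLS in between sees only ciphertext.
 * Requires the PECL gnupg extension; the fingerprints are hypothetical.
 */
function pgp_sign_and_encrypt(string $body, string $merchantFpr, string $gatewayFpr, string $passphrase = ''): string
{
    $gpg = gnupg_init();
    gnupg_seterrormode($gpg, GNUPG_ERROR_EXCEPTION); // throw instead of returning false
    gnupg_addsignkey($gpg, $merchantFpr, $passphrase);
    gnupg_addencryptkey($gpg, $gatewayFpr);
    return gnupg_encryptsign($gpg, $body);           // ASCII-armored PGP message
}

/**
 * POST the body over TLS with BOTH sides authenticated: the gateway by its
 * certificate chain and hostname, the merchant by a client certificate.
 */
function post_to_gateway(string $url, string $body, string $caBundle, string $clientCert, string $clientKey): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $body,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 30,
        // Server authentication: the chain must validate against the CA bundle
        // we ship, and the certificate name must match the host we dialed.
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CAINFO         => $caBundle,
        // Client authentication: present the certificate issued to this merchant.
        CURLOPT_SSLCERT        => $clientCert,
        CURLOPT_SSLKEY         => $clientKey,
        // Do not negotiate anything below TLS 1.2 (libcurl >= 7.54 treats this as a minimum).
        CURLOPT_SSLVERSION     => CURL_SSLVERSION_TLSv1_2,
    ]);

    $response = curl_exec($ch);
    if ($response === false) {
        $err = curl_error($ch); // includes TLS failures such as an unverifiable peer
        curl_close($ch);
        throw new RuntimeException("gateway request failed: $err");
    }
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($status !== 200) {
        throw new RuntimeException("gateway returned HTTP $status");
    }
    return $response;
}

// Usage with constructed sample data (4111111111111111 is a standard test card number).
$fields = ['merchant_id' => 'M-0001', 'card_number' => '4111111111111111',
           'exp' => '1225', 'amount' => '19.99'];
$body = build_card_body($fields);

// Uncomment to add the inner PGP layer (hypothetical fingerprints); the gateway
// must then expect the armored message in a single 'payload' field.
// $body = http_build_query(['payload' => pgp_sign_and_encrypt($body, 'MERCHANT-KEY-FPR', 'GATEWAY-KEY-FPR')]);

try {
    $reply = post_to_gateway('https://gateway.example.test/process', $body,
        '/etc/ssl/merchant/gateway-ca.pem', '/etc/ssl/merchant/client.pem',
        '/etc/ssl/merchant/client.key');
    echo $reply, PHP_EOL;
} catch (RuntimeException $e) {
    // Fail closed: no retry over a weaker channel.
    fwrite(STDERR, $e->getMessage() . PHP_EOL);
    exit(1);
}
```

Two points worth checking in any gateway-supplied class of the kind jenn describes: whether it sets CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST explicitly (the common snippet habit of setting VERIFYPEER to false lets anyone on the path terminate the "encrypted tunnel"), and whether the gateway will actually reject a connection that presents no client certificate, since a client certificate only authenticates the merchant if the gateway side requires it.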