[ale] cURL/https security question

jenn at colormaria.com jenn at colormaria.com
Thu Aug 1 19:20:08 EDT 2002


Evaluation of common credit card gateway method needed by those much more
knowledgeable about security than myself.

Scenario:
I use CreditCynic (fake company, obviously) to process credit card
transactions from my shopping cart.  CreditCynic provides me with a php class
that basically urlencodes all the pertinent credit card info, and uses
cURL to send post data over https.  There is no other validation of sender/recipient,
there isn't any encryption of credit card data using, say, gpg.  Just
posting the form over https.

My gut reaction is that this is *bad* but I know it's very commonplace and
probably the most used method of processing credit cards for smaller
merchants.
I know I'm paranoid but I want someone to assist with either why this is
as bad as I think it is, or why lots of people seem to think it's OK.

Thanks
jenn
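
The scenario in the message above (urlencoded card fields POSTed with cURL over https), written out as an added example that is not part of the original post and is not the gateway's class. It shows where recipient validation lives in such a client: the two certificate-verification options, plus an optional public-key pin. The function names, the URL, the field names and the card data are hypothetical, constructed for illustration.

```php
<?php
// Added example with hypothetical names; not the gateway vendor's class.

function build_gateway_request(string $url, array $fields, ?string $pin = null)
{
    // Refuse anything but https so card data is never sent in cleartext.
    if (strtolower((string) parse_url($url, PHP_URL_SCHEME)) !== 'https') {
        throw new InvalidArgumentException('gateway URL must use https');
    }
    $ch = curl_init($url);
    $opts = [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields), // urlencoded body
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // no fallback to plain http
        CURLOPT_FOLLOWLOCATION => false,           // never re-post card data elsewhere
        // These two authenticate the recipient: the certificate must chain to
        // a trusted CA and must match the host name. With false / 0 the
        // channel is still encrypted, but the peer is unverified.
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CONNECTTIMEOUT => 10,
    ];
    if ($pin !== null) {
        // Optional extra check: pin the gateway's public key ("sha256//<base64>").
        $opts[CURLOPT_PINNEDPUBLICKEY] = $pin;
    }
    curl_setopt_array($ch, $opts);
    return $ch;
}

function send_gateway_request($ch): string
{
    $body = curl_exec($ch);
    if ($body === false) {
        // Fail closed: a TLS or network error is never treated as an approval.
        throw new RuntimeException('gateway request failed: ' . curl_error($ch));
    }
    return $body;
}

// Constructed sample input: placeholder host and a standard test card number.
$fields = ['card_number' => '4111111111111111', 'exp' => '12/30', 'amount' => '19.95'];
try {
    $ch = build_gateway_request('https://gateway.example.invalid/charge', $fields);
    echo send_gateway_request($ch), "\n";
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n"; // the placeholder host does not resolve
}
```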


