[ale] cURL/https security question

Jerry Z. Yu z.yu at voicecom.com
Fri Aug 2 10:30:07 EDT 2002


	You are absolutely right; I'd feel much more comfortable if both 
parties authenticated themselves before the transaction.
	If so desired, https can be configured to use a client 
certificate to authenticate the client ("the smaller merchant", the sender), 
as a protection for the CC processing gateway.  A server certificate, as 
most commonly used, is the method to authenticate the server itself, 
aka the CC gateway, the recipient in this case.
	https tunnels plain text through an encrypted SSL channel. If security is 
your foremost concern, you can of course add PGP/GnuPG to the picture, 
so you'd have encrypted data in an encrypted tunnel. As PGP is PKI-based 
too, a digital signature can be made on the content, to further 
authenticate yourself (your data) to the server, for the protection of both 
parties.
	
As for "why lots of people think it is OK", they either don't know 
better, or try to avoid the maintenance hassle [read: cost $$] on 
either end.
	


On Thu, 1 Aug 2002 jenn at colormaria.com wrote:

#Evaluation of common credit card gateway method needed by those much more
#knowledgeable about security than myself.
#
#Scenario:
#I use CreditCynic (fake company, obviously) to process credit card
#transactions from my shopping cart.  CreditCynic provides me with a php class
#that basically urlencodes all the pertinent credit card info, and uses
#cURL to send post data over https.  There is no other validation of sender/recipient,
#there isn't any encryption of credit card data using, say, gpg.  Just
#posting the form over https.
#
#My gut reaction is that this is *bad* but I know it's very commonplace and
#probably the most used method of processing credit cards for smaller
#merchants.
#I know I'm paranoid but I want someone to assist with either why this is
#as bad as I think it is, or why lots of people seem to think it's OK.
#
#Thanks
#jenn
#
#
#
#---
#This message has been sent through the ALE general discussion list.
#See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
#sent to listmaster at ale dot org.
#

Jerry Z. Yu					+1-404-487-8544 (O)
systems engineer				z.yu at voicecom.com
is support, voicecom, llc			www.voicecom.com


---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.
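The two layers Jerry describes (server certificate verification plus a client certificate for the merchant, and PGP signing/encryption of the card data inside the tunnel) can both be expressed with the same PHP cURL extension jenn's gateway class uses. The following is an added example for this thread, not code from the thread, from the fictional CreditCynic class, or from any gateway vendor. The gateway URL, certificate and key file paths, key fingerprints and the test card number are placeholders, and the PGP part assumes the PECL gnupg extension is installed with the relevant keys already in the keyring.

```php
<?php
// Added example (not from the thread or any gateway vendor).
// Posts a URL-encoded payment form over HTTPS with PHP's cURL extension,
// verifying the gateway's server certificate and presenting a merchant
// client certificate so the gateway can authenticate the sender too.
// All URLs, file paths and key fingerprints are placeholders.

function gateway_post(string $url, array $fields, array $opts = []): array
{
    $ch = curl_init($url);
    if ($ch === false) {
        throw new RuntimeException('curl_init failed');
    }

    $body = http_build_query($fields); // urlencoded form, as in the original class

    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $body,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 30,

        // Server authentication: reject any certificate that does not chain to
        // the CA bundle, and require the certificate name to match the host in
        // $url. The weak form of this request (VERIFYPEER=false, VERIFYHOST=0)
        // accepts any certificate, so an interposed party could pose as the gateway.
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CAINFO         => $opts['ca_bundle'] ?? '/etc/ssl/certs/ca-certificates.crt', // placeholder path
    ]);

    // Client authentication (mutual TLS): present the merchant's certificate and
    // private key. The gateway side must be configured to require and verify it.
    if (isset($opts['client_cert'], $opts['client_key'])) {
        curl_setopt($ch, CURLOPT_SSLCERT, $opts['client_cert']); // PEM certificate, placeholder path
        curl_setopt($ch, CURLOPT_SSLKEY,  $opts['client_key']);  // PEM private key, placeholder path
        if (isset($opts['client_key_pass'])) {
            curl_setopt($ch, CURLOPT_SSLKEYPASSWD, $opts['client_key_pass']);
        }
    }

    $response = curl_exec($ch);
    $errno    = curl_errno($ch);
    $error    = curl_error($ch);
    $status   = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    // A failed certificate check surfaces as a cURL error, not as an HTTP status;
    // treat any transport error as "transaction was not sent".
    if ($errno !== 0) {
        throw new RuntimeException("TLS/transport failure ($errno): $error");
    }
    return ['status' => $status, 'body' => $response];
}

// Second layer from the reply: sign and encrypt the card data with GnuPG before
// it enters the tunnel. Requires the PECL gnupg extension; the keyring must hold
// the gateway's public key and the merchant's signing key (fingerprints are placeholders).
function pgp_sign_encrypt(string $plaintext, string $gatewayFpr, string $merchantFpr, string $passphrase): string
{
    $gpg = gnupg_init();
    gnupg_addencryptkey($gpg, $gatewayFpr);            // only the gateway can decrypt
    gnupg_addsignkey($gpg, $merchantFpr, $passphrase); // the signature proves who sent it
    $armored = gnupg_encryptsign($gpg, $plaintext);
    if ($armored === false) {
        throw new RuntimeException('GnuPG sign/encrypt failed: ' . gnupg_geterror($gpg));
    }
    return $armored;
}

// Usage with constructed test data (4111... is a standard test card number).
$card = ['merchant_id' => 'MERCHANT-PLACEHOLDER', 'amount' => '19.99',
         'card' => '4111111111111111', 'exp' => '0803'];
$blob = pgp_sign_encrypt(http_build_query($card),
                         'GATEWAY-FPR-PLACEHOLDER', 'MERCHANT-FPR-PLACEHOLDER',
                         getenv('MERCHANT_KEY_PASS') ?: '');
$result = gateway_post('https://gateway.example/process',
                       ['merchant_id' => 'MERCHANT-PLACEHOLDER', 'payload' => $blob],
                       ['ca_bundle'   => '/etc/ssl/certs/ca-certificates.crt',
                        'client_cert' => '/etc/merchant/client.pem',
                        'client_key'  => '/etc/merchant/client.key']);
echo $result['status'], "\n";
```

With the PGP layer the gateway sees only an armored blob it alone can decrypt, and the signature ties the transaction to the merchant's key even if the TLS client certificate were later dropped; with verification switched off (the weak form noted in the comments) neither party has actually authenticated the other, which is the gap the original question is about.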