[UPHPU] Is https enough?
phpninja
phpninja at gmail.com
Mon Jun 11 12:43:51 MDT 2007
HTTPS is there basically to stop someone from sniffing network traffic on
port 80. If someone gets local root on your box they can set up a port
sniffer and see every bit of plaintext that comes across a port. With SSL, if
someone has root on your box and tries to sniff port 443 or whatever port it
is running on, they will see nothing but crypto garbage, and not the credit
card transactions.
Regardless of whether you store a CC or not, if someone has access to your box
without you knowing it and they are sniffing your connection, they can still
get the credit card information on the wire.
-phpninja
On 6/11/07, Victor Villa <vvilla at gmail.com> wrote:
>
> >Is https enough to mostly protect the transmission of credit card data?
>
>
> Very tricky question. Is HTTP enough for CC use? Yes. No doubt in my
> mind.
> https secures the channel that the CC num and details are passed through.
> The REAL security question, is what happens with that CC after it passes
> securely. Is it stored on an exposed database? Is the CC emailed to
> somebody?
>
> That's actually why I don't store CCs. I run the transaction, let the CC
> portal (authorize.net) track the CC and I keep the last 6 digits. Enough
> for our records, not enough to be of value if stolen.
>
> Hope that helps
>
> mj/v