[UPHPU] Is https enough?
Lamont Peterson
peregrine at openbrainstem.net
Wed Jun 13 09:05:43 MDT 2007
On Wednesday 13 June 2007 01:35am, Brandon Stout wrote:
> Orson Jones wrote:
> > https is perfectly fine. The thing that worries, is what happens after it
> > hits the server. (is it stored in an unencrypted format, is it stored
> > longer than necessary, is it transmitted elsewhere securely? etc.)
> >
> > Orson
>
> I agree. However, if encrypted properly in the database, is there a
> "longer than necessary"? Once on their server, perhaps it's less secure
> to have to request the card number again than to keep the number
> encrypted on the server.
Remember, there is no such thing as being secure. It's all just trade-offs
and risk management. So, for each application, one has to decide if the
trade-offs are better one way or the other. It might well be better for one
application to keep the encrypted card numbers in the DB but not worth it for
another to have to deal with those encryption keys.
--
Lamont Peterson <peregrine at OpenBrainstem.net>
Founder [ http://blog.OpenBrainstem.net/peregrine/ ]
GPG Key fingerprint: 0E35 93C5 4249 49F0 EC7B 4DDD BE46 4732 6460 CCB5
___ ____ _ _
/ _ \ _ __ ___ _ __ | __ ) _ __ __ _(_)_ __ ___| |_ ___ _ __ ___
| | | | '_ \ / _ \ '_ \| _ \| '__/ _` | | '_ \/ __| __/ _ \ '_ ` _ \
| |_| | |_) | __/ | | | |_) | | | (_| | | | | \__ \ || __/ | | | | |
\___/| .__/ \___|_| |_|____/|_| \__,_|_|_| |_|___/\__\___|_| |_| |_|
|_| Intelligent Open Source Software Engineering
[ http://www.OpenBrainstem.net/ ]
More information about the UPHPU
mailing list