
Re: [MacPerl] Safely Storing a Credit Card Number using Perl? - off topic



In article <21EA5C7735EFD1119BBF00104B321D5927DB76@DOGBERT>, "Aiken, Greg" <greg@tradesvc.com> writes:
> I was hoping that someone in the group might be able to provide some insight
> into this problem.  I will shortly be deploying a Perl based e-commerce web
> based solution, whereby credit cards will be used to pay for products.  My
> purchase app runs on a shared server environment (ie; multiple web sites &
> developers, sharing same server).

Hmm, do I smell a euphemism for "UNIX system" here ? :-)

> Given that Perl is source code readable, and that anyone on the server could
> theoretically copy & read my programs, how does a Perl programmer securely
> encode/encrypt a sensitive field so that others can't decode/un-encrypt the
> sensitive field?

One of the most important rules of cryptography is to have the security of your
system reside in the secrecy of your *password*, rather than in your *code*. This
doesn't change in compiled code: If the collection of CC #s is big enough,
you'll easily find people who go to the trouble of reverse engineering assembly
code.

To add to the security woes, if your environment is as open as you describe,
you have to take into account the possibility of somebody attaching a debugger
to your server in mid-run. With a technique like this, it might even be
possible to capture your password if you aren't careful.

I wish I could also offer you constructive advice, but I'm not sufficiently
familiar with e-commerce to do that.

Matthias

-- 
Matthias Neeracher   <neeri@iis.ee.ethz.ch>   http://www.iis.ee.ethz.ch/~neeri
  "We have built a lot of security directly into Java to make it virus-proof.
   And people's concerns about security on the Net tend to be based on age.
   You talk to people in their twenties and they are much less concerned about
   it than older generations. Pretty soon it won't worry them at all."
                                -- Scott McNealy, _Sunday Times_ 19Nov95
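The two points in the reply above (assume every co-tenant can read the code, and assume a debugger can be attached to the running process) lead to a design where nothing that lives on the shared host is able to decrypt a card number at all: the script holds only a public key, and the matching private key stays on an offline machine that does the decryption. The following is an added example illustrating that design; it is not code from the thread or from the original poster's application, and it is written in Go rather than Perl for the sake of a self-contained, runnable program. The key size (2048-bit RSA), the RSA-OAEP label string, the PEM handling and the sample card number are all assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
)

// oaepLabel binds a ciphertext to its purpose. It is public, like everything
// else in this file: the only secret in the whole design is the private key,
// and that key is never present on the shared web server.
var oaepLabel = []byte("customer-card-number") // assumed label for this example

// GenerateMerchantKey is run once, on a machine that is NOT the shared host.
// The private half never leaves that machine.
func GenerateMerchantKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048) // assumed key size
}

// PublicKeyPEM serialises the public half for deployment next to the script.
// Anyone may read this file; that is the point.
func PublicKeyPEM(priv *rsa.PrivateKey) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

// LoadPublicKey parses the deployed key file at web-server start-up. It refuses
// anything that is not a public key, so a private key copied onto the shared
// host by mistake is caught immediately instead of sitting there for co-tenants
// (or a debugger attached to the process) to pick up.
func LoadPublicKey(pemBytes []byte) (*rsa.PublicKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	if block.Type != "PUBLIC KEY" {
		return nil, fmt.Errorf("refusing to load PEM block of type %q on the web host", block.Type)
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	pub, ok := key.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("not an RSA public key")
	}
	if pub.N.BitLen() < 2048 {
		return nil, fmt.Errorf("RSA key too small: %d bits", pub.N.BitLen())
	}
	return pub, nil
}

// EncryptCard runs on the shared web server. RSA-OAEP draws fresh randomness
// for every call, so the same card number stored twice yields two different
// ciphertexts and an attacker reading the database cannot spot repeat customers.
func EncryptCard(pub *rsa.PublicKey, pan string) (string, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(pan), oaepLabel)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// DecryptCard runs only on the offline machine that holds the private key.
// It is included here so the round trip can be demonstrated; it should not
// be deployed to the shared host at all.
func DecryptCard(priv *rsa.PrivateKey, ctB64 string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(ctB64)
	if err != nil {
		return "", err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ct, oaepLabel)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	priv, err := GenerateMerchantKey() // offline step
	if err != nil {
		panic(err)
	}
	pubPEM, _ := PublicKeyPEM(priv) // this file is deployed beside the script
	pub, err := LoadPublicKey(pubPEM) // web-server start-up
	if err != nil {
		panic(err)
	}
	// Constructed sample card number for this example, not real data.
	ct, _ := EncryptCard(pub, "4111111111111111")
	fmt.Println("stored in database:", ct)
	pan, _ := DecryptCard(priv, ct) // offline step, never on the shared host
	fmt.Println("recovered offline:", pan)
}
```

With this split, reading the script, copying the public key file, or dumping the running process's memory all yield the same thing the attacker could already have: the public key. The residual risk on the shared host is the window between the customer submitting the number and EncryptCard finishing, which is why the encryption should happen as the very first thing the request handler does and the plaintext should never be logged or written to a temporary file.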
