In article <21EA5C7735EFD1119BBF00104B321D5927DB76@DOGBERT>, "Aiken, Greg" <greg@tradesvc.com> writes:

> I was hoping that someone in the group might be able to provide some insight
> into this problem. I will shortly be deploying a Perl based e-commerce web
> based solution, whereby credit cards will be used to pay for products. My
> purchase app runs on a shared server environment (i.e. multiple web sites &
> developers, sharing the same server).

Hmm, do I smell a euphemism for "UNIX system" here? :-)

> Given that Perl is source code readable, and that anyone on the server could
> theoretically copy & read my programs, how does a Perl programmer securely
> encode/encrypt a sensitive field so that others can't decode/un-encrypt the
> sensitive field?

One of the most important rules of cryptography is to have the security of your system reside in the secrecy of your *password*, rather than your *code*. This doesn't change in compiled code: if the collection of CC #s is big enough, you'll easily find people who go to the trouble of reverse engineering assembly code.

To add to the security woes, if your environment is as open as you describe, you have to take into account the possibility of somebody attaching a debugger to your server in mid-run. With a technique like this, it might even be possible to capture your password if you aren't careful.

I wish I could also offer you constructive advice, but I'm not sufficiently familiar with e-commerce to do that.

Matthias

-- 
Matthias Neeracher <neeri@iis.ee.ethz.ch> http://www.iis.ee.ethz.ch/~neeri
"We have built a lot of security directly into Java to make it virus-proof. And people's concerns about security on the Net tend to be based on age. You talk to people in their twenties and they are much less concerned about it than older generations. Pretty soon it won't worry them at all." -- Scott McNealy, _Sunday Times_ 19Nov95
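An added example, not from the thread and written in Python rather than the Perl the original post is about, of what "security in the secret, not the code" looks like on a shared host: the key lives only in a file the application checks is owner-readable, and the sensitive field is sealed with encrypt-then-MAC under subkeys derived from that file key. The names `load_key`, `seal`, `unseal` and `make_key_file` are assumptions, and the HMAC-SHA256 counter-mode keystream is a standard-library stand-in for a real cipher such as AES-GCM.

```python
import hashlib, hmac, os, secrets, stat, tempfile

def _subkeys(key):
    # Derive separate encryption and MAC keys from the one secret in the file.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode stands in for a real cipher such as AES.
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(-(-length // 32)))
    return b"".join(blocks)[:length]

def load_key(path):
    """Read the secret from a file only its owner may read. Unlike a key
    hard-coded in the (readable) Perl source, this is what the security of the
    stored fields actually rests on, so refuse to run if another account on the
    shared host could read it."""
    st = os.stat(path)
    if st.st_uid != os.getuid() or st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} must be owned by this user and mode 0600")
    with open(path, "rb") as f:
        key = f.read()
    if len(key) < 32:
        raise ValueError("key must be at least 32 bytes")
    return key

def seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Verify the tag before decrypting; a wrong key or an altered blob raises."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def make_key_file(mode=0o600):
    """Constructed helper for the demo: a fresh 32-byte key in a temp dir."""
    path = os.path.join(tempfile.mkdtemp(), "app.key")
    with open(os.open(path, os.O_WRONLY | os.O_CREAT, 0o600), "wb") as f:
        f.write(secrets.token_bytes(32))
    os.chmod(path, mode)  # force the mode regardless of umask
    return path
```

This does nothing against the debugger attachment Matthias mentions: once the key is in the process's memory, anyone running under the same uid can read it, so the application also needs its own account rather than a shared one.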