[Date Prev][Date Next][Thread Prev][Thread Next] [Search] [Date Index] [Thread Index]

Re: [MacPerl] Safely Storing a Credit Card Number using Perl? - off topic

To: mac-perl@iis.ee.ethz.ch
Subject: Re: [MacPerl] Safely Storing a Credit Card Number using Perl? - off topic
From: Matthias Neeracher <neeri@iis.ee.ethz.ch>
Date: 02 Feb 1999 20:37:20 +0100
In-Reply-To: "Aiken, Greg"'s message of "Tue, 2 Feb 1999 08:15:31 -0800"
References: <21EA5C7735EFD1119BBF00104B321D5927DB76@DOGBERT>

In article <21EA5C7735EFD1119BBF00104B321D5927DB76@DOGBERT>, "Aiken, Greg" <greg@tradesvc.com> writes:
> I was hoping that someone in the group might be able to provide some insight
> into this problem.  I will shortly be deploying a Perl based e-commerce web
> based solution, whereby credit cards will be used to pay for products.  My
> purchase app runs on a shared server environment (ie; multiple web sites &
> developers, sharing same server).

Hmm, do I smell an euphemism for "UNIX system" here ? :-)

> Given that Perl is source code readable, and that anyone on the server could
> theoretically copy & read my programs, how does a Perl programmer securely
> encode/encrypt a sensitive field so that others can't decode/un-encrypt the
> sensitive field?

One of the most important rules of cryptography is to have the security of your
system reside in the secrecy of your *password*, rather your *code*. This
doesn't change in compiled code: If the collection of CC #s is big enough,
you'll easily find people who go to the trouble of reverse engineering assembly
code.

To add to the security woes, if your environment is as open as you describe,
you have to take into account the possibility of somebody attaching a debugger
to your server in mid-run. With a technique like this, it might even be
possible to capture your password if you aren't careful.

I wish I could offer you also constructive advice, but I'm not sufficiently
familiar with e-commerce to do that.

Matthias

-- 
Matthias Neeracher   <neeri@iis.ee.ethz.ch>   http://www.iis.ee.ethz.ch/~neeri
  "We have built a lot of security directly into Java to make it virus-proof.
   And people's concerns about security on the Net tend to be based on age.
   You talk to people in their twenties and they are much less concerned about
   it than older generations. Pretty soon it won't worry them at all."'
                                -- Scott McNealy, _Sunday Times_ 19Nov95

***** Want to unsubscribe from this list?
***** Send mail with body "unsubscribe" to mac-perl-request@iis.ee.ethz.ch

References:
- [MacPerl] Safely Storing a Credit Card Number using Perl? - off topic
  - From: "Aiken, Greg" <greg@tradesvc.com>

Prev by Date: Re: [MacPerl] January Posts
Next by Date: Re: [MacPerl] Mac/MacPerl users but not mac-specific (Vicki rant alert)
Prev by thread: [MacPerl] Safely Storing a Credit Card Number using Perl? - off topic
Next by thread: [MacPerl] Mac OS 7.5.3 is Free
Navigation: Date Index | Thread Index | Search | Other lists at bumppo.net