Solved

Email Security

Posted on 1997-06-27
157 Views
Last Modified: 2013-12-25
I am in the process of setting up online ordering. I have a user submit credit card information for orders over the web through a secure server connection. I have been told that I can then mail it to myself as long as it is not being sent to/through another mail server. Is this accurate, or do I have to go about retrieving the information from the web server another way? If so, how would I do it? Thanks.
Question by:tluxon
1 Comment
Accepted Solution

by:
mkornell earned 50 total points
ID: 1828611
The basic idea is that you don't want to have a credit card number going over any sort of network transmission (including the Internet) w/o being encrypted.

Having the user submit the cc# via a secure connection is fine, as the communication between his browser and the web server is encrypted.

However, if you then go and email a message to yourself containing the cc#, without encryption, what's the point of using a secure web server?  Someone snooping your network packets could pick up that version of the cc# just as easily as snooping on an unsecure web transaction.

You could have the web server email a message to an account on the same server, in which case it may not go off that machine.  No network packets to snoop on there, right?  Well... maybe.  Depends on the server's mail setup.  Some sites are set up to have all sent mail go to a central mail server for delivery, even if the destination machine is the same as the originating machine.  Bingo - network transmission of that sacred cc#.

You can encrypt them and email them, no problem, using something like PGP.  (You also could use DES, but that's probably not strong enough anymore.)

You could write the orders to a file on the web server, then go get them every so often.  But how are you going to do that?  FTP the file?  Oops.  You just put plaintext cc#s over the wire. Bummer.

Maybe telnet to the machine, read the file and copy the orders down by hand? Bzzzt. You lose. Telnet's over the network, too.

The basic problem is that if you want to keep those cc#s really secure, you can't ever, _ever_ have that information go from one computer (over a network) to another w/o encrypting the communication.  Somebody could be listening.  It might not be at the point where the user sends his or her #, but somewhere down the processing line, too.

So, how are you going to do it?  That really depends on what you do to process the orders, and how the cc# information must flow.  Encrypted email is not a bad way to move things around; you can also move around encrypted files (say, via FTP) w/o security problems.  (Provided, of course, that: a) the encryption is strong enough. b) you keep your keys in a secure place.)

It is not a bad idea to encrypt the cc#s even when not being transmitted.  Computer systems being as vulnerable as they are, it wouldn't take much for a malevolent hacker to just break into your system and snag a file full of cc#s.  Don't forget to close the back door, too.

Caveat:  I'm no security expert, and I can't give you specific advice on what kind of system you need to install.  If your security needs are complex, please consult with someone who really does know this stuff and can build you a system that is secure.

HTH,
--mark;
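The answer's core rule is that an order record must never leave the web server (by mail, FTP, or a file copy) while the card number is still in plaintext. One defensive check that enforces this at the hand-off point, as an added example that is not part of the original thread: scan the outgoing text for Luhn-valid digit runs and refuse to transmit if one is found. The record format, the hypothetical `safe_to_transmit` gate, and the sample order text are constructed for illustration.

```python
"""Added example (not from the original thread): refuse to hand an order record
to the mailer or to a plain file while it still contains a plaintext card number.
An encrypted (e.g. PGP-armoured) record passes, because it has no such digit run."""
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run (constructed pattern for this example).
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum, which every real card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_plaintext_pans(text: str) -> list:
    """Return every digit run in `text` that looks like a card number and passes Luhn."""
    hits = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def safe_to_transmit(order_text: str) -> bool:
    """Gate to call before mailing, FTPing or writing an order record: True only
    when no plaintext PAN is present (hypothetical helper name)."""
    return not find_plaintext_pans(order_text)


if __name__ == "__main__":
    # Constructed sample using the well-known Visa test number, not a real card.
    order = "Order 42: card 4111 1111 1111 1111 exp 12/99, ref 1234567890123456"
    print(find_plaintext_pans(order))   # only the Luhn-valid run is reported
    print(safe_to_transmit(order))      # False: must be encrypted first
```

The reference number in the sample is 16 digits but fails Luhn, so it is not flagged; only the card number is.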
