Solved

Email Security

Posted on 1997-06-27
Last Modified: 2013-12-25
I am in the process of setting up online ordering. I have a user submit credit card information for orders over the web through a secure server connection. I have been told that I can then mail it to myself as long as it is not being sent to/through another mail server. Is this accurate, or do I have to go about retrieving the information from the web server another way? If so, how would I do it? Thanks.
Question by:tluxon
1 Comment
 

Accepted Solution

by:
mkornell earned 150 total points
ID: 1828611
The basic idea is that you don't want to have a credit card number going over any sort of network transmission (including the Internet) w/o being encrypted.

Having the user submit the cc# via a secure connection is fine, as the communication between his browser and the web server is encrypted.

However, if you then go and email a message to yourself containing the cc#, without encryption, what's the point of using a secure web server?  Someone snooping your network packets could pick up that version of the cc# just as easily as snooping on an unsecure web transaction.

You could have the web server email a message to an account on the same server, in which case it may not go off that machine.  No network packets to snoop on there, right?  Well... maybe.  Depends on the server's mail setup.  Some sites are set up to have all sent mail go to a central mail server for delivery, even if the destination machine is the same as the originating machine.  Bingo - network transmission of that sacred cc#.

You can encrypt them and email them, no problem, using something like PGP.  (You also could use DES, but that's probably not strong enough anymore.)

You could write the orders to a file on the web server, then go get them every so often.  But how are you going to do that?  FTP the file?  Oops.  You just put plaintext cc#s over the wire. Bummer.

Maybe telnet to the machine, read the file and copy the orders down by hand? Bzzzt. You lose. Telnet's over the network, too.

The basic problem is that if you want to keep those cc#s really secure, you can't ever, _ever_ have that information go from one computer (over a network) to another w/o encrypting the communication.  Somebody could be listening.  It might not be at the point where the user sends his or her #, but somewhere down the processing line, too.

So, how are you going to do it?  That really depends on what you do to process the orders, and how the cc# information must flow.  Encrypted email is not a bad way to move things around; you can also move around encrypted files (say, via FTP) w/o security problems.  (Provided, of course, that: a) the encryption is strong enough. b) you keep your keys in a secure place.)

It is not a bad idea to encrypt the cc#s even when not being transmitted.  Computer systems being as vulnerable as they are, it wouldn't take much for a malevolent hacker to just break into your system and snag a file full of cc#s.  Don't forget to close the back door, too.

Caveat:  I'm no security expert, and I can't give you specific advice on what kind of system you need to install.  If your security needs are complex, please consult with someone who really does know this stuff and can build you a system that is secure.

HTH,
--mark;
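
The rule in the answer above (a card number never leaves the machine unencrypted) can be enforced as a pre-send check in the order script. This is an added example, not part of the original answer: the function names and sample bodies are constructed, and the check looks only at PGP armor framing, it does not prove the block is real ciphertext.

```python
import re

# Digit runs, allowing single space/dash separators between digits.
RUN_RE = re.compile(r"\d(?:[ -]?\d)*")
ARMOR_BEGIN = "-----BEGIN PGP MESSAGE-----"
ARMOR_END = "-----END PGP MESSAGE-----"


def luhn_ok(digits):
    """Luhn checksum carried by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def outside_armor(text):
    """Yield the parts of text that are not inside a complete PGP armor block."""
    pos = 0
    while True:
        start = text.find(ARMOR_BEGIN, pos)
        end = text.find(ARMOR_END, start) if start != -1 else -1
        if end == -1:  # no complete armor block left: the rest is plaintext
            yield text[pos:]
            return
        yield text[pos:start]
        pos = end + len(ARMOR_END)


def plaintext_card_numbers(text):
    """Return Luhn-valid 13-19 digit windows found outside PGP armor.

    Windows are tried inside each digit run so a number followed by an
    expiry date ("... 1111 06/99") is still caught. This errs toward blocking.
    """
    hits = []
    for chunk in outside_armor(text):
        for m in RUN_RE.finditer(chunk):
            digits = re.sub(r"[ -]", "", m.group())
            hit = next((digits[i:i + n]
                        for n in range(19, 12, -1)
                        for i in range(len(digits) - n + 1)
                        if luhn_ok(digits[i:i + n])), None)
            if hit:
                hits.append(hit)
    return hits


def safe_to_mail(body):
    """True only when no plaintext card number would leave in this body."""
    return not plaintext_card_numbers(body)
```

Call `safe_to_mail()` on the message body just before handing it to the mail system or writing it to the order file, and refuse to send when it returns False.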