j_browne - Joined: 26 Mar 2004 Posts: 13
Posted: Sat Mar 27, 2004 7:18 am Post subject: Security - Encryption?
i have a form to enter the name, credit card number (with error checking) etc.
but i don't want to submit info if it can be snooped.
is there a secure way i can encrypt the credit card number at least?
i do not want to use a paypal type system because these are not immediate payments, rather the info will be transmitted to an internal payment processing system.
i see that abyss does not do SSL or SHTTP so can someone point me to how user names/passwords are encrypted and how secure it is?
cheers :)
 |
j_browne - Joined: 26 Mar 2004 Posts: 13
Posted: Sat Mar 27, 2004 9:14 am
Ok I see how username:password is encrypted using md5, and how that is not going to work in this case as it can not be decrypted.
How much of a risk is it to post a credit card number from a form with no encryption? Can this information be snooped?
Is there a workaround when using Abyss or do I need to change web servers and SSL or SHTTP?
 |
iNaNimAtE - Joined: 05 Nov 2003 Posts: 2381 Location: Everywhere you're not.
Posted: Sat Mar 27, 2004 8:07 pm
I think unless you are a good programmer, there is no workaround. I guess you'll have to wait until the new version. _________________ Bienvenidos!
 |
aprelium - Joined: 22 Mar 2002 Posts: 6800
Posted: Sun Mar 28, 2004 4:16 pm
j_browne,
Transferring critical data on an SSL connection is mandatory nowadays. So you need an SSL enabled web server (this will be available in the next version of Abyss). But this isn't the only requirement. Your card # processing system must also be secure. _________________ Support Team
Aprelium - http://www.aprelium.com
 |
jmoschetti45 - Joined: 29 Oct 2003 Posts: 95 Location: MI USA
Posted: Mon Mar 29, 2004 3:43 am
Yes I am also in need of the SSL support for my future credit card processing. Does anyone know when the preview or the final version will be out? _________________ http://jmoschetti45.com
 |
Anonymoose - Joined: 09 Sep 2003 Posts: 2192
Posted: Mon Mar 29, 2004 1:42 pm
In the meantime, you can use STunnel to add SSL support to any app you want...
http://www.stunnel.org/
I've been using it happily with a self signed (ie untrusted, unpaid for) SSL certificate and Abyss for some time now so my whole website is viewed via HTTPS. Paranoia never hurt anyone...
In your case, you'd need to buy an SSL certificate from a proper vendor rather than self sign, or every time anyone views the page they will get the "This certificate is invalid" popup from their browser. Unencrypted credit card details is a big no-no - I can't imagine many potential customers would be very impressed by either an unencrypted form or knowing that their payment details are being transmitted insecurely. There are also issues with you storing their data.
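Added example, not part of any post in this thread: when stunnel terminates SSL on port 443 and forwards to a plain-HTTP server on port 80, the backend does not know the visitor arrived over HTTPS and may emit absolute http:// form actions, in which case the card number is still posted in the clear. This Python check resolves each form's action against the page URL and flags forms with sensitive fields that do not post to https; the host name, field names and SENSITIVE list are assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field-name fragments treated as sensitive (an assumption for this example).
SENSITIVE = ("card", "ccnum", "cvv", "pass")

class FormAudit(HTMLParser):
    """Collect each <form> with its resolved action URL and its field names."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # [{"action": absolute URL, "fields": [names]}]
        self._current = None   # form currently open, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action posts back to the page's own URL.
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = {"action": action, "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            self._current["fields"].append((a.get("name") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def insecure_forms(page_url, html):
    """Return action URLs of forms that send sensitive fields over plain HTTP."""
    audit = FormAudit(page_url)
    audit.feed(html)
    flagged = []
    for form in audit.forms:
        sensitive = any(s in name for name in form["fields"] for s in SENSITIVE)
        if sensitive and urlsplit(form["action"]).scheme != "https":
            flagged.append(form["action"])
    return flagged

# Constructed sample pages; host name and field names are made up.
ABSOLUTE = '<form method="post" action="http://shop.example/pay.php"><input name="card_number"></form>'
RELATIVE = '<form method="post" action="pay.php"><input name="card_number"></form>'
SEARCH = '<form action="http://shop.example/find.php"><input name="q"></form>'

if __name__ == "__main__":
    page = "https://shop.example/order.php"   # page as fetched through the tunnel
    for label, html in (("absolute", ABSOLUTE), ("relative", RELATIVE), ("search", SEARCH)):
        print(label, insecure_forms(page, html))
```

A relative action inherits the scheme of the page it was served on, so it stays on HTTPS behind the tunnel; only the hard-coded http:// action is flagged.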
 |
TRUSTAbyss - Joined: 29 Oct 2003 Posts: 3752 Location: USA, GA
Posted: Mon Mar 29, 2004 3:44 pm
STunnel never worked for me, can you write a tutorial?
 |
jmoschetti45 - Joined: 29 Oct 2003 Posts: 95 Location: MI USA
Posted: Tue Apr 06, 2004 12:08 am
I would like one too. It just frustrated me too much and I gave up. _________________ http://jmoschetti45.com
 |
j_browne - Joined: 26 Mar 2004 Posts: 13
Posted: Mon Apr 12, 2004 10:43 am Post subject: frustration sets in...
:x well i'm officially frustrated out of my brain trying to find a free web server that has ssl AND php support for winxp. will try stunnel.org though...
i'm only developing on my winxp machine.
the host site already has ssl etc running but it's too hard to develop on the crappy server all the time.
for now i've given up and am doing the plain html forms through ssl locally (ssl server does not do php), and then using the host server to test the extra php bits etc...
if anyone can help with this i would be able to sleep easier:
the more i've read about cgi, the more confused i've become.
if a web server is 'cgi enabled', is there a way to set up the windows environment so that c:\php\php.exe will be executed when a request is made for a .php file?
i've found so much conflicting misinformation, i just want to know: am i way off track here? :?
 |
j_browne - Joined: 26 Mar 2004 Posts: 13
Posted: Mon Apr 12, 2004 11:59 am
well thanks Anonymoose. stunnel does the trick, i can now use ssl AND php :)
Anonymoose, i have a strange problem though when i load certain php pages thru https, it renders most of the page and then just sits there for ages while the little bar ticks across. if i press X/stop, then the page appears fully rendered! it's already finished the page so what the hell is it doing? there is no network traffic and i'm running on localhost!
this only happens on some pages, DOES NOT HAPPEN IN FIREBIRD, only IE.
my stunnel.conf is very basic:
"
#Stunnel server configuration file
key=c:\stunnel\stunnel.pem
#up this number to 7 to get full log details
#leave it at 3 to just get critical error messages
debug=3
output=c:\stunnel\output.log
[stunnel]
accept=443
connect=80
"
if i wait forever the page will show correctly in IE.
if I press stop i see the complete page immediately, but the following error is logged in output.log:
"2004.04.12 18:52:15 LOG3[1712:1324]: SSL_read (ERROR_SYSCALL): Connection reset by peer (WSAECONNRESET) (10054)"
none of this matters much because i doubt i'll get this on the host's server but i'd like to know what the hell it is doing...
 |
jmoschetti45 - Joined: 29 Oct 2003 Posts: 95 Location: MI USA
Posted: Mon Apr 12, 2004 5:33 pm
I had the same error. That's why I gave up using it. I have almost the exact same config too, just I have logging set to 7. _________________ http://jmoschetti45.com
 |
j_browne - Joined: 26 Mar 2004 Posts: 13
Posted: Thu Apr 15, 2004 5:19 pm
perhaps microsoft will spontaneously combust and firefox will become standard?
that would fix this problem.
oh well who cares, at least i can develop on my local machine instead of on the host server...
 |
Foxified - Joined: 13 Apr 2004 Posts: 487 Location: Canada
Posted: Thu Apr 15, 2004 7:39 pm
I love firefox..But
If i have it open
and i'm working elsewhere on my comp, my comp seems to slow down even if firefox isn't loading anything, seems to lag my 1ghz cpu =.-