I have no idea where to start on this. We have a need to allow our users to
enter Credit Card #'s on a web page, so we need a secure page (have the
little lock at the bottom of the browser) in order to do this.
1) What is this called? (I've heard the term SSL (Secure Socket Layer)
tossed around, I don't know if this is the same or something different).
2) If I need a certificate of some sort for our server, how do I get it?
Thanks for any help you can offer.
Jesse
www.davinci-mims.com
On Fri, 19 Dec 2003 13:49:31 -0500, "Anchorman"
<Je*********@davinci-mims.com> wrote:
> I have no idea where to start on this. We have a need to allow our users to
> enter Credit Card #'s on a web page, so we need a secure page (have the
> little lock at the bottom of the browser) in order to do this.
> 1) What is this called? (I've heard the term SSL (Secure Socket Layer)
> tossed around, I don't know if this is the same or something different).
> 2) If I need a certificate of some sort for our server, how do I get it?
For those two questions, see: http://www.iisfaq.com/default.aspx?View=P20&P=145
But if you're asking these questions, think twice about doing this.
When you screw it up and credit card numbers leak out, you'll lose
your customer base pretty darned quick. Use a payment processing
service instead.
Jeff
"Anchorman" <Je*********@davinci-mims.com> wrote in message
news:uH**************@TK2MSFTNGP12.phx.gbl...
> I have no idea where to start on this. We have a need to allow our users
> to enter Credit Card #'s on a web page, so we need a secure page (have the
> little lock at the bottom of the browser) in order to do this.
Presumably, these credit card numbers are being stored in a database? You
should take steps to make sure your database is secure as well (that is, a
user couldn't point his/her browser at a URL for the database and download
it). In addition, you should look into encrypting the credit card info
before storing it in the database. Check out ASPEncrypt
(www.aspencrypt.com) for encrypting/decrypting credit card data. They have
some good examples under the Tasks, including encrypting credit card info.
> 1) What is this called? (I've heard the term SSL (Secure Socket Layer)
> tossed around, I don't know if this is the same or something different).
SSL is correct. You can tell when you're using SSL by the protocol in the
URL as well... it will be "https://" vs. "http://" (note the 's').
> 2) If I need a certificate of some sort for our server, how do I get it?
You need to purchase a certificate, or oftentimes your host will have one
that you can use. However, using the host's certificate will typically mean
that the URL to the secure pages will be something like this: https://secure.myhost.com/mydomain/mysecurepage.htm
vs. having your own certificate where your URL would probably look more like
this: https://www.mydomain.com/mysecurepage.htm
Some customers may be turned off if they have to leave your domain. You can
purchase your own certificate from Thawte ( www.thawte.com) or Verisign
(though Verisign is a bit of a rip off, in my opinion). Once you have the
certificate, your host will need to install it on the server. You should
contact the host in advance though to let them know you're going to be doing
this. You can find more documentation on the Thawte and Verisign
websites.
Regards,
Peter Foti
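As an added illustration of the https point above (this is not code from the thread, from ASPEncrypt or from IIS), here is a pre-launch check a practitioner can run over the checkout page. The lock only proves that the page itself arrived over https; it says nothing about where the card form posts to, and a script, stylesheet, frame or image pulled over plain http on that page is mixed content that breaks the lock or triggers a browser warning. The page URL reuses the thread's mydomain.com placeholder and the markup is constructed sample data; both are assumptions, not anything from the original posts.

```python
"""Pre-launch check for a 'secure' checkout page (added example, not from the thread).

The browser shows the lock when the page itself came over https.  Two things
the lock does NOT prove: that the card form posts back over https, and that
no script/stylesheet/frame/image is loaded over plain http (mixed content).
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: the thread's placeholder host, a page that *looks* fine
# (it has the lock) but posts the card number over http and loads an http script.
SAMPLE_PAGE_URL = "https://www.mydomain.com/mysecurepage.htm"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/styles/checkout.css">
<script src="http://www.mydomain.com/js/validate.js"></script>
</head><body>
<img src="//www.mydomain.com/images/lock.gif">
<form method="post" action="http://www.mydomain.com/processcard.asp">
  <input name="cardnumber"><input type="submit">
</form>
<form method="post" action="submitcard.asp">
  <input name="cardnumber"><input type="submit">
</form>
</body></html>
"""


class _Collector(HTMLParser):
    """Gathers form actions and embedded-resource URLs from the markup."""

    def __init__(self):
        super().__init__()
        self.forms = []       # raw action attributes ('' means 'post to self')
        self.resources = []   # (tag, raw src/href) for things the browser fetches

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append(a.get("action") or "")
        elif tag in ("script", "img", "iframe", "frame", "embed"):
            if a.get("src"):
                self.resources.append((tag, a["src"]))
        elif tag == "object" and a.get("data"):
            self.resources.append((tag, a["data"]))
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower():
            if a.get("href"):
                self.resources.append((tag, a["href"]))


def audit_secure_page(page_url, html):
    """Return a list of (kind, resolved_url, problem) tuples; an empty list means OK."""
    findings = []
    if urlsplit(page_url).scheme != "https":
        findings.append(("page", page_url, "page itself is not served over https"))
    c = _Collector()
    c.feed(html)
    for action in c.forms:
        target = urljoin(page_url, action)   # relative or empty action -> same origin
        if urlsplit(target).scheme != "https":
            findings.append(("form", target, "card form posts over plain http"))
    for tag, src in c.resources:
        target = urljoin(page_url, src)      # '//host/x' inherits https; 'http://' does not
        if urlsplit(target).scheme == "http":
            findings.append((tag, target, "mixed content: http resource on https page"))
    return findings


if __name__ == "__main__":
    for kind, url, problem in audit_secure_page(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{kind:7} {problem}: {url}")
```

Run it against the real page source before the host installs the certificate; the relative action on the second form is fine because it resolves against the https page, while the absolute http action on the first form would send the card number in the clear even though the page shows the lock.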
> When you screw it up and credit card numbers leak out, you'll lose your customer base pretty darned quick.
Or worse. (Think lawsuit, fines, prison, etc.)
--
Aaron Bertrand
SQL Server MVP http://www.aspfaq.com/
> it). In addition, you should look into encrypting the credit card info before storing it in the database. Check out ASPEncrypt (www.aspencrypt.com) for encrypting/decrypting credit card data.
Well, if you need to keep the data, you will also need to decrypt it. And
if you can decrypt it, so can someone else. I love the use of quotes around
the word "secret" to describe where to store the encryption key in the
registry...
--
Aaron Bertrand
SQL Server MVP http://www.aspfaq.com/
"Aaron Bertrand - MVP" <aa***@TRASHaspfaq.com> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl...
> > it). In addition, you should look into encrypting the credit card info
> > before storing it in the database. Check out ASPEncrypt
> > (www.aspencrypt.com) for encrypting/decrypting credit card data.
> Well, if you need to keep the data, you will also need to decrypt it. And
> if you can decrypt it, so can someone else.
Sure... if they have the decryption key.
> I love the use of quotes around the word "secret" to describe where to
> store the encryption key in the registry...
LOL! Yes, that method is somewhat foolish, and not realistic in a world
where sites are hosted and you have no control over the server.
A better approach might be to store the decryption key on a PC that is not
publicly accessible, or perhaps require the user to input the decryption key
(over a secure connection, of course).
Peter Foti
> > Well, if you need to keep the data, you will also need to decrypt it.
> > And if you can decrypt it, so can someone else.
> Sure... if they have the decryption key.
My two thoughts were intended to be connected. E.g. you need the decryption
key to decrypt, so let's "hide" it in the registry. In addition, unless you
manually decrypt the data row by row, you must have programmatic access to
the decryption key in order to automate order processing, etc. So a
malicious user doesn't necessarily need to find/know/guess the key to
decrypt the data.
--
Aaron Bertrand
SQL Server MVP http://www.aspfaq.com/
"Aaron Bertrand - MVP" <aa***@TRASHaspfaq.com> wrote in message
news:Oz****************@TK2MSFTNGP09.phx.gbl...
> > > Well, if you need to keep the data, you will also need to decrypt it.
> > > And if you can decrypt it, so can someone else.
> > Sure... if they have the decryption key.
> My two thoughts were intended to be connected. E.g. you need the
> decryption key to decrypt, so let's "hide" it in the registry.
Hehehe... I didn't make that connection the first time... it's even funnier
when you put it like that. :)
> In addition, unless you manually decrypt the data row by row, you must
> have programmatic access to the decryption key in order to automate order
> processing, etc. So a malicious user doesn't necessarily need to
> find/know/guess the key to decrypt the data.
True. But perhaps the decryption key could reside on a different server
(for example, behind a firewall on a LAN), where the order processing would
get the key and then send it to the database server? Would that make it any
more secure?
Pete
> True. But perhaps the decryption key could reside on a different server
> (for example, behind a firewall on a LAN), where the order processing
> would get the key and then send it to the database server? Would that make
> it any more secure?
Not really. If someone from outside the firewall/LAN could initiate code
that sends the key to the database server, theoretically, they could
intercept it or initiate it to send it somewhere else. Basically, if you
put the key anywhere in plain view, someone will be able to get to it. It's
just a matter of how much work it will take, and whether the payoff is worth
it (knowledge, time, risk).
--
Aaron Bertrand
SQL Server MVP http://www.aspfaq.com/
"Aaron Bertrand - MVP" <aa***@TRASHaspfaq.com> wrote in message
news:e1**************@TK2MSFTNGP09.phx.gbl...
> > True. But perhaps the decryption key could reside on a different server
> > (for example, behind a firewall on a LAN), where the order processing
> > would get the key and then send it to the database server? Would that
> > make it any more secure?
> Not really. If someone from outside the firewall/LAN could initiate code
> that sends the key to the database server, theoretically, they could
> intercept it or initiate it to send it somewhere else.
I assume you mean, for example, an order is placed, thus triggering the
order processing to begin by sending the decryption key. Presumably,
though, it would be sent via HTTPS, so as to keep it secure during
transmission.
> Basically, if you put the key anywhere in plain view, someone will be able
> to get to it. It's just a matter of how much work it will take, and whether
> the payoff is worth it (knowledge, time, risk).
True, but I don't think that behind a firewall is exactly in plain view....
except, of course, to anyone else who was behind that firewall (which in
this scenario should only be the order processing folks).
Pete
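The thread's working conclusion is that any key the order-processing code can reach, an attacker who gets into that code can reach too, and the only card data that cannot leak is the card data you never keep. The following Python example is added here to show what that looks like in practice; it is not code from the thread, from ASPEncrypt or from any of the posters. It validates the number with the Luhn check at entry, hands the full number to the payment processor (`send_to_processor` is a hypothetical callable standing in for the processing service's API) and stores only a masked form; and, because the "numbers leak out" scenario usually happens through logs and debug output rather than through the database, it includes a scanner that finds Luhn-valid card numbers in text so a leak is noticed before a customer notices it. The log lines and card numbers are constructed sample data (widely published test numbers, not real cards).

```python
"""Keep less, find leaks (added example, not from the thread).

- luhn_ok / normalize_pan / mask_pan: accept a card number at entry, keep only a mask.
- checkout_record: pass the full number to the processor, store mask + reference.
- find_pans: scan free text (logs, DB dumps) for Luhn-valid card numbers.
"""
import re

# 13-19 digits, optionally broken up by single spaces or dashes, not preceded or
# followed by another digit.  Timestamps and order numbers rarely reach 13 digits,
# and the Luhn check filters most of what slips through.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum: every second digit from the right is doubled (and 9 subtracted if > 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def normalize_pan(text):
    """Strip separators a customer may have typed; None unless it is a plausible PAN."""
    digits = re.sub(r"[ -]", "", text)
    if not digits.isdigit() or not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        return None
    return digits


def mask_pan(digits):
    """What the merchant keeps for its own records: the last four digits only."""
    return "*" * (len(digits) - 4) + digits[-4:]


def checkout_record(entered_pan, expiry, send_to_processor):
    """Validate, hand the full number to the processor, keep only the mask.

    send_to_processor is a hypothetical callable (assumption, not a real API);
    it returns a reference the merchant stores instead of the card number.
    """
    pan = normalize_pan(entered_pan)
    if pan is None:
        raise ValueError("card number failed basic validation")
    reference = send_to_processor(pan, expiry)
    # Nothing below this line touches the full number again.
    return {"card": mask_pan(pan), "expiry": expiry, "processor_ref": reference}


def find_pans(text):
    """Return (line_number, masked_pan) for every Luhn-valid card number found in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in _PAN_RE.finditer(line):
            pan = normalize_pan(m.group(0))
            if pan is not None:
                hits.append((lineno, mask_pan(pan)))
    return hits


# Constructed sample log lines (published test card numbers, not real cards).
SAMPLE_LOG = """\
2003-12-19 13:49:31 POST /checkout.asp card=4111-1111-1111-1111 exp=12/05
2003-12-19 13:50:02 order 10023 total=49.95 phone=555-0100 ok
2003-12-19 13:51:10 debug pan=4111111111111112 (typo, fails Luhn)
2003-12-19 13:52:44 customer 4242 4242 4242 4242 approved ref=A1B2
"""

if __name__ == "__main__":
    rec = checkout_record("4111 1111 1111 1111", "12/05", lambda pan, exp: "ref-0001")
    print("stored:", rec)
    for lineno, masked in find_pans(SAMPLE_LOG):
        print(f"line {lineno}: card number {masked} written to log")
```

The scanner is the check worth scheduling: run it over web server logs, application logs and any database export, and treat a single hit as an incident, since a number that reached a log file has already left the encrypted table the thread was arguing about.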