How to get a Secure Web Page?

  • Anchorman

    How to get a Secure Web Page?

    I have no idea where to start on this. We have a need to allow our users to
    enter Credit Card #'s on a web page, so we need a secure page (have the
    little lock at the bottom of the browser) in order to do this.

    1) What is this called? (I've heard the term SSL (Secure Socket Layer)
    tossed around, I don't know if this is the same or something different).

    2) If I need a certificate of some sort for our server, how do I get it?

    Thanks for any help you can offer.

    Jesse



  • Jeff Cochran

    #2
    Re: How to get a Secure Web Page?

    On Fri, 19 Dec 2003 13:49:31 -0500, "Anchorman"
    <JesseN0SPAM@davinci-mims.com> wrote:

    >I have no idea where to start on this. We have a need to allow our users to
    >enter Credit Card #'s on a web page, so we need a secure page (have the
    >little lock at the bottom of the browser) in order to do this.
    >
    >1) What is this called? (I've heard the term SSL (Secure Socket Layer)
    >tossed around, I don't know if this is the same or something different).
    >
    >2) If I need a certificate of some sort for our server, how do I get it?

    For those two questions, see:

    http://www.iisfaq.com/default.aspx?View=P20&P=145

    But if you're asking these questions, think twice about doing this.
    When you screw it up and credit card numbers leak out, you'll lose
    your customer base pretty darned quick. Use a payment processing
    service instead.

    Jeff


    • Peter Foti

      #3
      Re: How to get a Secure Web Page?

      "Anchorman" <JesseN0SPAM@davinci-mims.com> wrote in message
      news:uHmKPDmxDHA.2304@TK2MSFTNGP12.phx.gbl...
      > I have no idea where to start on this. We have a need to allow our users
      > to enter Credit Card #'s on a web page, so we need a secure page (have the
      > little lock at the bottom of the browser) in order to do this.

      Presumably, these credit card numbers are being stored in a database? You
      should take steps to make sure your database is secure as well (that is, a
      user couldn't point his/her browser at a URL for the database and download
      it). In addition, you should look into encrypting the credit card info
      before storing it in the database. Check out ASPEncrypt
      (www.aspencrypt.com) for encrypting/decrypting credit card data. They have
      some good examples under the Tasks, including encrypting credit card info.

      > 1) What is this called? (I've heard the term SSL (Secure Socket Layer)
      > tossed around, I don't know if this is the same or something different).

      SSL is correct. You can tell when you're using SSL by the protocol in the
      URL as well... it will be "https://" vs. "http://" (note the 's').

      > 2) If I need a certificate of some sort for our server, how do I get it?

      You need to purchase a certificate, or oftentimes your host will have one
      that you can use. However, using the host's certificate will typically mean
      that the URL to the secure pages will be something like this:



      vs. having your own certificate where your URL would probably look more like
      this:



      Some customers may be turned off if they have to leave your domain. You can
      purchase your own certificate from Thawte (www.thawte.com) or Verisign
      (though Verisign is a bit of a rip-off, in my opinion). Once you have the
      certificate, your host will need to install it on the server. You should
      contact the host in advance, though, to let them know you're going to be
      doing this. You can find more documentation on the Thawte and Verisign
      websites.

      Regards,
      Peter Foti
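Once the certificate is installed, the server still has to refuse to hand out the card-entry form, or accept the posted card number, over plain http://. The following is an added example, not code from this thread or from any of the posters: a small WSGI middleware that redirects http:// requests to https://, adds a Strict-Transport-Security header, and forces the Secure flag onto cookies. The app `card_form_app`, the host `shop.example`, the `environ_for` request builder and the `call` driver are constructed for the demonstration; the X-Forwarded-Proto handling assumes a TLS-terminating reverse proxy that strips any client-supplied copy of that header.

```python
"""Serve the card-entry page only over HTTPS (added example, not thread code).

Getting a certificate installed is step one; the server must then refuse to
hand out the checkout form, or accept the posted card number, over plain
http://. This WSGI middleware:
  1. redirects any http:// request to the same URL on https://,
  2. adds a Strict-Transport-Security header to https responses, and
  3. forces the Secure flag onto every Set-Cookie the wrapped app emits.
Assumption: if TLS is terminated by a reverse proxy, that proxy sets
X-Forwarded-Proto and strips any copy the client sent; the header is only
trusted when TRUST_FORWARDED_PROTO is True.
"""
from urllib.parse import quote

TRUST_FORWARDED_PROTO = True
HSTS = "max-age=31536000; includeSubDomains"


def request_scheme(environ):
    """Effective scheme of the request, honouring a trusted TLS-terminating proxy."""
    if TRUST_FORWARDED_PROTO:
        forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0].strip().lower()
        if forwarded in ("http", "https"):
            return forwarded
    return environ.get("wsgi.url_scheme", "http")


def _with_secure_flag(cookie):
    """Append '; Secure' unless the cookie already carries the attribute."""
    attrs = [part.strip().lower() for part in cookie.split(";")]
    return cookie if "secure" in attrs else cookie + "; Secure"


def https_only(app):
    """Wrap a WSGI app so it is only reachable over HTTPS."""
    def middleware(environ, start_response):
        if request_scheme(environ) != "https":
            host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
            path = quote(environ.get("PATH_INFO", "/"))
            query = environ.get("QUERY_STRING", "")
            location = "https://" + host + path + ("?" + query if query else "")
            # The redirect only protects future navigations: a form whose action
            # is an http:// URL has already leaked the card number before this
            # code runs, so the form action itself must point at https://.
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def secure_start_response(status, headers, exc_info=None):
            fixed = [(name, _with_secure_flag(value) if name.lower() == "set-cookie" else value)
                     for name, value in headers]
            fixed.append(("Strict-Transport-Security", HSTS))
            return start_response(status, fixed, exc_info)

        return app(environ, secure_start_response)
    return middleware


def card_form_app(environ, start_response):
    """Stand-in for the checkout page (hypothetical app, constructed for the example)."""
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Set-Cookie", "session=abc123; HttpOnly; Path=/")])
    return [b"<form method='post' action='https://shop.example/checkout'>...</form>"]


secure_app = https_only(card_form_app)


def environ_for(scheme, path="/checkout", host="shop.example", forwarded=None):
    """Build a minimal WSGI environ for a request (constructed sample input)."""
    environ = {"REQUEST_METHOD": "GET", "wsgi.url_scheme": scheme, "HTTP_HOST": host,
               "SERVER_NAME": host, "PATH_INFO": path, "QUERY_STRING": ""}
    if forwarded is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded
    return environ


def call(app, environ):
    """Drive a WSGI app synchronously; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    for env in (environ_for("http"), environ_for("https")):
        status, headers, _ = call(secure_app, env)
        print(env["wsgi.url_scheme"], "->", status, dict(headers))
```

The 301 to https:// helps only for the next navigation; a checkout form whose `action` is an http:// URL has already sent the card number in the clear by the time the server sees it, so the form itself must point at the https:// URL. Check the effect with a browser's lock icon and, on the wire, with any packet capture: the POST body should never be readable.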



      • Aaron Bertrand - MVP

        #4
        Re: How to get a Secure Web Page?

        > When you screw it up and credit card numbers leak out, you'll lose
        > your customer base pretty darned quick.

        Or worse. (Think lawsuit, fines, prison, etc.)

        --
        Aaron Bertrand
        SQL Server MVP




        • Aaron Bertrand - MVP

          #5
          Re: How to get a Secure Web Page?

          > it). In addition, you should look into encrypting the credit card info
          > before storing it in the database. Check out ASPEncrypt
          > (www.aspencrypt.com) for encrypting/decrypting credit card data.

          Well, if you need to keep the data, you will also need to decrypt it. And
          if you can decrypt it, so can someone else. I love the use of quotes around
          the word "secret" to describe where to store the encryption key in the
          registry...

          --
          Aaron Bertrand
          SQL Server MVP




          • Peter Foti

            #6
            Re: How to get a Secure Web Page?

            "Aaron Bertrand - MVP" <aaron@TRASHaspfaq.com> wrote in message
            news:%23f9QfTnxDHA.2456@TK2MSFTNGP10.phx.gbl...
            > > it). In addition, you should look into encrypting the credit card info
            > > before storing it in the database. Check out ASPEncrypt
            > > (www.aspencrypt.com) for encrypting/decrypting credit card data.
            >
            > Well, if you need to keep the data, you will also need to decrypt it. And
            > if you can decrypt it, so can someone else.

            Sure... if they have the decryption key.

            > I love the use of quotes around
            > the word "secret" to describe where to store the encryption key in the
            > registry...

            LOL! Yes, that method is somewhat foolish, and not realistic in a world
            where sites are hosted and you have no control over the server.
            A better approach might be to store the decryption key on a PC that is not
            publicly accessible, or perhaps require the user to input the decryption key
            (over a secure connection, of course).

            Peter Foti



            • Aaron Bertrand - MVP

              #7
              Re: How to get a Secure Web Page?

              > > Well, if you need to keep the data, you will also need to decrypt it.
              > > And if you can decrypt it, so can someone else.
              >
              > Sure... if they have the decryption key.

              My two thoughts were intended to be connected. E.g. you need the decryption
              key to decrypt, so let's "hide" it in the registry. In addition, unless you
              manually decrypt the data row by row, you must have programmatic access to
              the decryption key in order to automate order processing, etc. So a
              malicious user doesn't necessarily need to find/know/guess the key to
              decrypt the data.

              --
              Aaron Bertrand
              SQL Server MVP




              • Peter Foti

                #8
                Re: How to get a Secure Web Page?

                "Aaron Bertrand - MVP" <aaron@TRASHaspfaq.com> wrote in message
                news:Oz%231ydnxDHA.2620@TK2MSFTNGP09.phx.gbl...
                > > > Well, if you need to keep the data, you will also need to decrypt it.
                > > > And if you can decrypt it, so can someone else.
                > >
                > > Sure... if they have the decryption key.
                >
                > My two thoughts were intended to be connected. E.g. you need the
                > decryption key to decrypt, so let's "hide" it in the registry.

                Hehehe... I didn't make that connection the first time... it's even funnier
                when you put it like that. :)

                > In addition, unless you
                > manually decrypt the data row by row, you must have programmatic access to
                > the decryption key in order to automate order processing, etc. So a
                > malicious user doesn't necessarily need to find/know/guess the key to
                > decrypt the data.

                True. But perhaps the decryption key could reside on a different server
                (for example, behind a firewall on a LAN), where the order processing would
                get the key and then send it to the database server? Would that make it any
                more secure?

                Pete



                • Aaron Bertrand - MVP

                  #9
                  Re: How to get a Secure Web Page?

                  > True. But perhaps the decryption key could reside on a different server
                  > (for example, behind a firewall on a LAN), where the order processing
                  > would get the key and then send it to the database server? Would that
                  > make it any more secure?

                  Not really. If someone from outside the firewall/LAN could initiate code
                  that sends the key to the database server, theoretically, they could
                  intercept it or initiate it to send it somewhere else. Basically, if you
                  put the key anywhere in plain view, someone will be able to get to it. It's
                  just a matter of how much work it will take, and whether the payoff is worth
                  it (knowledge, time, risk).

                  --
                  Aaron Bertrand
                  SQL Server MVP




                  • Peter Foti

                    #10
                    Re: How to get a Secure Web Page?

                    "Aaron Bertrand - MVP" <aaron@TRASHaspfaq.com> wrote in message
                    news:e1R5jAoxDHA.2396@TK2MSFTNGP09.phx.gbl...
                    > > True. But perhaps the decryption key could reside on a different server
                    > > (for example, behind a firewall on a LAN), where the order processing
                    > > would get the key and then send it to the database server? Would that
                    > > make it any more secure?
                    >
                    > Not really. If someone from outside the firewall/LAN could initiate code
                    > that sends the key to the database server, theoretically, they could
                    > intercept it or initiate it to send it somewhere else.

                    I assume you mean, for example, an order is placed, thus triggering the
                    order processing to begin by sending the decryption key. Presumably,
                    though, it would be sent via HTTPS, so as to keep it secure during
                    transmission.

                    > Basically, if you
                    > put the key anywhere in plain view, someone will be able to get to it.
                    > It's just a matter of how much work it will take, and whether the payoff
                    > is worth it (knowledge, time, risk).

                    True, but I don't think that behind a firewall is exactly in plain view....
                    except, of course, to anyone else who was behind that firewall (which in
                    this scenario should only be the order processing folks).

                    Pete



                    • Aaron Bertrand [MVP]

                      #11
                      Re: How to get a Secure Web Page?

                      > True, but I don't think that behind a firewall is exactly in plain
                      > view.... except, of course, to anyone else who was behind that firewall
                      > (which in this scenario should only be the order processing folks).

                      If the whole thing is behind the firewall, then who are you protecting *any*
                      portion of it from? I was expressing my thoughts because I know of web
                      sites that have web-based order processing that is done manually, but from
                      an online admin section of the site, so credit card information is retrieved
                      from a database (behind a firewall, I would imagine) and presented to an
                      order gimp through a browser.

                      --
                      Aaron Bertrand
                      SQL Server MVP




                      • Peter Foti

                        #12
                        Re: How to get a Secure Web Page?

                        "Aaron Bertrand [MVP]" <aaron@TRASHaspfaq.com> wrote in message
                        news:OaqI6roxDHA.540@tk2msftngp13.phx.gbl...
                        > > True, but I don't think that behind a firewall is exactly in plain
                        > > view.... except, of course, to anyone else who was behind that firewall
                        > > (which in this scenario should only be the order processing folks).
                        >
                        > If the whole thing is behind the firewall, then who are you protecting
                        > *any* portion of it from?

                        If the whole thing is behind the firewall, then you are protecting it from
                        everyone, no? But my example was meant as:
                        - Website is on some public host somewhere (not behind firewall, or perhaps
                        behind host's firewall which is configured to only allow HTTP(S) through)
                        - Order processing is done (behind a firewall) on a corporate LAN, where the
                        decryption key is kept

                        > I was expressing my thoughts because I know of web
                        > sites that have web-based order processing that is done manually, but from
                        > an online admin section of the site, so credit card information is
                        > retrieved from a database (behind a firewall, I would imagine) and
                        > presented to an order gimp through a browser.

                        And I would agree with you that this scenario is not *entirely* secure... I
                        was just trying to suggest a possible *more secure* method. :)

                        Insecurely,
                        Pete :)



                        • Aaron Bertrand [MVP]

                          #13
                          Re: How to get a Secure Web Page?

                          > And I would agree with you that this scenario is not *entirely* secure...
                          > I was just trying to suggest a possible *more secure* method. :)

                          Yep, I was just making sure that was clear to the OP.

                          --
                          Aaron Bertrand
                          SQL Server MVP
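The thread from post #5 onward circles one point: data the web application can decrypt is data an attacker who owns the web application can decrypt, wherever the key is parked. The alternative the posters keep coming back to is not to hold the card number at all. The following is an added example, not code from this thread or from ASPEncrypt: it keeps only what a merchant needs (last four digits, expiry, a reference issued by the payment processor, and a keyed one-way fingerprint for "same card as last time" matching) and then demonstrates Aaron's point in code, showing that whoever holds the fingerprint key can brute-force a partially known card number in moments. The key, the `tok_...` processor token, the `StoredCard` record and the card numbers are constructed for the demonstration (4111 1111 1111 1111 is a well-known test PAN); the brute-force helper assumes 16-digit PANs.

```python
"""Keep what the merchant needs, never the card number (added example, not thread code).

Data the web app can decrypt is data an attacker who compromises the web app
can decrypt too. So store no PAN: keep the last four digits for display, the
expiry, an opaque reference handed back by the payment processor, and a keyed
one-way fingerprint for "same card as last time" matching. Nothing stored here
can be turned back into a card number without the fingerprint key, which is
why that key must live with the order-processing side, not on the web server.
Assumptions: 16-digit PANs for the brute-force demo; the processor token
('tok_...') is a stand-in for whatever a real processor returns; the key and
card numbers below are constructed test values (4111... is a public test PAN).
"""
import hmac
import hashlib
import re
from dataclasses import dataclass

# Constructed demo key. In production: generated with secrets.token_bytes(32),
# held by the order-processing system, never written next to the database.
FINGERPRINT_KEY = b"demo-key-do-not-use-in-production"


def luhn_ok(digits):
    """Luhn check-digit validation for a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def normalize_pan(raw):
    """Strip spaces/dashes and reject anything that is not a plausible PAN."""
    digits = re.sub(r"[ -]", "", raw)
    if not digits.isdigit() or not 12 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a valid card number")
    return digits


def mask(pan):
    """Display form: first six (BIN) and last four visible, the rest starred."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def fingerprint(pan, key):
    """Keyed one-way reference to a PAN (HMAC-SHA256, hex)."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class StoredCard:
    """Everything the merchant database holds about a card. No PAN, no CVV."""
    last4: str
    expiry: str           # "MM/YY"
    processor_token: str  # opaque reference issued by the payment processor (assumed)
    fingerprint: str      # hex HMAC for duplicate/returning-card detection


def store_card(raw_pan, expiry, cvv, processor_token, key=FINGERPRINT_KEY):
    """Build the record to persist. The CVV is accepted only to make the point
    that it is used for the authorization call and then discarded."""
    pan = normalize_pan(raw_pan)
    del cvv  # never persisted, never logged
    return StoredCard(last4=pan[-4:], expiry=expiry,
                      processor_token=processor_token,
                      fingerprint=fingerprint(pan, key))


def matches(card, raw_pan, key=FINGERPRINT_KEY):
    """Is raw_pan the card this record refers to? Constant-time compare."""
    try:
        pan = normalize_pan(raw_pan)
    except ValueError:
        return False
    return hmac.compare_digest(card.fingerprint, fingerprint(pan, key))


def recover_with_key(fp_hex, pattern, key):
    """Aaron's point in code: whoever holds the key can brute-force the PAN.
    pattern is the PAN with unknown digits as '*'. The stored mask alone leaves
    six digits unknown (about 10**5 Luhn-valid candidates, seconds of work);
    the demo below fixes three more so it finishes instantly."""
    holes = [i for i, ch in enumerate(pattern) if ch == "*"]
    for n in range(10 ** len(holes)):
        candidate = list(pattern)
        for pos, digit in zip(holes, str(n).zfill(len(holes))):
            candidate[pos] = digit
        candidate = "".join(candidate)
        if luhn_ok(candidate) and hmac.compare_digest(fingerprint(candidate, key), fp_hex):
            return candidate
    return None


if __name__ == "__main__":
    card = store_card("4111 1111 1111 1111", "12/27", "123", "tok_demo_001")
    print(card, mask("4111111111111111"))
    print("returning customer:", matches(card, "4111-1111-1111-1111"))
    print("with the key, pattern 4111111111111*** ->",
          recover_with_key(card.fingerprint, "4111111111111***", FINGERPRINT_KEY))
```

The record that reaches the database contains no PAN and no CVV, so a dump of that table, or a compromised web server, yields nothing chargeable. The one secret left is the fingerprint key, and `recover_with_key` shows why it has to stay off the web server: given the key plus the masked number, the remaining digits are a small search. A processor-issued token does even better, because the merchant then never sees the PAN after the authorization call.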




                          • Anchorman

                            #14
                            Re: How to get a Secure Web Page?

                            I haven't researched credit card payment services much. But, we want to
                            control what the screen looks like, and present the items in the manner that
                            we wish to.

                            You make a very good point, though, and when we get to the point of actually
                            storing the credit card #'s, and validating transactions, I'll definitely
                            keep that option in mind.

                            Jesse

                            "Jeff Cochran" <jcochran.nospam@naplesgov.com> wrote in message
                            news:3fe44cb4.794637678@msnews.microsoft.com...
                            > On Fri, 19 Dec 2003 13:49:31 -0500, "Anchorman"
                            > <JesseN0SPAM@davinci-mims.com> wrote:
                            >
                            > >I have no idea where to start on this. We have a need to allow our users
                            > >to enter Credit Card #'s on a web page, so we need a secure page (have the
                            > >little lock at the bottom of the browser) in order to do this.
                            > >
                            > >1) What is this called? (I've heard the term SSL (Secure Socket Layer)
                            > >tossed around, I don't know if this is the same or something different).
                            > >
                            > >2) If I need a certificate of some sort for our server, how do I get it?
                            >
                            > For those two questions, see:
                            >
                            > http://www.iisfaq.com/default.aspx?View=P20&P=145
                            >
                            > But if you're asking these questions, think twice about doing this.
                            > When you screw it up and credit card numbers leak out, you'll lose
                            > your customer base pretty darned quick. Use a payment processing
                            > service instead.
                            >
                            > Jeff



                            • Anchorman

                              #15
                              Re: How to get a Secure Web Page?

                              BTW, what are some of the services that I can research? Perhaps some
                              of them will allow me to present the data in my own way. At this point, I'm
                              just fishing.

                              Jesse

                              "Jeff Cochran" <jcochran.nospam@naplesgov.com> wrote in message
                              news:3fe44cb4.794637678@msnews.microsoft.com...
                              > On Fri, 19 Dec 2003 13:49:31 -0500, "Anchorman"
                              > <JesseN0SPAM@davinci-mims.com> wrote:
                              >
                              > >I have no idea where to start on this. We have a need to allow our users
                              > >to enter Credit Card #'s on a web page, so we need a secure page (have the
                              > >little lock at the bottom of the browser) in order to do this.
                              > >
                              > >1) What is this called? (I've heard the term SSL (Secure Socket Layer)
                              > >tossed around, I don't know if this is the same or something different).
                              > >
                              > >2) If I need a certificate of some sort for our server, how do I get it?
                              >
                              > For those two questions, see:
                              >
                              > http://www.iisfaq.com/default.aspx?View=P20&P=145
                              >
                              > But if you're asking these questions, think twice about doing this.
                              > When you screw it up and credit card numbers leak out, you'll lose
                              > your customer base pretty darned quick. Use a payment processing
                              > service instead.
                              >
                              > Jeff


