Encyption

[JustWondering]

I'm about to setup an encryption page for my web site but I don't have any clue about this. Do you have any sample code or any link that I can look up?

I've heard something about "https" but don't know exactly what it is. After users enter their Creditcard info, they want their data to be encrypted. How can I set this up?

Thanks

 

[palbano]

Do some research on Secure Socket Layer. Ultimately you will implement it in your code by using the https protocol but there is quite a bit more to setting it up then that.

http://www.microsoft.com/windows200.../en/server/help/sag_SEconceptsUnAuthCerts.htm

-pete

 

[JustWondering]

Look like my Web Server supports https. I tried https and got the popup window warning that the page contains both secured and nonsecured items.

So, all I need is to re-direct users to https:// during the purchasing process. Right?

 

[Genimuse]

The "secure and insecure items" message is most commonly the result of one or more graphics on the page that are not specified via relative URLs. That is, instead of referring to the graphic as something like "gfx/mylogo.jpg" the page constains something like "

http://myurl.com/gfx/mylogo.jpg".

As far as "all you need," well, no, probably not. Secure Sockets Layer (properly implemented, with a real certificate and all) will encrypt the data as it travels over the internet. However the credit card number is now (appropriately) unencrypted on your server. If, for example, you just use it to authorize a purchase, sending it to the appropriate authorizing authority (like a credit card processing company) via another secure connection and then you don't store it, you're probably ok. If instead you store the now-unencrypted credit card number on your server then you have a real security risk.

 

[JustWondering]

If my Web Server has SSL Certificate installed, then I don't have to re-direct user to "https" ?

 

[clarkin]

SSL is a standard for encrypting the messages sent between a user's browser and your website. So it protects the user's credit card number when they send it from their browser to your site (probably by hitting a submit button). However, its up to you how you deal with it from then on - SSL doesn't do anything else.

So, as genimuse suggested - why not use the CC number to debit as soon as you get it, store the confirmation details you get back, then forget about the credit card number. Dump it. In fact, make sure your web site never writes it to a file or puts it in a database..

I'm sure if you search about for "security online store" you will find some useful articles.

good luck

 

[Genimuse]

You do need to create links/redirect to "https" -- otherwise the certificate doesn't do anything.

 

[JustWondering]

I really aprreciate all you helps! I have a better understanding about SSL, https.... now.

 

[JustWondering]

I'm still having problems with "https"

I'm in "http" page, when I hit submit button, it depends on the conditions, I will be direct to different "https" page:

If Cond1 then redirect https 1: Works great
If Cond2 then redirect https 2: Works great
If Cond3 then redirect https 3: Got the popup window saying that Iam about to enter to non-secure site. Do I want to enter: Yes, No. If I hit Yes, I am in "https" page.

This doesn't make any sense. It warn me that I'm about to enter non-secure page while I'm trying to enter the secure page.

Can someone please explain to me about this?

Thanks.

 

[JustWondering]

any one?