
https and encryption 1


bkrike

MIS
Mar 14, 2002
1,681
US
Hi,
I was about to place an order online when I noticed the page I was inputting my credit card info was not an https page. I emailed the site and asked if this was secure, and they claimed that the credit card info would be encrypted. I don’t believe them as it was a very basic site, and I don’t think they even know what https is.

So, my question: is it possible to encrypt form type info, so that it would be hidden at all the hop points along the way, if it was not an https page? Or were they mistaken?

I assume nothing is 100%, but my understanding is that it is not possible to encrypt data I am sending, unless it is https. Of course, I am not a web site designer, so I am asking you guys.
 
HTTP is unencrypted, raw data, and while it is very difficult to steal data in this way it is by no means impossible.
In short - Do Not Touch This Service with a barge pole!
Credit cards should never be handled by any organisation other than banks who have the systems in place to check and verify card details.

Keith
 
bkrike said:
So, my question: is it possible to encrypt form type info, so that it would be hidden at all the hop points along the way, if it was not an https page? Or were they mistaken?

The data might be encrypted on the server, but the data would be sent from your browser to the server in clear text. Using an SSL connection means the data sent from your browser to the server is an encrypted string. If they lack the ability to install an SSL certificate, then you certainly don't want them to have any access to your sensitive details.

audiopro said:
Credit cards should never be handled by any organisation other than banks who have the systems in place to check and verify card details.

So what are you saying here? Nobody should use their credit card to pay for something on the Internet? Nobody should use a credit card to pay for anything?

The bank would be involved somewhere along the way if they are processing the cards, however that doesn't mean you should only provide your credit card details to a bank, you are basically suggesting something that would render the whole point of a credit card useless.

Wullie

Fresh Look - Quality Coldfusion/Windows Hosting

The pessimist complains about the wind. The optimist expects it to change. The leader adjusts the sails. - John Maxwell
 
Thanks Wullie-
That is what I thought, and tried to explain to them in my emails. Though, they never did "get it." I also assumed that whoever originally told this merchant the information was "encrypted," was referring to their servers.

I just wanted to make sure I was not talking out of my butt.
 
What I am saying is that most organisations collect customer name and address details and then connect to a bank's portal for credit card processing.
Wullie said:
Nobody should use a credit card to pay for anything?

Of course I am not saying that.

Wullie said:
The bank would be involved somewhere along the way

Yes to take the credit card details.
What I am trying to point out is that banks control the processing of credit cards very strictly, something which a non bank organisation is unable to do. In addition, in the UK at least, the storage of credit card details falls within the legislation of the Data Protection Act.

Keith
 
audiopro said:
Yes to take the credit card details.
What I am trying to point out is that banks control the processing of credit cards very strictly, something which a non bank organisation is unable to do. In addition, in the UK at least, the storage of credit card details falls within the legislation of the Data Protection Act.

So again, are you saying that a credit card should not be used on the Internet? Many retailers accept cards and process them in compliance with security requirements, however they are not banks.

If you only dealt directly with banks, you would have virtually nowhere on the Internet that you could deal with. Paypal is not a bank, Worldpay is not a bank, none of the payment processors are likely to be banks. They all process the payments through the banks, however they are not banks themselves, just like the retailer that accepts your card and then processes it.

When you walk into a shop to pay by credit card, what is to say the person behind the counter is not taking an imprint of your card? When you call a company to pay by credit card, what is to say the guy on the other end of the phone isn't writing the details on a piece of paper that will just sit around the office? (I know at least 1 major UK company that does this)

Banks are involved in the process, however saying that you should only provide the details directly to a bank is misleading because it simply isn't practical.

Wullie

 
Wullie said:
They all process the payments through the banks, however they are not banks.

I am well aware they are not banks but they use banks to process the cards, they do not process cards themselves, which was my original point.


Keith
 
You said credit cards should never be handled by anyone other than the bank, how exactly does the bank get the details then?

Wullie

 
Via the bank's portal which most payment web sites link to once they have gathered the order information, shipping address and special instructions. The bank then returns a confirmation to the merchant that payment has been confirmed. At least this is the way we do it on the dozen or so sites we have set up.
The whole point of my reply was to point out that if a credit card number is not passed via a https then it is not being submitted to a bank and is by no means secure.
We have to do all we can to prevent credit card fraud.

Keith
 
audiopro said:
The whole point of my reply was to point out that if a credit card number is not passed via a https then it is not being submitted to a bank and is by no means secure.

How can you possibly say that? You don't know how their backend system works. Just because the user doesn't enter their details through SSL doesn't mean the data is not being submitted to a bank.

I'm not disputing the fact that it is insecure to submit details through HTTP, however your blanket statements are not doing anyone any favours because you are commenting on things you have no idea if you are correct on or not.


Wullie

 
None of the banks we deal with (the top 4 UK banks) will entertain a non secure connection. In fact they insist on additional security features as well as encryption. The banks also check out the merchant's web site before putting the payment connection live.
I am only passing on information I know to be correct.


Keith
 
audiopro said:
None of the banks we deal with (the top 4 UK banks) will entertain a non secure connection. In fact they insist on additional security features as well as encryption. The banks also check out the merchant's web site before putting the payment connection live.
I am only passing on information I know to be correct.

That's all fair and well, but what is to say that they didn't have SSL setup originally? What is to say this isn't a secondary website that the bank isn't aware of? How do you know they are not accepting the details on the site and then manually entering them into a payment gateway account?

Your comments are blanket statements as if everything is black and white. The only obvious thing here is that the user-to-server connection is not secure for credit cards, however the rest of it is speculation because you have absolutely no way of knowing how the background process works here.

Wullie

 
Wullie said:
What is to say this isn't a secondary website that the bank isn't aware of?

Where are we going with this discussion?
The site has a huge security hole in it, yet you are trying to justify their existence.


Keith
 
audiopro said:
Where are we going with this discussion?
The site has a huge security hole in it, yet you are trying to justify their existence.

Considering I have said many times that it is not secure and the OP should not trust them with the data, I don't see where I am justifying the lack of SSL. Try reading my posts and you will see this.

I am commenting on your statements that are totally false. At least one of your comments was discriminating against a huge amount of companies on the Internet. If you post statements like you did above on a public forum, you need to expect someone to pull you up on them.

I don't like the idea of someone reading this thread and thinking it is advisable not to deal with any company that accepts cards directly on their website, which your original post clearly stated you should not do because they are not a bank. You then proceeded to say that they were not processing the data through a bank because they were not using SSL on their site, which again is speculation.

Wullie

 
Might I point out that I recently came across an ecommerce site that embedded an external payment system within a frameset.

Since the frameset was not hosted on a secure server it appeared that the transaction would not be secure.

However, closer inspection revealed that the frame content, the actual form, was hosted on a secure server.

Not a great idea, and not confidence inducing but secure all the same.

Or is it? You tell me!


Another example.

HSBC's secure e-trading payment gateway does NOT explicitly require an SSL connection to INITIATE a transaction. However, with HSBC you do not send card details from your site to theirs. The card info is entered on their site instead, which is done over a secure connection.
You DO need to return the customer to a secure page on your site though as there is some sensitive information passed back to the site from HSBC.


For the original poster.
In short ANY transaction that contains sensitive information such as Credit Card details should be conducted over a secure connection. So long as the page where you actually enter your card info is secure (and any consequent pages where the number would then be available) then you will be ok.

Foamcow Heavy Industries - Web design and ranting
Target Marketing Communications - Advertising, Direct Marketing and Public Relations
I wonder what possesses people to make those animated gifs. Do you just get up in the morning and think, "You know what web design r
 
Foamcow said:
Might I point out that I recently came across an ecommerce site that embedded an external payment system within a frameset.

Just to confuse the situation further, go to the Macromedia site and run through the order process, there is no SSL certificate in sight when you enter your Credit Card details, the encryption is done through flash.

Wullie

 
If you right click and do properties on the frame the URL should appear as https, so although the padlock isn't there on the main browser window you can still see if the frame has SSL.

You could also run the URL through Verisign (or whoever they claim to be using) and see if they even own a cert.

If they are using SSL then they should have a site seal somewhere on their site to tell you who they use, this links to their certificate. This doesn't prove that they are using it but should prove that they own one.
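The posts above boil down to one check a buyer (or a merchant auditing their own checkout) can make: does the form or frame that actually carries the card number submit to, or load from, an https URL, regardless of whether the outer page shows a padlock? The script below is an added example written for this thread, not code from any of the posters or from Tek-Tips. It parses a constructed checkout page (the http page, the card form, the frame pulling the payment form from a secure host, and a protocol-relative iframe are all made up for the sample) and reports, for each form and frame, the fully resolved target URL and whether it uses https. Relative and empty actions are resolved against the page URL, since an empty action posts back to the page itself, and the `SENSITIVE_FIELDS` list is just a heuristic chosen here to pick out card-entry forms.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: an http:// checkout page containing a card form that
# posts over https, a second card form that posts back to the plain-http site,
# a frame loading the payment form from a secure host (the frameset case
# discussed in the thread), and a protocol-relative iframe that inherits the
# outer page's http scheme.
SAMPLE_PAGE_URL = "http://shop.example/checkout"
SAMPLE_HTML = """
<html><body>
<form action="https://pay.example/submit" method="post">
  <input name="cardnumber"><input name="expiry">
</form>
<form action="/order" method="post">
  <input name="ccnum">
</form>
<frameset><frame src="https://pay.example/card-form"></frameset>
<iframe src="//cdn.example/widget.html"></iframe>
</body></html>
"""

# Heuristic substrings (an assumption of this example) that mark a form as
# collecting card details.
SENSITIVE_FIELDS = ("card", "ccnum", "cvv", "cvc", "expir")


class SubmissionCollector(HTMLParser):
    """Collect each form's action and input names, plus every frame/iframe src."""

    def __init__(self):
        super().__init__()
        self.forms = []      # list of {"action": str, "fields": [str, ...]}
        self.frames = []     # list of src attribute values
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append(a.get("name") or "")
        elif tag in ("frame", "iframe") and a.get("src"):
            self.frames.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def looks_sensitive(fields):
    """True if any input name contains one of the card-related substrings."""
    return any(k in f.lower() for f in fields for k in SENSITIVE_FIELDS)


def audit_page(page_url, html):
    """Return (kind, resolved_url, uses_https) for every form and frame on the page.

    kind is "card-form" for forms whose inputs look like card fields,
    "form" for other forms, and "frame" for frame/iframe sources.
    """
    parser = SubmissionCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        # urljoin resolves relative actions; an empty action resolves to page_url.
        target = urljoin(page_url, form["action"])
        kind = "card-form" if looks_sensitive(form["fields"]) else "form"
        findings.append((kind, target, urlsplit(target).scheme == "https"))
    for src in parser.frames:
        target = urljoin(page_url, src)
        findings.append(("frame", target, urlsplit(target).scheme == "https"))
    return findings


def insecure_card_forms(page_url, html):
    """The targets of card-entry forms that would send the card number in clear text."""
    return [url for kind, url, ok in audit_page(page_url, html)
            if kind == "card-form" and not ok]


if __name__ == "__main__":
    for kind, url, ok in audit_page(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{kind:10} {'https' if ok else 'PLAIN':5} {url}")
    print("card forms over plain HTTP:", insecure_card_forms(SAMPLE_PAGE_URL, SAMPLE_HTML))
```

On the sample page the script flags the `/order` form (it inherits the page's http scheme) and the protocol-relative iframe, while the form posting to `https://pay.example/submit` and the frame served from `https://pay.example/card-form` pass. One caveat worth keeping in mind when reading the output: a passing form or frame only tells you the card data itself travels encrypted, as Wullie describes for the frameset case; it says nothing about how the merchant handles the data once it arrives, which is exactly the part of the thread nobody on the outside can verify.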
 
Sorry Wullie, I feel we are both arguing the same point but from different directions so I am apologising if I have caused any upset.
Just as an aside:-
The only credit card fraud I have been involved in took place over a very secure SSL and was only discovered during a company audit. Even the card holder wasn't aware of it.

Keith
 