Luigi Donatello Asero said:
Beauregard T. Shagnasty said:
On a normal page, it [https] is useless.
Just to mention a few things:
1) it is important that the user can send data through the encryption so that
confidential data cannot be intercepted as easily
If the data being sent actually _is_ confidential, then sure.
2) it is also important that the user can identify who offers a product or a
service. A https protocol says that the site
https://www.scaiecat-spa-gigi.com is really this and not some other.
This is important for all the pages.
If this is of such pressing importance, why is it that so few sites that
live and breathe by the trust their customers have in them bother to use
https for the entire site? Example: my employer (you've heard of them)
is fanatical about securing customer data, and about security in
general. But for just looking around the site, doing searches, adding
items to a cart, etc., plain ol' http is used. It's important to secure
against risk, but it's also important to objectively identify where the
risk is.
The user should wait for my answer anyway, that means, that I open the data
base, take the number and so on.
How secure _is_ that database, by the way? Does it have any sort of
password protection? How secure is the password and how often is it
changed?
Are the credit card numbers highly encrypted *in* the database? No? Then
couldn't some enterprising young thief simply extract the plain-text
credit card number from the database and start charging? (Answer: yes.)
If you have to bring the credit card number up on your screen in
plain-text, what is to stop some enterprising young thief from
screen-scraping it? (Answer: precious little.)
It seems to me that if you're really concerned about security and
safe-guarding your customers' valuable data, it's issues like those that
you ought to be worrying about, not about someone somehow corrupting
your sales information pages. That is a minuscule threat. Extracting
plain-text credit card numbers from any sort of data store is a real and
present threat.
Last but not least, is it necessary to get a special permission from Visa to
get the money by credit cards?
Yes, you need an account with them. Also, be aware that credit card
companies charge their clients (that'd be you) a small surcharge:
usually several percent of the amount charged will go to the credit card
company and not to yourself.