How to get a Secure Web Page?

Anchorman

I have no idea where to start on this. We have a need to allow our users to
enter Credit Card #'s on a web page, so we need a secure page (have the
little lock at the bottom of the browser) in order to do this.

1) What is this called? (I've heard the term SSL (Secure Socket Layer)
tossed around, I don't know if this is the same or something different).

2) If I need a certificate of some sort for our server, how do I get it?

Thanks for any help you can offer.

Jesse
www.davinci-mims.com
 
Jeff Cochran

I have no idea where to start on this. We have a need to allow our users to
enter Credit Card #'s on a web page, so we need a secure page (have the
little lock at the bottom of the browser) in order to do this.

1) What is this called? (I've heard the term SSL (Secure Socket Layer)
tossed around, I don't know if this is the same or something different).

2) If I need a certificate of some sort for our server, how do I get it?

For those two questions, see:

http://www.iisfaq.com/default.aspx?View=P20&P=145

But if you're asking these questions, think twice about doing this.
When you screw it up and credit card numbers leak out, you'll lose
your customer base pretty darned quick. Use a payment processing
service instead.

Jeff
 
Aaron Bertrand - MVP

When you screw it up and credit card numbers leak out, you'll lose
your customer base pretty darned quick.

Or worse. (Think lawsuit, fines, prison, etc.)
 
Aaron Bertrand - MVP

it). In addition, you should look into encrypting the credit card info
before storing it in the database. Check out ASPEncrypt
(www.aspencrypt.com) for encrypting/decrypting credit card data.

Well, if you need to keep the data, you will also need to decrypt it. And
if you can decrypt it, so can someone else. I love the use of quotes around
the word "secret" to describe where to store the encryption key in the
registry...
 
Aaron Bertrand - MVP

Well, if you need to keep the data, you will also need to decrypt it. And...

Sure... if they have the decryption key.

My two thoughts were intended to be connected. E.g. you need the decryption
key to decrypt, so let's "hide" it in the registry. In addition, unless you
manually decrypt the data row by row, you must have programmatic access to
the decryption key in order to automate order processing, etc. So a
malicious user doesn't necessarily need to find/know/guess the key to
decrypt the data.
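The point made above, that an application which must decrypt stored card numbers automatically also gives anyone running code as that application access to them, is why the usual advice is not to retain the full number at all. The following is an added illustration, not code from the thread or from any poster: it validates the number the customer typed (Luhn check), then keeps only a masked form plus a processor reference. The `processor_token` value is a placeholder for whatever a payment service would hand back; no real service or API is assumed.

```python
import re
from dataclasses import dataclass
from typing import Optional


def luhn_valid(pan: str) -> bool:
    """True if a digit string passes the Luhn check used by card numbers."""
    digits = [int(c) for c in pan]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(raw: str) -> Optional[str]:
    """Strip spaces and dashes from user input; None if not a plausible number."""
    pan = re.sub(r"[ -]", "", raw)
    if not pan.isdigit() or not luhn_valid(pan):
        return None
    return pan


def mask_pan(pan: str) -> str:
    """Keep only the last four digits; everything else becomes '*'."""
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass(frozen=True)
class StoredCard:
    """What the order record keeps: never the full number, so there is no key to steal."""
    masked_pan: str
    processor_token: str


def retain_for_order(raw_pan: str, processor_token: str) -> Optional[StoredCard]:
    """Validate the entered number, then discard it; persist only mask + token."""
    pan = normalize_pan(raw_pan)
    if pan is None:
        return None
    return StoredCard(masked_pan=mask_pan(pan), processor_token=processor_token)
```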
 
Aaron Bertrand - MVP

True. But perhaps the decryption key could reside on a different server
(for example, behind a firewall on a LAN), where the order processing would
get the key and then send it to the database server? Would that make it any
more secure?

Not really. If someone from outside the firewall/LAN could initiate code
that sends the key to the database server, theoretically, they could
intercept it or initiate it to send it somewhere else. Basically, if you
put the key anywhere in plain view, someone will be able to get to it. It's
just a matter of how much work it will take, and whether the payoff is worth
it (knowledge, time, risk).
 
Aaron Bertrand [MVP]

True, but I don't think that behind a firewall is exactly in plain
view....
except, of course, to anyone else who was behind that firewall (which in
this scenario should only be the order processing folks).

If the whole thing is behind the firewall, then who are you protecting *any*
portion of it from? I was expressing my thoughts because I know of web
sites that have web-based order processing that is done manually, but from
an online admin section of the site, so credit card information is retrieved
from a database (behind a firewall, I would imagine) and presented to an
order gimp through a browser.
 
Aaron Bertrand [MVP]

And I would agree with you that this scenario is not *entirely* secure... I
was just trying to suggest a possible *more secure* method. :)

Yep, I was just making sure that was clear to the OP.
 
Anchorman

I haven't researched credit card payment services much. But, we want to
control what the screen looks like, and present the items in the manner that
we wish to.

You make a very good point, though, and when we get to the point of actually
storing the credit card #'s, and validating transactions, I'll definitely
keep that option in mind.

Jesse
 
Anchorman

BTW, what are some of the services that I can research? Perhaps some
of them will allow me to present the data in my own way. At this point, I'm
just fishing.

Jesse
 
Anchorman

Wow, I never thought of doing what you suggested, "pointing your browser at
a URL for the database and downloading it". I tried that with my web site,
and IT LET ME!! I've browsed around IIS to see how I can prevent this, but
I can't find a setting that I can change. How do I prevent the downloading
of the database?

Thanks,
Jesse
 
Bob Barrows

Anchorman said:
Wow, I never thought of doing what you suggested, "pointing your
browser at a URL for the database and downloading it". I tried that
with my web site, and IT LET ME!! I've browsed around IIS to see how
I can prevent this, but I can't find a setting that I can change.
How do I prevent the downloading of the database?
ASPFAQ is your friend ... if you use it ;-)
http://www.aspfaq.com/show.asp?id=2454

Bob Barrows
 
Don Grover

I used verisign.com.au but I gather they have branches in other places.
The ASP and script samples were excellent and support was good too.
If you need a link, look down at the bottom of
http://www.cokeshop.com.au/cslogin.asp
I put a link there. Their COM object does the encryption, so I did not need an
SSL connection 'for what I did'.

Regards
Don
 
Don Verhagen

----- Original Message -----
From: "Peter Foti" <[email protected]>
Newsgroups: microsoft.public.inetserver.asp.general
Sent: Friday, December 19, 2003 5:54 PM
Subject: Re: How to get a Secure Web Page?

[post snipped]
True, but I don't think that behind a firewall is exactly in plain view....
except, of course, to anyone else who was behind that firewall (which in
this scenario should only be the order processing folks).

Pete

Don't necessarily trust your employees with access to credit card numbers
either. Employees steal more than the general public ever does.

From http://www.fdle.state.fl.us/press_releases/20030711_Brian_Newsome.html
"The investigation revealed that Newsome compromised in excess of 30
victims/credit card account holders of GE Financial/ JC Penney. Newsome was
employed by GE Financial as a customer service representative. Newsome
signed unauthorized individuals to the victims’ accounts. Newsome then
solicited individuals to fraudulently purchase items/gift cards on the
victims’ accounts. Newsome also provided fraudulent identification to
correspond with the various names. Agents of the US Postal Inspection
Service monitored and tracked mail fraudulently diverted by Newsome and/or
his co-conspirators. The investigation further revealed that Screen
assisted Newsome in fraudulent transactions. It is estimated that the loss
to victims is in excess of $100,000"

Just a thought to keep in mind.

Don