[Date Prev][Date Next][Thread Prev][Thread Next][Minivend by date
][Minivend by thread
]
Re: Encrypting entire order file
****** message to minivend-users from Larry Leszczynski <larryl@furph.com> ******
Hi Erik -
> I like the simplicity of your solution, as I had tried to encrypt the
> whole order (using PGP/MIME) with no success myself.
>
> Won't this leave a security exposure? As I understand minivend, it uses
> EncryptProgram to encrypt the CC as soon as it receives it. Then when the
> order gets built it just includes the encrypted ccinfo.
>
> Doesn't your solution mean that the ccinfo will be unencrypted in the
> session db?
Unfortunately, yes. We added some code to bin/minivend so that after an
order is completed, the session is cleared (as if the customer had
"cancelled"), but the info is in the session between the time it is first
submitted by the user and when they complete the check out (or when the
session is expired later in the day).
In this case the merchant was unable to open the pgp-encrypted attachments
in his mail program, and requested a single encrypted email (like John's
client). Given the merchant's level of technical expertise (basically
zero), the low volume of traffic at his site (a couple purchases a week),
and other security measures already in place on that machine and the
network in general, we felt that is was an acceptable but less-than-ideal
tradeoff.
I think a better approach would be some modifications to MiniVend that
still allow use of EncryptProgram to pgp-encrypt the CC info into the
session, but de-crypt before inserting into the email as long as PGP is
specified to encrypt the entire email. I will post code changes when I
get the time to work on it...
Larry
> > Hi John -
> >
> > > So, the question is, does anyone have an orderfile being delivered
> > > that is totally encrypted as one document( not an attachment )?
> > >
> > > Actually, the question is, can you share your knowledge with me ? :)
> >
> > I have one catalog doing that, which sets:
> >
> > PGP /usr/local/bin/pgp -feat __ORDERS_TO__ 2>/dev/null
> > EncryptProgram /bin/cat
> >
> > (Honestly, I don't remember why I set EncryptProgram to /bin/cat.
> > I think when it was set to pgp, I had pgp-encrypted stuff inside
> > pgp-encrypted stuff.)
> >
> > The ord/report.html pages looks like:
> > ---------------------------------------------
> > Referer: [data session referer]
> > Credit Info: [value mv_credit_card_info]
> > [include file="pages/ord/receipt.txt"]
> > ---------------------------------------------
> >
> > There are no mime tags, it all goes as a single page email. I took all
> > the customer shipping/billing info and item-list tags (initially from the
> > demo catalog pages) and put them into ord/receipt.txt. This gets included
> > into both ord/report.html (the emailed part) and ord/receipt.html (the
> > onsceen receipt seen by the customer) so I only have to make changes in
> > one place to affect both emailed ond onscreen receipts. The onscreen
> > receipt does not include the mv_credit_card_info tag, however.
> >
> >
> >
> > Larry Leszczynski
> > larryl@furph.com
> > --
> > furph, Inc. WWW/Unix/Windows Solutions 734-513-7763 (voice)
> > info@furph.com http://www.furph.com 734-513-7759 (FAX)
> >
>
>
Larry Leszczynski
larryl@furph.com
--
furph, Inc. WWW/Unix/Windows Solutions 734-513-7763 (voice)
info@furph.com http://www.furph.com 734-513-7759 (FAX)
-
To unsubscribe from the list, DO NOT REPLY to this message. Instead, send
email with 'UNSUBSCRIBE minivend-users' in the body to Majordomo@minivend.com.
Archive of past messages: http://www.minivend.com/minivend/minivend-list
