RE: [mv] more security
Thanks Ben,
And Loy and Christopher (earlier replies).
Having now read all the minivend security documentation and what is
involved with PGP if cc numbers are to be emailed, it all starts to make
sense.
Cheers
Michael
Planet Communications, mwjames Consulting, Pacific Consultants,
mwjames@pl.net , mike@pacificconsult.co.nz
Tel (09) 629 0617
Fax (09) 629 0616
Mob 021 708 460
-----Original Message-----
From: Ben Myles [SMTP:benlm@mail.com]
Sent: Sunday, 14 November, 1999 1:32 PM
To: minivend-users@minivend.com
Subject: RE: [mv] more security
On 12-Nov-99 Michael James wrote:
> Are the security implications different for the following three
> scenarios
> 1. Credit card number collected via the secure server and saved in a
> mail box on the local machine.
I take it you mean the mail is stored on your mailbox on the secure
server? If you telnet in to get it, you're transmitting the details
unencrypted as you read them. If you use SSH to create an encrypted
'tunnel' then this method would be fairly safe. You also need to consider
who else might have access to the mailbox on the server.
> 2. As above but sent to a mailbox on the local network
Most of the above applies here. You can take care of one problem by using
SSH. This method has a somewhat larger security concern since there are
most likely now more people with access to the local network. YMMV
> 3. As 2 above but collected by someone who has a dial up ppp account
> with the server.
The access problem from above applies here also, since, depending on how
often you collect your mail, there will always be people on the remote
machine with physical access. Add to that the fact that the ppp client is
downloading the mail cleartext over the Internet (in the above example we
remedied this by using SSH).
The simplest and most effective option by far is simply to encrypt
everything that needs to remain confidential. Then the issues above don't
really apply, so long as encryption is strong enough and you don't
unencrypt until you have the mail physically on your box.
I'm no security expert, that's just my take. As everyone keeps stressing,
for ultimate security you have to take care of all the weak links.
-Ben
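
An added example, not part of the original thread: the "encrypt everything, decrypt only on your own box" approach, sketched with GnuPG 2.1 or later as the OpenPGP tool (an assumption; the thread only says PGP). The two keyring directories, the recipient address and the order text are constructed for the demo.

```shell
#!/usr/bin/env bash
# Two keyrings stand in for the two machines (hypothetical locations, demo only).
WORK=$(mktemp -d)
DESK="$WORK/desk"      # merchant's own box: holds the private key
SERVER="$WORK/server"  # web/mail server: holds the public key only
mkdir -m 700 "$DESK" "$SERVER"
KEYID="orders@shop.example"   # constructed recipient address

setup_keys() {
  # Key pair is created on the merchant's box (empty passphrase for the demo only).
  gpg --homedir "$DESK" --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$KEYID" default default never 2>/dev/null
  # Only the public half ever goes to the server.
  gpg --homedir "$DESK" --batch --armor --export "$KEYID" |
    gpg --homedir "$SERVER" --batch --quiet --import 2>/dev/null
}

encrypt_order() {  # on the server: order text on stdin, armored ciphertext on stdout
  # --trust-model always: the demo key is unsigned; in practice verify its fingerprint.
  gpg --homedir "$SERVER" --batch --quiet --armor --trust-model always \
      --encrypt --recipient "$KEYID"
}

decrypt_with() {   # $1 = keyring directory, ciphertext on stdin
  gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
      --decrypt 2>/dev/null
}

cleanup() {
  gpgconf --homedir "$DESK" --kill gpg-agent 2>/dev/null || true
  gpgconf --homedir "$SERVER" --kill gpg-agent 2>/dev/null || true
  rm -rf "$WORK"
}
trap cleanup EXIT

setup_keys
ORDER="card=4111111111111111 exp=12/01"   # constructed test number, not a real card
CIPHERTEXT=$(printf '%s' "$ORDER" | encrypt_order)
# What sits in any mailbox or crosses telnet/POP/PPP is only this armored block.
printf '%s\n' "$CIPHERTEXT" | head -n 1
# The server (or anyone reading the mailbox) has no private key: decryption fails.
printf '%s' "$CIPHERTEXT" | decrypt_with "$SERVER" || echo "server: cannot decrypt"
# On the merchant's box the order is recovered.
printf '%s' "$CIPHERTEXT" | decrypt_with "$DESK"; echo
```

In all three scenarios from the question, the stored and transmitted mail is the armored block, so mailbox access and cleartext transport expose only ciphertext.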