Encryption / Sicure

90Nz0

I've developed a Shopping Cart (/catalog / the-whole-shibang) for the http://www.skateattack.biz .

Everything works fine (except a little slow, will post again about that :p) - except I would like for it to have some kind of PGP or SSL on it.

When you submit your cart, it sends an email out to two address ('Skate Attack' and 'User') with all the details. Then when Skate Attack recives the email - they put the order through the credit-card machine and continue on with there buisniss logic for Mail Order.

I need some kind of sicurity - how would I impliment PGP with this?
Is there another way to go about it, that'll be sicure?
How exacly does SSL work/Get implimented? (is it just adding that '1' onto the end of the cookie?)

If you can point me to some articals or something, or give me any tips/advice - it would be fan-tas-tic.

Cheers.

acidbox

first you have to buy a SSL certificate. The best deal I have found is from www.geotrust.com. After, you have to install the certificate on your server, if you run a web based panel like ensim, plesk, or cobalt, it is very easy to install a certificate from inside there. Once you have done that, you just need to point your customers to [url]https://[/url] instead of [url]http://.[/url] This will make all data become 128 bit-encrypted.

The next thing you want to do, is check to see if the browser is USING the SSL encryption. It is very easy for someone to manually type in [url]http://[/url] instead of [url]https://.[/url] So you have to use a bit of code, similar to the following:

<?php
		if (($_SERVER['HTTPS']) != "on")
			{
				?>
				<script language="JavaScript"> 
					<!-- 
					location.reload("<? echo("https://www.yourdomain.com"); 
					//--> 
				</script>
				<?
			}
?>

That will automatically refresh the page if SSL is not active on a page you want it to be active on.

As far as encrypyting actual cookies, you can use md5() to encrypt the data you plan to store BEFORE you store it. Then, when u check to see if it is valid, compare the now-encrypted cookie to an encrypted verison of the data u want to authenticate.

Hope that helps some.

90Nz0

Thanks, I currently do actualy use

md5(date ("l dS of F Y h:i:s A"));

to do that.

So, is it automiticly enabled on HTTPS? What does it exacly do?

How would I then impliment the PGP on it? is there a simple function that I could use?

superwormy

Don't know about PGP, but SSL is just a protocal, basically its a secure version of HTTP.

You access your secure pages by visiting:
https://www.whatever.com/

INSTEAD OF:
http://www.whatever.com/

You don't need any special functions to have SSL encryption. The only time you need SSL is when the person is submitting their credit card number to you ( or other sensitive data ), otherwise theres no need. Just have the form post to [url]HTTPS://[/url] instead of [url]HTTP://[/url]

Note that I hope you are not emailing credit card numbers to the people who run teh cards... because email is not secure at all. You should store them in a database encryped with crypt() or something simliar.

90Nz0

Would it be a problem/bad to just host the whole thing on the HTTPS to make life easy?

I would'nt send the USER any CreditCard details, just everything else. However, all the details will be sent (in PGP form) to the SHOP

superwormy

[url]HTTPS://[/url] ( SSL ) is much slower than regular HTTP because of the encryption. You could just do the whole site using https, its just not generally a recomended / professional way to do things.

90Nz0

Thanks.

What's the best way to send the data in a sicure format to an E-Mail ?

superwormy

You SHOULD NOT send sensitive data through E-Mail.

Period.

You can send encrypted emails, I don't know how. Further though, email is unreliable, you won't be able to tell if the email ever actually arrived anyway. Store the sensitive information in a database, or even in text files on the server ( NOT INSIDE THE WWW DIRECTORY WHERE PEOPLE CAN GET AT THEM! ) and have them login over HTTPS to access the data.

90Nz0

Unfortunatly that is not practical for buisniss logic.

The SHOP user just leaves Outlook open, and when it arives, Decrypts via PGP, and places the order into process. The computer is just behind the till - there is not a dedicated member of staff to deal with it.

They don't want it to be web-bassed.

if im making any sence.

superwormy

http://216.239.39.100/search?q=cache:tlr7oCON5lsC:www.emkdesign.com/doc/openssl_pkcs7_encrypt.pdf+php+encrypted+email&hl=en&ie=UTF-8

http://www.phpuk.org/code.php

90Nz0

Thank you, i'll have a looky now.

I like that PDF - 2 - HTML thinggy, did'nt know google does that, could be usefull (/me writes down in ToDo log)

mcgruff

Think of the damage that could be caused to your professional reputation if some customer credit card numbers got stolen.

Not only that, it's a little nick in the reputation of php as a secure language and the whole damn internet as a safe place to do business. Half-assed developers screw it up for everyone (Microsoft for example).

It's absolutely essential that you are at an expert level with php - and many other subjects - before you even think about creating an online shop.

There's about a million things to consider: variable poisoning, php set up, securing your database, encryption, cookie forging, network sniffing, shared host...

Would you give your credit card number to a shop where the programmer was asking about basic security measures on a bulletin board?

If you are asking questions you are not ready - but keep asking and one day you will be.

Sorry to be so blunt but it's all got to be said. Good luck.