PGP/GPG Decryption Question

Discussion in 'General Discussion' started by dkz, Oct 27, 2004.

  1. dkz

    dkz Well-Known Member

    Hey,

    I'm setting up a new hosting account for a web design customer of mine and she manually enters credit card information for payment. What I want to do is use SSL for the order form and then use simplesecure to encrypt the entered content and then e-mail it off to her. I got this far but have not been able to figure out how to decrypt the data once e-mailed. For those of you who don't know what simplesecure is, it is a form system that can encrypt data in a few different ways and then e-mail it to someone.

    Any suggestions or program suggestions you may have would be a great help...
     
    #1 dkz, Oct 27, 2004
    Last edited: Oct 27, 2004
  2. chirpy

    chirpy Well-Known Member

    Well, you need to have something in your email client to decrypt the email. For example, PGP http://www.pgp.com

    You should generate a key pair on the PC, not on the server. Then add the public key to the user's gnupg keyring on the server. Use that key to encrypt the outgoing emails. This way only the user can decrypt the emails. If you do this the wrong way round with the private key on the server, it makes it pointless as then anyone who hacks into the account can decrypt everything.

    One word of warning. Though this does help with security of CC data, it still isn't secure. Should someone hack the site, they could easily just amend the script that generates the encrypted email to send it to themselves in cleartext. The best solution is always to use a third party CC processor.
     
    #2 chirpy, Oct 28, 2004
    Last edited: May 29, 2006
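
The key split described in post #2, as an added example that is not part of the original thread: the key pair is generated in one GnuPG home (the PC), only the public key is imported into the other (the server), and the server can then encrypt but not decrypt. The address `orders@example.test`, the message text and the temporary directory layout are assumptions made for the demo.

```shell
#!/bin/sh
# Added example. Two throwaway GnuPG homes stand in for the customer's PC
# and the hosting account; the address and message are constructed.
KEY_ID='orders@example.test'

split_key_demo() {
    work=$(mktemp -d) || return 1
    pc="$work/pc"; server="$work/server"
    mkdir -m 700 "$pc" "$server" || return 1

    # 1. On the PC: generate the key pair. The empty passphrase only keeps
    #    this demo non-interactive; a real key should have one.
    gpg --homedir "$pc" --batch --quiet --pinentry-mode loopback \
        --passphrase '' --quick-generate-key "$KEY_ID" 2>/dev/null || return 1

    # 2. Only the public half travels to the server.
    gpg --homedir "$pc" --batch --armor --export "$KEY_ID" > "$work/pub.asc"
    gpg --homedir "$server" --batch --quiet --import "$work/pub.asc" \
        2>/dev/null || return 1

    # 3. On the server: encrypt the outgoing mail body to that key.
    #    --trust-model always: the imported key carries no local trust.
    printf 'order 1042: constructed test payload\n' |
        gpg --homedir "$server" --batch --quiet --armor --trust-model always \
            --recipient "$KEY_ID" --encrypt > "$work/mail.asc" || return 1

    # 4. The server holds no secret key, so decryption there must fail.
    if gpg --homedir "$server" --batch --quiet --decrypt "$work/mail.asc" \
        >/dev/null 2>&1; then
        server_result=decrypted
    else
        server_result=refused
    fi

    # 5. Back on the PC, the private key recovers the message.
    pc_plain=$(gpg --homedir "$pc" --batch --quiet --pinentry-mode loopback \
        --passphrase '' --decrypt "$work/mail.asc" 2>/dev/null)

    gpgconf --homedir "$pc" --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    printf '%s|%s\n' "$server_result" "$pc_plain"
}

split_key_demo
```

The function prints the server's decryption outcome and the plaintext recovered on the PC, separated by `|`. It requires GnuPG 2.1 or later.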
  3. dkz

    dkz Well-Known Member

    I figured out the problem I was having. The script I was using was not encrypting the data properly. I used another script and it all worked. So then what's the answer for security if a 3rd party processor is not an option?
     
  4. chirpy

    chirpy Well-Known Member

    The solution you are using is probably as secure as you're going to get without a third party processor being involved. You should just be aware of the limitations of it :)
     
  5. HappyPappy

    HappyPappy Active Member

    Wouldn't the answer be to make sure the mail script is permanently encrypted on the server? That way, when the form is activated it actually activates a quick little decrypt program to enable the form mail script to work.

    This is exactly what I am hunting for at the moment - a way to keep a cgi file encrypted on the server to prevent prying eyes from seeing or hacking it.

    Cheers
     
  6. chirpy

    chirpy Well-Known Member

    You can't encrypt a Perl CGI script unless you compile it in binary; the best you can do is to encode it, which is "security through obscurity" and isn't good enough for CC information. Even then, a hacker could simply replace the binary CGI with a hacking script and syphon off the CC details in a kind of man-in-the-middle hack.
     
  7. rs-freddo

    rs-freddo Well-Known Member

    It's worth noting that if they've hacked the site they can quite easily amend your ecommerce app to point to a fake 3rd party processor and get people's credit cards that way. Using a 3rd party processor will not make any difference if your site is hacked.
     
  8. dave9000

    dave9000 Well-Known Member

    I would check on the Visa/Mastercard regs concerning this, as I do not believe they will allow CC info to be e-mailed even if encrypted.
     
  9. chirpy

    chirpy Well-Known Member

    Indeed. It can be a can of worms ;)
     