PGP/GPG Decryption Question

dkz

Well-Known Member
Sep 10, 2004
100
0
166
Hey,

I'm setting up a new hosting account for a web design customer of mine and she manually enters credit card information for payment. What I want to do is use SSL for the order form and then use simplesecure to encrypt the entered content and then e-mail it off to her. I got this far but have not been able to figure out how to decrypt the data once e-mailed. For those of you who don't know what simplesecure is, it is a form system that can encrypt data in a few different ways and then e-mail it to someone.

Any suggestions or program suggestions you may have would be a great help...

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
13,466
30
473
Go on, have a guess
Well, you need to have something in your email client to decrypt the email. For example, PGP http://www.pgp.com

You should generate a key pair on the PC, not on the server. Then add the public key to the user's gnupg keyring on the server. Use that key to encrypt the outgoing emails. This way only the user can decrypt the emails. If you do this the wrong way round with the private key on the server, it makes it pointless as then anyone who hacks into the account can decrypt everything.

One word of warning. Though this does help with security of CC data, it still isn't secure. Should someone hack the site, they could easily just amend the script that generates the encrypted email to send it to themselves in cleartext. The best solution is always to use a third party CC processor.
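The key handling chirpy describes above, as an added example that is not part of the thread: two throwaway GnuPG home directories stand in for the owner's PC and the web server. The user ID, address and order text are constructed, and the key has an empty passphrase only so the demo runs unattended.

```shell
#!/bin/sh
# Added example (not from the thread). Two throwaway GnuPG home directories
# stand in for the owner's PC and the web server; all names are constructed.
# Run the whole walk-through with:  sh <this-file> run
OWNER_UID='Shop Owner <owner@example.test>'
OWNER_EMAIL='owner@example.test'

setup_keyrings() {
    WORK=$(mktemp -d) && PC="$WORK/pc" && SRV="$WORK/server"
    mkdir -m 700 "$PC" "$SRV"
    # PC: generate the key pair. The empty passphrase is only so the demo
    # runs unattended; a real key should be passphrase-protected.
    gpg --homedir "$PC" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$OWNER_UID" default default never
    # Only the public half is exported and copied to the server.
    gpg --homedir "$PC" --batch --armor --export "$OWNER_EMAIL" > "$WORK/owner-pub.asc"
    gpg --homedir "$SRV" --batch --quiet --import "$WORK/owner-pub.asc"
}

# Server: encrypt stdin to the owner's public key (the form mailer's job).
server_encrypt() {
    gpg --homedir "$SRV" --batch --quiet --trust-model always --armor \
        --recipient "$OWNER_EMAIL" --encrypt
}

# Number of private keys on the server keyring; this must stay 0.
server_secret_keys() {
    gpg --homedir "$SRV" --batch --list-secret-keys --with-colons | grep -c '^sec' || true
}

# Succeeds only if the given home directory holds the matching private key.
decrypt_with() {
    gpg --homedir "$1" --batch --quiet --decrypt "$2" 2>/dev/null
}

cleanup() {
    for d in "$PC" "$SRV"; do GNUPGHOME="$d" gpgconf --kill all 2>/dev/null || true; done
    rm -rf "$WORK"
}

demo() {
    setup_keyrings
    printf 'order 1001: card data placeholder\n' | server_encrypt > "$WORK/order.asc"
    echo "private keys on server: $(server_secret_keys)"
    decrypt_with "$SRV" "$WORK/order.asc" || echo "server cannot decrypt its own mail"
    echo "PC decrypts: $(decrypt_with "$PC" "$WORK/order.asc")"
    cleanup
}

case "${1:-}" in run) demo ;; esac
```

The server keyring can encrypt but never decrypt, which is the property the post relies on; it does nothing about the script-tampering risk raised in the same post.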

dkz

I figured out the problem I was having. The script I was using was not encrypting the data properly. I used another script and it all worked. So then what's the answer for security if a 3rd party processor is not an option?
 

chirpy

The solution you are using is probably as secure as you're going to get without a third party processor being involved. You should just be aware of the limitations of it :)
 

HappyPappy

Active Member
Mar 17, 2002
44
0
306
chirpy said:
The solution you are using is probably as secure as you're going to get without a third party processor being involved. You should just be aware of the limitations of it :)
Wouldn't the answer be to make sure the mail script is permanently encrypted on the server? That way, when the form is activated it actually activates a quick little decrypt program to enable the form mail script to work.

This is exactly what I am hunting for at the moment - a way to keep a cgi file encrypted on the server to prevent prying eyes from seeing or hacking it.

Cheers
 

chirpy

You can't encrypt a perl CGI script unless you compile it in binary; the best you can do is to encode it, which is "security through obscurity" and isn't good enough for CC information. Even then, a hacker could simply replace the binary CGI with a hacking script and syphon off the CC details in a kind of man-in-the-middle hack.
 

rs-freddo

Well-Known Member
May 13, 2003
834
1
168
Australia
cPanel Access Level
Root Administrator
chirpy said:
One word of warning. Though this does help with security of CC data, it still isn't secure. Should someone hack the site, they could easily just amend the script that generates the encrypted email to send it to themselves in cleartext. The best solution is always to use a third party CC processor.
It's worth noting that if they've hacked the site they can quite easily amend your ecommerce app to point to a fake 3rd party processor and get people's credit cards that way. Using a 3rd party processor will not make any difference if your site is hacked.
 

chirpy

rs-freddo said:
It's worth noting that if they've hacked the site they can quite easily amend your ecommerce app to point to a fake 3rd party processor and get people's credit cards that way. Using a 3rd party processor will not make any difference if your site is hacked.
Indeed. It can be a can of worms ;)