[ic] Dumb security question

Mike Heins mikeh@minivend.com
Fri, 30 Mar 2001 18:34:36 -0500


Quoting Jonathan Melhuish (jonathanmelhuish@email.com):
> I'd be interested in knowing how to set up a system like this, too.  I want to
> be able to just send a confirmation email to my sales rep, who will then log
> in via a secure connection to retrieve credit card details.
> 
> I know Linux is supposed to be secure, and that any file with the permissions
> set correctly should only be visible to authorised users, but would it not be
> sensible to encrypt the data, just in case?  The data should also be deleted
> automatically once the rep has retrieved it.
> 
> Does IC have this facility?  I would have thought it would be a fairly
> standard setup.  Has anybody found a way to implement it?

Nope. Because unless you write a complicated and potentially insecure
script to decrypt the card, you have to store the credit card number
in the clear on the disk. We don't do that. If you want to figure it
out yourself and do it, so be it, but we certainly won't help.

One way to do it is to use https and pass a GPG pass-phrase that way
every time, but that is not really secure either.

We encourage the use of GPG/PGP as the means of getting credit card
numbers. That, you can do with Interchange. In fact, it is even quite
convenient with a mailer like Eudora, which only prompts you once no
matter how many emails you open in the same session.

-- 
Red Hat, Inc., 131 Willow Lane, Floor 2, Oxford, OH  45056
phone +1.513.523.7621 fax 7501 <mheins@redhat.com>

Nature, to be commanded, must be obeyed. -- Francis Bacon
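
The GPG arrangement recommended in the reply, sketched as an added example (not part of the original post and not Interchange's own code): the web server holds only the sales rep's public key, so the card number it writes or mails can be decrypted only on the rep's machine. It assumes GnuPG 2.1 or later; the address, file names and card number are constructed.

```shell
#!/usr/bin/env bash
# Added illustration (GnuPG 2.1+). Address and card number are constructed.
REP='rep@example.com'

# Rep's workstation: create the key pair in keyring $1. Empty pass-phrase
# for the demo only; a real key is pass-phrase protected.
make_rep_key() {
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "Sales Rep <$REP>" default default never
}

# Rep's workstation: write only the PUBLIC key from keyring $1 to file $2.
export_public() { gpg --homedir "$1" --batch --armor --export "$REP" > "$2"; }

# Web server: import public key file $2 into keyring $1.
import_public() { gpg --homedir "$1" --batch --quiet --import "$2"; }

# Web server: encrypt stdin to the rep with keyring $1.
# --trust-model always: the admin installed this key, so skip web-of-trust.
encrypt_for_rep() {
    gpg --homedir "$1" --batch --quiet --armor --trust-model always \
        --encrypt --recipient "$REP"
}

# Decrypt stdin with keyring $1; fails if that keyring holds no secret key.
decrypt_with() {
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback \
        --passphrase '' --decrypt
}

# Whole flow in two throwaway keyrings; prints what the rep decrypts.
demo() {
    local rep srv out card='4111111111111111'   # standard test number
    rep=$(mktemp -d) || return 1
    srv=$(mktemp -d) || return 1
    make_rep_key "$rep" && export_public "$rep" "$srv/rep.asc" &&
        import_public "$srv" "$srv/rep.asc" || return 1
    printf '%s' "$card" | encrypt_for_rep "$srv" > "$srv/order.asc" || return 1
    # The server holds only the public key, so it cannot read its own output.
    if decrypt_with "$srv" < "$srv/order.asc" >/dev/null 2>&1; then
        echo 'server keyring can decrypt: secret key present' >&2; return 1
    fi
    out=$(decrypt_with "$rep" < "$srv/order.asc") || return 1
    rm -rf "$rep" "$srv"
    printf '%s\n' "$out"
}

if [ "${1:-}" = '--demo' ]; then demo; fi
```

Run it with `--demo` to see the round trip; the failed decrypt on the server keyring is the property that makes storing or mailing `order.asc` different from storing the number in the clear.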