NoName Posted June 17, 2004 Share Posted June 17, 2004 Hi, I have a question, when you enter your creditcard info in checkout_payment.php and then post it to checkout_confirmation.php. Using the default creditcard module, or ipayment or something similar. Is posted from one page to the other in cleartext? Or how does it work? It is useless if it's posted in cleartext as it is a major security hazard I believe. thanks in advance. Quote Link to comment Share on other sites More sharing options...
NoName Posted June 17, 2004 Author Share Posted June 17, 2004 (edited) Hmm, I looked through the code in the checkout_payment.php page and when building the link to checkout_confirmation.php, tep_href_link uses some 'SSL' stuff... But what does it do? I'd sell my soul for some documentation... ;) Edited June 17, 2004 by NoName Quote Link to comment Share on other sites More sharing options...
Guest Posted June 17, 2004 Share Posted June 17, 2004 You must have an SSL certificate installed on your server and osCommerce configured for this - SSL encrypts the entire checkout/account processes :) Matti Quote Link to comment Share on other sites More sharing options...
NoName Posted June 17, 2004 Author Share Posted June 17, 2004 (edited) I suspected that might be the case. :( But the smart thing to do here would be to not post any creditcardinfo in the osc-site, just have the user fill in the creditcardinfo as a last step and then with confirm take the customer to the creditcardpayment company....? That way shopadmins would not have to bother with SSL and creditcard companies that would like to make a plugin to osc would just have to provide users with a dialog and and SSL-proxy on their side. :) Edited June 17, 2004 by NoName Quote Link to comment Share on other sites More sharing options...
Mark Evans Posted June 17, 2004 Share Posted June 17, 2004 I suspected that might be the case. :( But the smart thing to do here would be to not post any creditcardinfo in the osc-site, just have the user fill in the creditcardinfo as a last step and then with confirm take the customer to the creditcardpayment company....? That way shopadmins would not have to bother with SSL and creditcard companies that would like to make a plugin to osc would just have to provide users with a dialog and and SSL-proxy on their side. :) What about when they enter the account details? I wouldnt enter my personal address and info into a site that doesnt use SSL :) With 95% of hosting companies offering free shared SSL certs there isnt an excuse anymore not to have SSL ;) What you describe is the way the 3rd party payment modules such as protx form etc work so if thats what you want look in the contributions section. Quote Mark Evans osCommerce Monkey & Lead Guitarist for "Sparky + the Monkeys" (Album on sale in all good record shops) --------------------------------------- Software is like sex: It's better when it's free. (Linus Torvalds) Link to comment Share on other sites More sharing options...
NoName Posted June 17, 2004 Author Share Posted June 17, 2004 Isn't it encrypted when a browser posts to a SSL-page? Or am I mistaken..? Quote Link to comment Share on other sites More sharing options...
Guest Posted June 19, 2004 Share Posted June 19, 2004 Isn't it encrypted when a browser posts to a SSL-page? Or am I mistaken..? It must also post from an SSL page :P Matti Quote Link to comment Share on other sites More sharing options...
stevel Posted June 19, 2004 Share Posted June 19, 2004 Well, that's not actually true, though certainly a lot of people would feel more comfortable about it. If the "action" of the form is an https page, the form data is encrypted before being sent. SSL protects the transfer of information from the user's browser to the web server, but no further. The default is that the whole CC number is stored in plaintext in the database, protected only by whatever security you have on the admin panel. There's an option in the default cc module to "split" the number - send part to you by e-mail and put the other part in the database. That's good enough in most cases. If you are using a payment gateway, none of this matters as the gateway handles protecting the cc information. Quote Steve Contributions: Country-State Selector Login Page a la Amazon Protection of Configuration Updated spiders.txt Embed Links with SID in Description Link to comment Share on other sites More sharing options...
NoName Posted June 21, 2004 Author Share Posted June 21, 2004 Ok, thanks guys for the helpful info :) Quote Link to comment Share on other sites More sharing options...
Guest Posted July 8, 2004 Share Posted July 8, 2004 Hi all, Maybe this is ever so slightly off topic and I apologise if it is but... Why store the CC number - any part of it - in the DB? Why not e-mail the whole lot of it using PGP or similar? This would have the advantage of being able to send the whole "order" via e-mail so that everything (customer details, order etc, etc) is in one e-mail for off-line processing. Has this already been done... or do I have to don my thinking cap? I'd hate to re-invent the wheel. ;) Graham. Quote Link to comment Share on other sites More sharing options...
stevel Posted July 8, 2004 Share Posted July 8, 2004 Yes, it has been done. There is a contribution that encrypts the info with GPG and e-mails it. But this requires a complicated install, the use of a separate gpg executable on the host system (not always feasible), and more. Not straighforward. You would not want to keep EVERYTHING out of the database - there is an advantage to being able to see and maintain customer orders there. It is possible with typical PHP support to encrypt the info in the database, and decrypt it on the fly. There is a contrib for that too. But that requires that the key be stored in the server files. Whether or not that's any better than putting the cleartext data in the database, I don't know. Quote Steve Contributions: Country-State Selector Login Page a la Amazon Protection of Configuration Updated spiders.txt Embed Links with SID in Description Link to comment Share on other sites More sharing options...
mattstephens Posted July 9, 2004 Share Posted July 9, 2004 I have just about finished working on an alternative solution to the GPG contribution. My host doesn't have GPG on the server but i figured that since mod_ssl is installed i might be able to use that and you can. I dont know how much interest there would be to convert my work into a contribution. I am very new to both php and osCommerce but if hte demand is there then i'd certainly clean it up for others to use. (if anyone who knows osCommerce inside out wants to help then get in touch). The steps i followed are: 1) Use the OpenSSL command line tools to generate a private key file that is also encrypted with a triple-DES passphrase of your choice. 2) Use the OpenSSL command again to split out the public key from the private/public key pair. 3) Put the key files on your site somewhere, i chose to put the public key in the catalog folder and the private key in the admin folder. 4) Change the cc_number field in the orders table to LONGTEXT type so it can store the encrypted credit card info. 4) Add some code to the cc.php file which uses the public key file to encrypt the credit card number. The function before_process() is a perfect place for this. 5) Finally add some way of passing the passphrase for the private key to the admin part of the site and change order.php to decrypt the credit card number using the private key. At the moment i plan to pass the passphrase in on the url to the admin area as i have made sure i can only access it via SSL. The passphrase is stored in session variables and i have a log-off link that will kill the session data. Unfortunately the passphrase does live in the session while admin tasks are going on which isn't ideal but i am not a PHP programmer so if anyone knows a better way?? Finally the code for using the mod_ssl functions to encrypt the data is: $string="Some Important Data"; $fp=fopen ("publickey.pem","r"); $pub_key=fread ($fp,8192); fclose($fp); $PK=openssl_get_publickey($pub_key); if (!$PK) { echo "Cannot get public key"; } openssl_public_encrypt($string,$finaltext,$PK); openssl_free_key($PK); if (!empty($finaltext)) { echo "Encryption OK!<br>"; echo base64_encode($finaltext); echo "<br>"; }else{ echo "Cannot Encrypt"; } And to decrypt the data: $b64txt = <base 64 encoded data from the database>; $fp=fopen ("privatekey.pem","r"); $priv_key=fread ($fp,8192); fclose($fp); $PK=openssl_get_privatekey($priv_key,"passphrase"); $Crypted=openssl_private_decrypt(base64_decode($b64txt),$Decrypted,$PK); if (!$Crypted) { echo "Cannot Decrypt"; }else{ echo "Decrypted Data: " . $Decrypted; } Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.