Data protection

  • mattkopko
  • Newbie
  • Posts: 6

Post 3+ Months Ago

Hey all:
I have developed an ASP web app that has basic session username & password protection. However, where should I store all the passwords of all the users so that they cannot be seen by anyone who wishes? Right now I have them stored in a text file in the directory of my ASP application (so they can be seen by anyone!). I was thinking about storing the information below the webroot, so it can't be accessed from the web. Is that a good idea? If I start having lots of info, this could really sully the webroot.

Also, I am currently developing another web app that takes users' credit card information (I have an actual physical credit card machine). I will be charging them at a later date for a non-web service. What is the most secure way of obtaining and storing this information? If credit cards get out, that's really serious...

I would be really appreciative of any help, on any of the topics.

Thanks,
matt

  • rjstephens
  • Professor
  • Posts: 774
  • Loc: Brisbane, Australia

Post 3+ Months Ago

1. Anywhere off the web root is fine, but it would be better to encrypt the passwords using something like MD5 AND put them off the web root.

2. If you want people's credit cards, you're going to have to get an SSL certificate. This can be done for free, but people's web browsers will complain about it. If you don't want people's browsers to complain, you'll have to go to VeriSign or Thawte or some other certificate authority.

As for storing the card numbers, the best way to do it is to store them on a separate computer that is not directly accessible from the internet (i.e. you have two network cards in your server: one goes to the internet, while the other goes through a crossover cable into the back of another server, and you use the other server to store the numbers). You should use some kind of strong encryption on the passwords, even though they are not actually on the same web server - DES or IDEA or Blowfish.

However, if you want to store them on the same server, that's not too bad, just be careful. Most importantly, make sure the key used to encrypt your data is not stored in the web root, even if it is inside the ASP code of a file.

I have seen broken IIS servers outputting the ASP code of the pages rather than interpreting it.
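An added example (not code from this thread, and Go standing in for whatever server language the app actually uses) of the storage scheme rjstephens describes: the credential file lives outside the web root and the program refuses to start if it does not, and each line holds a salted, iterated PBKDF2-HMAC-SHA256 hash rather than a plain MD5 of the password, because an unsalted single-round MD5 is reversed with precomputed tables the moment the file leaks. The paths /var/www/html and /var/www/private/users.txt in main are assumptions; everything else is the Go standard library.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// PBKDF2 work factor; raise it until one hash costs ~100 ms on your server.
const iterations = 200000

// pbkdf2sha256 is one block of PBKDF2-HMAC-SHA256 (RFC 8018), written out so the
// example is stand-alone; use golang.org/x/crypto/pbkdf2 or bcrypt in real code.
func pbkdf2sha256(password, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // block index 1, big-endian
	u := prf.Sum(nil)             // U_1
	t := append([]byte(nil), u...)
	for n := 2; n <= iter; n++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(u[:0]) // U_n = PRF(password, U_{n-1})
		for i := range t {
			t[i] ^= u[i] // T = U_1 xor U_2 xor ... xor U_iter
		}
	}
	return t
}

// HashPassword returns "pbkdf2-sha256$iter$salt$hash", the only form stored on disk;
// the random per-user salt and the iteration count are exactly what plain MD5 lacks.
func HashPassword(password string) (string, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	dk := pbkdf2sha256([]byte(password), salt, iterations)
	b64 := base64.RawStdEncoding.EncodeToString
	return fmt.Sprintf("pbkdf2-sha256$%d$%s$%s", iterations, b64(salt), b64(dk)), nil
}

// VerifyPassword recomputes the hash with the stored salt and compares in constant time.
func VerifyPassword(encoded, password string) bool {
	p := strings.Split(encoded, "$")
	if len(p) != 4 || p[0] != "pbkdf2-sha256" {
		return false
	}
	iter, err := strconv.Atoi(p[1])
	salt, err1 := base64.RawStdEncoding.DecodeString(p[2])
	want, err2 := base64.RawStdEncoding.DecodeString(p[3])
	if err != nil || err1 != nil || err2 != nil || iter < 1 || len(want) != 32 {
		return false
	}
	got := pbkdf2sha256([]byte(password), salt, iter)
	return subtle.ConstantTimeCompare(got, want) == 1
}

// EnsureOutsideWebRoot rejects a path the web server could serve as a static file
// (e.g. wwwroot\users.txt). Both paths must be absolute.
func EnsureOutsideWebRoot(credPath, webRoot string) error {
	rel, err := filepath.Rel(webRoot, credPath)
	if err != nil {
		return err
	}
	if rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return fmt.Errorf("%s is inside the web root %s", credPath, webRoot)
	}
	return nil
}

// CheckLogin scans "user:encoded-hash" lines and verifies the supplied password.
func CheckLogin(credPath, user, password string) (bool, error) {
	data, err := os.ReadFile(credPath)
	if err != nil {
		return false, err
	}
	for _, line := range strings.Split(string(data), "\n") {
		if name, enc, ok := strings.Cut(line, ":"); ok && name == user {
			return VerifyPassword(enc, password), nil
		}
	}
	return false, nil
}

func main() {
	webRoot, credPath := "/var/www/html", "/var/www/private/users.txt" // assumed layout
	if err := EnsureOutsideWebRoot(credPath, webRoot); err != nil {
		panic(err)
	}
	h, _ := HashPassword("correct horse battery staple")
	if err := os.WriteFile(credPath, []byte("matt:"+h+"\n"), 0o600); err != nil { // owner-only
		panic(err)
	}
	fmt.Println(CheckLogin(credPath, "matt", "correct horse battery staple"))
}
```

The file is created owner-only (mode 0600), so other accounts on the same box cannot read even the hashes. If it leaks anyway, each guess against one user costs the attacker 200,000 HMAC computations, and the per-user salt means the work cannot be shared across users or precomputed.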
  • mattkopko
  • Newbie
  • Posts: 6

Post 3+ Months Ago

Thanks a lot, rjstephens. Your response provides me with a lot of direction for my website's security. I still have another question (or two):

1. I am new to SSL encryption. Is this actually software to install on the server, or is it some code I would put in my scripts?
2. Is there any way for someone to read server-side scripting code?

Thanks again for all your help,
matt kopko
  • rjstephens
  • Professor
  • Posts: 774
  • Loc: Brisbane, Australia

Post 3+ Months Ago

1. SSL encryption requires that software be installed on your server to encrypt and decrypt the server's outgoing and incoming data. If you're using Apache, you have to either compile Apache with SSL support, or you can add SSL as a module.

I assume you'd do the same thing with IIS - add SSL as a module. Once SSL is set up, you can go to
https://yourdomain.com/something.html
and anyone monitoring your network traffic has no idea what was transmitted.

Note the s in 'https'.

2. It is not normally possible. However, I have seen cases of IIS servers outputting the ASP code instead of interpreting it. Apparently the ASP process crashed or something; I'm not sure exactly. I don't know much about IIS servers.

If you want to keep your code secure, you could probably store the script in question away from the web root, and then include it from inside the web root. That's your best bet IMO.
  • digitalMedia
  • a.k.a. dM
  • Genius
  • Posts: 5149
  • Loc: SC-USA

Post 3+ Months Ago

//moved
  • mattkopko
  • Newbie
  • Posts: 6

Post 3+ Months Ago

rj:
Thanks again for all your help. I guess I will contact SSL certificate distributors like VeriSign and see what their deals are...
  • ATNO/TW
  • Super Moderator
  • Posts: 23455
  • Loc: Woodbridge VA

Post 3+ Months Ago

Umm...does anybody know which thread this belongs with? If so let me know and I'll merge it.
  • mattkopko
  • Newbie
  • Posts: 6

Post 3+ Months Ago

Whoops, sorry. This was a reply to the data protection thread started by matt kopko. Sorry about that...
  • mattkopko
  • Newbie
  • Posts: 6

Post 3+ Months Ago

I'm looking into SSL options now...
What do you guys think is the best place to store the sensitive information once SSL encryption is set up on the server? I was thinking in a text file below the webroot...

matt
  • mattkopko
  • Newbie
  • Posts: 6

Post 3+ Months Ago

Also:
Do you guys think SSL encryption is necessary for small-time protection of sensitive information? That is, if the information is stored in a safe place, how important is the actual process of sending the information? I understand the security risk exists, but who is responsible if the information gets out in transit? I don't mean to sound like an asshole, but for organizations without the ability to dedicate resources to this type of security, what happens?

I mean, what percentage of online retailers use SSL encryption?
What are other options to provide semi-decent protection of sensitive information?

Thanks for any help,
matt
  • rjstephens
  • Professor
  • Posts: 774
  • Loc: Brisbane, Australia

Post 3+ Months Ago

SSL is for use only when the data is en route, not for storing the data after it reaches its destination.

I would assume somewhere in the region of 100% of online retailers use SSL, but there are probably a few "red herrings" who can't be bothered even though it is important.

Once you receive the data, at the very least, make sure you store the data off of the web root. However, if you can afford it, set up a second server that is not connected to the internet and install a second network card in your first server so that you have one cable going straight to your second server. Use the second server to host a database of some sort (MySQL/MS SQL) and use that to store people's cc information.


© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.