Would this be safe?

Ryan Malayter rmalayter at bai.org
Wed Oct 22 09:53:14 CEST 2003

From:  Of Jeff Schmidt

> So, are there any problems with this setup?
You've got it down as far as I can tell. This is how we used to process
credit card orders, and it worked very well so long as the volume stayed

> I've also considered generating a key-pair 
> for the server ... I think that signing the 
> form data would just give a potentially false 
> sense of security.
Well, if someone owns your account on that machine, the credit card
numbers themselves can be considered compromised, since they could have
modified your PHP code to copy the card numbers elsewhere before
encryption. I would still have a "server" key pair with no pass phrase
that automatically signs the emails, if only to give some protection
against spoofing of orders.

You should also sign each and every PHP file (detached) on the server
with *your* private key, then write a script to periodically download
all PHP files from the server and verify each of these signatures to
make sure you haven't been hacked. The logic for this should reside on a
remote machine.

With these precautions in place, I think the only serious worries you
would have are:
   1) someone hacking you, making changes to capture 
	credit card numbers, and then changing things 
	back before your validation script runs.
   2) a hacker not modifying any PHP files, but just 
	copying your server private key and sending 
	spoofed orders. 

Both of these scenarios can be mitigated somewhat by adjusting your
timing: doing the verification run frequently, and changing the
unprotected server signing key frequently.


More information about the Gnupg-users mailing list