Would this be safe?
rmalayter at bai.org
Wed Oct 22 09:53:14 CEST 2003
From: Of Jeff Schmidt
> So, are there any problems with this setup?
You've got it down as far as I can tell. This is how we used to process
credit card orders, and it worked very well so long as the volume stayed
> I've also considered generating a key-pair
> for the server ... I think that signing the
> form data would just give a potentially false
> sense of security.
Well, if someone owns your account on that machine, the credit card
numbers themselves can be considered compromised, since they could have
modified your PHP code to copy the card numbers elsewhere before
encryption. I would still have a "server" key pair with no pass phrase
that automatically signs the emails, if only to give some protection
against spoofing of orders.
You should also sign each and every PHP file (detached) on the server
with *your* private key, then write a script to periodically download
all PHP files from the server and verify each of these signatures to
make sure you haven't been hacked. The logic for this should reside on a
With these precautions in place, I think the only serious worries you
would have are:
1) someone hacking you, making changes to capture
credit card numbers, and then changing things
back before your validation script runs.
2) a hacker not modifying any PHP files, but just
copying your server private key and sending
Both of these scenarios can be mitigated somewhat by adjusting your
timing: doing the verification run frequently, and changing the
unprotected server signing key frequently.
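As an added illustration of the detached-signature check described above (this is not code from the original post), a small POSIX shell routine that signs every PHP file with your own key and a companion check that flags any file whose signature is missing or no longer verifies. It assumes `gpg` is on the path, the key ID is passed as an argument, and the site has already been copied down into the directory given to `verify_tree`.

```shell
#!/bin/sh
# Added example, not from the original post. sign_tree is run on a trusted
# machine with *your* private key; verify_tree is run later, also on a
# trusted machine, against a fresh download of the server's PHP files.

# sign_tree DIR KEYID: write DIR/x.php.sig next to every DIR/x.php
sign_tree() {
  dir=$1; key=$2
  find "$dir" -type f -name '*.php' | while IFS= read -r f; do
    gpg --batch --yes --quiet --local-user "$key" \
        --detach-sign --output "$f.sig" "$f" || return 1
  done
}

# verify_tree DIR: check every *.php against its .sig. A missing .sig (a file
# the attacker added) and a failed verification (a file they changed) both
# count as tampering. Returns 0 only if every file passes; otherwise prints
# the offending files. Caveat: a file that was deleted is not detected here.
verify_tree() {
  dir=$1
  fails=$(find "$dir" -type f -name '*.php' | while IFS= read -r f; do
    if [ ! -f "$f.sig" ]; then
      echo "MISSING $f"
    elif ! gpg --batch --quiet --verify "$f.sig" "$f" 2>/dev/null; then
      echo "BAD $f"
    fi
  done)
  [ -z "$fails" ] && return 0
  printf '%s\n' "$fails"
  return 1
}
```

Schedule `verify_tree` from cron on the trusted machine, as the post suggests, and treat any non-zero exit as an incident rather than a warning.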
More information about the Gnupg-users