Posting the credit card number unencrypted?


11 replies to this topic

#1 NoName

  • Community Member
  • 12 posts
  • Real Name:Joe

Posted 17 June 2004, 11:18

Hi,

I have a question: when you enter your credit card info in checkout_payment.php and then post it to checkout_confirmation.php, using the default credit card module, or ipayment or something similar, is it posted from one page to the other in cleartext? Or how does it work?

It is useless if it's posted in cleartext, as it is a major security hazard I believe.

thanks in advance.

#2 NoName

  • Community Member
  • 12 posts
  • Real Name:Joe

Posted 17 June 2004, 12:29

Hmm, I looked through the code in the checkout_payment.php page and when building the link to checkout_confirmation.php, tep_href_link uses some 'SSL' stuff... But what does it do? I'd sell my soul for some documentation... ;)

Edited by NoName, 17 June 2004, 12:29.


#3 Johnson

  • Banned
  • 5,205 posts
  • Real Name:Matti Ressler
  • Location:Sydney, Australia

Posted 17 June 2004, 13:06

You must have an SSL certificate installed on your server and osCommerce configured for this - SSL encrypts the entire checkout/account processes :)

Matti
Matti Ressler

We were all once expert at...... nothing
_____

#4 NoName

  • Community Member
  • 12 posts
  • Real Name:Joe

Posted 17 June 2004, 13:32

I suspected that might be the case. :( But the smart thing to do here would be to not post any credit card info in the osc site, just have the user fill in the credit card info as a last step and then with confirm take the customer to the credit card payment company....? That way shop admins would not have to bother with SSL, and credit card companies that would like to make a plugin for osc would just have to provide users with a dialog and an SSL proxy on their side. :)

Edited by NoName, 17 June 2004, 13:34.


#5 Mark Evans

  • Team Member
  • 2,428 posts
  • Real Name:Mark
  • Gender:Male
  • Location:Behind you :-P

Posted 17 June 2004, 15:27

NoName, on Jun 17 2004, 01:32 PM, said:

I suspected that might be the case. :( But the smart thing to do here would be to not post any credit card info in the osc site, just have the user fill in the credit card info as a last step and then with confirm take the customer to the credit card payment company....? That way shop admins would not have to bother with SSL, and credit card companies that would like to make a plugin for osc would just have to provide users with a dialog and an SSL proxy on their side. :)

What about when they enter the account details?

I wouldn't enter my personal address and info into a site that doesn't use SSL :)

With 95% of hosting companies offering free shared SSL certs there isn't an excuse anymore not to have SSL ;)

What you describe is the way the 3rd party payment modules such as Protx Form etc. work, so if that's what you want, look in the contributions section.
Mark Evans
osCommerce Monkey & Lead Guitarist for "Sparky + the Monkeys" (Album on sale in all good record shops)

---------------------------------------
Software is like sex: It's better when it's free. (Linus Torvalds)

#6 NoName

  • Community Member
  • 12 posts
  • Real Name:Joe

Posted 17 June 2004, 15:42

Isn't it encrypted when a browser posts to an SSL page? Or am I mistaken..?

#7 Johnson

  • Banned
  • 5,205 posts
  • Real Name:Matti Ressler
  • Location:Sydney, Australia

Posted 19 June 2004, 04:53

NoName, on Jun 17 2004, 11:42 AM, said:

Isn't it encrypted when a browser posts to an SSL page? Or am I mistaken..?
It must also post from an SSL page :P

Matti
Matti Ressler

We were all once expert at...... nothing
_____

#8 stevel

  • Community Member
  • 2,833 posts
  • Real Name:Steve Lionel
  • Location:New Hampshire, USA

Posted 19 June 2004, 13:26

Well, that's not actually true, though certainly a lot of people would feel more comfortable about it. If the "action" of the form is an https page, the form data is encrypted before being sent.

SSL protects the transfer of information from the user's browser to the web server, but no further. The default is that the whole CC number is stored in plaintext in the database, protected only by whatever security you have on the admin panel. There's an option in the default cc module to "split" the number - send part to you by e-mail and put the other part in the database. That's good enough in most cases.

If you are using a payment gateway, none of this matters as the gateway handles protecting the cc information.

#9 NoName

  • Community Member
  • 12 posts
  • Real Name:Joe

Posted 21 June 2004, 07:59

Ok, thanks guys for the helpful info :)

#10 MoyCom

  • Community Member
  • 3 posts
  • Real Name:Graham Moy

Posted 08 July 2004, 09:41

Hi all,

Maybe this is ever so slightly off topic and I apologise if it is but...

Why store the CC number - any part of it - in the DB? Why not e-mail the whole lot of it using PGP or similar?

This would have the advantage of being able to send the whole "order" via e-mail so that everything (customer details, order etc, etc) is in one e-mail for off-line processing.

Has this already been done... or do I have to don my thinking cap? I'd hate to re-invent the wheel. ;)

Graham.

#11 stevel

  • Community Member
  • 2,833 posts
  • Real Name:Steve Lionel
  • Location:New Hampshire, USA

Posted 08 July 2004, 13:09

Yes, it has been done. There is a contribution that encrypts the info with GPG and e-mails it. But this requires a complicated install, the use of a separate gpg executable on the host system (not always feasible), and more. Not straightforward.

You would not want to keep EVERYTHING out of the database - there is an advantage to being able to see and maintain customer orders there.

It is possible with typical PHP support to encrypt the info in the database, and decrypt it on the fly. There is a contrib for that too. But that requires that the key be stored in the server files. Whether or not that's any better than putting the cleartext data in the database, I don't know.

#12 mattstephens

  • Community Member
  • 3 posts
  • Real Name:Matt Stephens

Posted 09 July 2004, 10:53

I have just about finished working on an alternative solution to the GPG contribution. My host doesn't have GPG on the server, but I figured that since mod_ssl is installed I might be able to use that, and you can.

I don't know how much interest there would be to convert my work into a contribution. I am very new to both PHP and osCommerce, but if the demand is there then I'd certainly clean it up for others to use. (If anyone who knows osCommerce inside out wants to help then get in touch.)

The steps I followed are:

1) Use the OpenSSL command line tools to generate a private key file that is also encrypted with a triple-DES passphrase of your choice.
2) Use the OpenSSL command again to split out the public key from the private/public key pair.
3) Put the key files on your site somewhere; I chose to put the public key in the catalog folder and the private key in the admin folder.
4) Change the cc_number field in the orders table to LONGTEXT type so it can store the encrypted credit card info.
5) Add some code to the cc.php file which uses the public key file to encrypt the credit card number. The function before_process() is a perfect place for this.
6) Finally, add some way of passing the passphrase for the private key to the admin part of the site and change order.php to decrypt the credit card number using the private key. At the moment I plan to pass the passphrase in on the URL to the admin area, as I have made sure I can only access it via SSL. The passphrase is stored in session variables and I have a log-off link that will kill the session data. Unfortunately the passphrase does live in the session while admin tasks are going on, which isn't ideal, but I am not a PHP programmer, so if anyone knows a better way??

Finally, the code for using the mod_ssl functions to encrypt the data is:

$string = "Some Important Data";
// Catalog side: only the public key is needed here, so no passphrase on this host
$fp = fopen("publickey.pem", "r");
$pub_key = fread($fp, 8192);
fclose($fp);
$PK = openssl_get_publickey($pub_key);
if (!$PK) {
    echo "Cannot get public key";
    exit; // do not fall through and call openssl_public_encrypt() with an invalid key
}
openssl_public_encrypt($string, $finaltext, $PK);
openssl_free_key($PK);
if (!empty($finaltext)) {
    echo "Encryption OK!<br>";
    echo base64_encode($finaltext); // base64 so the binary ciphertext fits a text column
    echo "<br>";
} else {
    echo "Cannot Encrypt";
}

And to decrypt the data:

$b64txt = "<base 64 encoded data from the database>"; // placeholder: the cc_number column value
// Admin side: the private key plus its passphrase are needed to decrypt
$fp = fopen("privatekey.pem", "r");
$priv_key = fread($fp, 8192);
fclose($fp);
$PK = openssl_get_privatekey($priv_key, "passphrase");
if (!$PK) {
    echo "Cannot get private key (wrong passphrase or unreadable key file)";
    exit;
}
$Crypted = openssl_private_decrypt(base64_decode($b64txt), $Decrypted, $PK);
openssl_free_key($PK);
if (!$Crypted) {
    echo "Cannot Decrypt";
} else {
    echo "Decrypted Data: " . $Decrypted;
}