I have no idea where to start on this. We have a need to allow our users to
enter Credit Card #'s on a web page, so we need a secure page (have the
little lock at the bottom of the browser) in order to do this.

1) What is this called? (I've heard the term SSL (Secure Socket Layer)
tossed around, I don't know if this is the same or something different).

2) If I need a certificate of some sort for our server, how do I get it?

Thanks for any help you can offer.

Jesse
www.davinci-mims.com

Re: How to get a Secure Web Page? by jcochran

jcochran
Fri Dec 19 13:10:37 CST 2003

On Fri, 19 Dec 2003 13:49:31 -0500, "Anchorman"
<JesseN0SPAM@davinci-mims.com> wrote:

>I have no idea where to start on this. We have a need to allow our users to
>enter Credit Card #'s on a web page, so we need a secure page (have the
>little lock at the bottom of the browser) in order to do this.
>
>1) What is this called? (I've heard the term SSL (Secure Socket Layer)
>tossed around, I don't know if this is the same or something different).
>
>2) If I need a certificate of some sort for our server, how do I get it?

For those two questions, see:

http://www.iisfaq.com/default.aspx?View=P20&P=145

But if you're asking these questions, think twice about doing this.
When you screw it up and credit card numbers leak out, you'll lose
your customer base pretty darned quick. Use a payment processing
service instead.

Jeff

Re: How to get a Secure Web Page? by Peter

Peter
Fri Dec 19 13:31:08 CST 2003

"Anchorman" <JesseN0SPAM@davinci-mims.com> wrote in message
news:uHmKPDmxDHA.2304@TK2MSFTNGP12.phx.gbl...
> I have no idea where to start on this. We have a need to allow our users to
> enter Credit Card #'s on a web page, so we need a secure page (have the
> little lock at the bottom of the browser) in order to do this.

Presumably, these credit card numbers are being stored in a database? You
should take steps to make sure your database is secure as well (that is, a
user couldn't point his/her browser at a URL for the database and download
it). In addition, you should look into encrypting the credit card info
before storing it in the database. Check out ASPEncrypt
(www.aspencrypt.com) for encrypting/decrypting credit card data. They have
some good examples under the Tasks, including encrypting credit card info.

>
> 1) What is this called? (I've heard the term SSL (Secure Socket Layer)
> tossed around, I don't know if this is the same or something different).

SSL is correct. You can tell when you're using SSL by the protocol in the
URL as well... it will be "https://" vs. "http://" (note the 's').

> 2) If I need a certificate of some sort for our server, how do I get it?

You need to purchase a certificate, or oftentimes your host will have one
that you can use. However, using the host's certificate will typically mean
that the URL to the secure pages will be something like this:

https://secure.myhost.com/mydomain/mysecurepage.htm

vs. having your own certificate where your URL would probably look more like
this:

https://www.mydomain.com/mysecurepage.htm

Some customers may be turned off if they have to leave your domain. You can
purchase your own certificate from Thawte (www.thawte.com) or Verisign
(though Verisign is a bit of a rip off, in my opinion). Once you have the
certificate, your host will need to install it on the server. You should
contact the host in advance though to let them know you're going to be doing
this. You can find more documentation on the Thawte and Verisign
websites.

Regards,
Peter Foti
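The https:// vs. http:// distinction Peter describes is something the server should enforce rather than leave to the visitor typing the right scheme. The Go program below is an added example (not code from the thread or from any product mentioned in it) of a small handler that refuses to serve the card-entry page over plain HTTP: a GET is redirected to the https:// form of the same URL, while a POST that arrives in the clear is rejected rather than redirected, because the card number has already crossed the wire unencrypted by then. The `/checkout` path, the form markup and the `server.crt`/`server.key` filenames are assumptions made for this example; the certificate itself is the one obtained from a CA as discussed in this thread.

```go
package main

import (
	"net/http"
)

// isSecure reports whether the request arrived over TLS. A proxy that
// terminates TLS in front of the app would set X-Forwarded-Proto instead;
// honouring that header is only safe when the proxy is the sole way in,
// so this example trusts r.TLS alone.
func isSecure(r *http.Request) bool {
	return r.TLS != nil
}

// httpsURL rewrites the request URL to its https:// form on the same host.
func httpsURL(r *http.Request) string {
	u := *r.URL
	u.Scheme = "https"
	u.Host = r.Host
	return u.String()
}

// RequireHTTPS wraps a handler so the wrapped page is never served over
// plain HTTP: GET/HEAD are redirected to the https:// URL, anything else
// (a POST carrying a card number) is refused outright, since a redirect
// would not undo the fact that the body already travelled in the clear.
func RequireHTTPS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isSecure(r) {
			next.ServeHTTP(w, r)
			return
		}
		if r.Method == http.MethodGet || r.Method == http.MethodHead {
			http.Redirect(w, r, httpsURL(r), http.StatusMovedPermanently)
			return
		}
		http.Error(w, "card details must be submitted over https://", http.StatusForbidden)
	})
}

// cardForm is a stand-in for the checkout page (constructed for this example).
func cardForm(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	_, _ = w.Write([]byte(`<form method="post"><input name="pan"><button>Pay</button></form>`))
}

func main() {
	mux := http.NewServeMux()
	mux.Handle("/checkout", RequireHTTPS(http.HandlerFunc(cardForm)))
	// The plain-HTTP listener exists only so that http:// links get redirected.
	go func() { _ = http.ListenAndServe(":80", mux) }()
	// server.crt / server.key are placeholder paths for the CA-issued certificate.
	_ = http.ListenAndServeTLS(":443", "server.crt", "server.key", mux)
}
```

Put every page that handles the card number behind the wrapper, not just the form: the page that receives the POST is the one that matters most.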



Re: How to get a Secure Web Page? by Aaron

Aaron
Fri Dec 19 15:09:12 CST 2003

> When you screw it up and credit card numbers leak out, you'll lose
> your customer base pretty darned quick.

Or worse. (Think lawsuit, fines, prison, etc.)

--
Aaron Bertrand
SQL Server MVP
http://www.aspfaq.com/



Re: How to get a Secure Web Page? by Aaron

Aaron
Fri Dec 19 15:11:40 CST 2003

> it). In addition, you should look into encrypting the credit card info
> before storing it in the database. Check out ASPEncrypt
> (www.aspencrypt.com) for encrypting/decrypting credit card data.

Well, if you need to keep the data, you will also need to decrypt it. And
if you can decrypt it, so can someone else. I love the use of quotes around
the word "secret" to describe where to store the encryption key in the
registry...

--
Aaron Bertrand
SQL Server MVP
http://www.aspfaq.com/



Re: How to get a Secure Web Page? by Peter

Peter
Fri Dec 19 15:28:54 CST 2003

"Aaron Bertrand - MVP" <aaron@TRASHaspfaq.com> wrote in message
news:%23f9QfTnxDHA.2456@TK2MSFTNGP10.phx.gbl...
> > it). In addition, you should look into encrypting the credit card info
> > before storing it in the database. Check out ASPEncrypt
> > (www.aspencrypt.com) for encrypting/decrypting credit card data.
>
> Well, if you need to keep the data, you will also need to decrypt it. And
> if you can decrypt it, so can someone else.

Sure... if they have the decryption key.

> I love the use of quotes around
> the word "secret" to describe where to store the encryption key in the
> registry...

LOL! Yes, that method is somewhat foolish, and not realistic in a world
where sites are hosted and you have no control over the server.
A better approach might be to store the decryption key on a PC that is not
publicly accessible, or perhaps require the user to input the decryption key
(over a secure connection, of course).

Peter Foti



Re: How to get a Secure Web Page? by Aaron

Aaron
Fri Dec 19 15:30:06 CST 2003

> > Well, if you need to keep the data, you will also need to decrypt it. And
> > if you can decrypt it, so can someone else.
>
> Sure... if they have the decryption key.

My two thoughts were intended to be connected. E.g. you need the decryption
key to decrypt, so let's "hide" it in the registry. In addition, unless you
manually decrypt the data row by row, you must have programmatic access to
the decryption key in order to automate order processing, etc. So a
malicious user doesn't necessarily need to find/know/guess the key to
decrypt the data.

--
Aaron Bertrand
SQL Server MVP
http://www.aspfaq.com/



Re: How to get a Secure Web Page? by Peter

Peter
Fri Dec 19 16:27:03 CST 2003

"Aaron Bertrand - MVP" <aaron@TRASHaspfaq.com> wrote in message
news:Oz%231ydnxDHA.2620@TK2MSFTNGP09.phx.gbl...
> > > Well, if you need to keep the data, you will also need to decrypt it. And
> > > if you can decrypt it, so can someone else.
> >
> > Sure... if they have the decryption key.
>
> My two thoughts were intended to be connected. E.g. you need the decryption
> key to decrypt, so let's "hide" it in the registry.

Hehehe... I didn't make that connection the first time... it's even funnier
when you put it like that. :)

> In addition, unless you
> manually decrypt the data row by row, you must have programmatic access to
> the decryption key in order to automate order processing, etc. So a
> malicious user doesn't necessarily need to find/know/guess the key to
> decrypt the data.

True. But perhaps the decryption key could reside on a different server
(for example, behind a firewall on a LAN), where the order processing would
get the key and then send it to the database server? Would that make it any
more secure?

Pete



Re: How to get a Secure Web Page? by Aaron

Aaron
Fri Dec 19 16:32:19 CST 2003

> True. But perhaps the decryption key could reside on a different server
> (for example, behind a firewall on a LAN), where the order processing would
> get the key and then send it to the database server? Would that make it any
> more secure?

Not really. If someone from outside the firewall/LAN could initiate code
that sends the key to the database server, theoretically, they could
intercept it or initiate it to send it somewhere else. Basically, if you
put the key anywhere in plain view, someone will be able to get to it. It's
just a matter of how much work it will take, and whether the payoff is worth
it (knowledge, time, risk).

--
Aaron Bertrand
SQL Server MVP
http://www.aspfaq.com/



Re: How to get a Secure Web Page? by Peter

Peter
Fri Dec 19 16:54:27 CST 2003

"Aaron Bertrand - MVP" <aaron@TRASHaspfaq.com> wrote in message
news:e1R5jAoxDHA.2396@TK2MSFTNGP09.phx.gbl...
> > True. But perhaps the decryption key could reside on a different server
> > (for example, behind a firewall on a LAN), where the order processing would
> > get the key and then send it to the database server? Would that make it any
> > more secure?
>
> Not really. If someone from outside the firewall/LAN could initiate code
> that sends the key to the database server, theoretically, they could
> intercept it or initiate it to send it somewhere else.

I assume you mean, for example, an order is placed, thus triggering the
order processing to begin by sending the decryption key. Presumably,
though, it would be sent via HTTPS, so as to keep it secure during
transmission.

> Basically, if you
> put the key anywhere in plain view, someone will be able to get to it. It's
> just a matter of how much work it will take, and whether the payoff is worth
> it (knowledge, time, risk).

True, but I don't think that behind a firewall is exactly in plain view....
except, of course, to anyone else who was behind that firewall (which in
this scenario should only be the order processing folks).

Pete



Re: How to get a Secure Web Page? by Aaron

Aaron
Fri Dec 19 17:51:08 CST 2003

> True, but I don't think that behind a firewall is exactly in plain view....
> except, of course, to anyone else who was behind that firewall (which in
> this scenario should only be the order processing folks).

If the whole thing is behind the firewall, then who are you protecting *any*
portion of it from? I was expressing my thoughts because I know of web
sites that have web-based order processing that is done manually, but from
an online admin section of the site, so credit card information is retrieved
from a database (behind a firewall, I would imagine) and presented to an
order gimp through a browser.

--
Aaron Bertrand
SQL Server MVP
http://www.aspfaq.com/



Re: How to get a Secure Web Page? by Peter

Peter
Fri Dec 19 18:12:26 CST 2003

"Aaron Bertrand [MVP]" <aaron@TRASHaspfaq.com> wrote in message
news:OaqI6roxDHA.540@tk2msftngp13.phx.gbl...
> > True, but I don't think that behind a firewall is exactly in plain view....
> > except, of course, to anyone else who was behind that firewall (which in
> > this scenario should only be the order processing folks).
>
> If the whole thing is behind the firewall, then who are you protecting *any*
> portion of it from?

If the whole thing is behind the firewall, then you are protecting it from
everyone, no? But my example was meant as:
- Website is on some public host somewhere (not behind firewall, or perhaps
behind host's firewall which is configured to only allow HTTP(S) through)
- Order processing is done (behind a firewall) on a corporate LAN, where the
decryption key is kept

> I was expressing my thoughts because I know of web
> sites that have web-based order processing that is done manually, but from
> an online admin section of the site, so credit card information is retrieved
> from a database (behind a firewall, I would imagine) and presented to an
> order gimp through a browser.

And I would agree with you that this scenario is not *entirely* secure... I
was just trying to suggest a possible *more secure* method. :)

Insecurely,
Pete :)
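The layout Peter sketches (web site on a public host, order processing and the decryption key on the LAN behind the firewall) can be made concrete with a public-key scheme, which the thread itself does not spell out: the web host holds only the public half and uses it to encrypt card numbers on their way into the database, while the private half never leaves the order-processing machine. The Go program below is an added example written for this page, not code from the thread or from ASPEncrypt. It goes beyond the thread's symmetric-key framing in that the web tier has no decryption key to "hide" at all, so a compromise of the web host yields ciphertext only; Aaron's objection still applies to the back-office machine, which must be able to decrypt to process orders, and that is therefore where the key has to be guarded. The `WebTier`/`BackOffice` names, the OAEP label and the test card number are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"strings"
)

// oaepLabel binds ciphertexts to this one purpose (constructed for the example).
var oaepLabel = []byte("stored-card-pan")

// WebTier is the public host: it receives the card number over HTTPS and
// holds ONLY the public key, so it can seal card numbers but never open them.
type WebTier struct{ Pub *rsa.PublicKey }

// BackOffice is the order-processing machine on the LAN behind the firewall;
// it alone holds the private key.
type BackOffice struct{ priv *rsa.PrivateKey }

// StoredCard is the database row: ciphertext plus a masked form for display.
// The full number appears neither in the row nor anywhere on the web host.
type StoredCard struct {
	Masked     string
	Ciphertext []byte
}

// NewKeyPair generates the pair. In deployment the private key is generated
// and kept on the back-office machine; only the public half is copied to the
// web host.
func NewKeyPair() (WebTier, BackOffice, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return WebTier{}, BackOffice{}, err
	}
	return WebTier{Pub: &priv.PublicKey}, BackOffice{priv: priv}, nil
}

// MaskPAN keeps only the last four digits for receipts and admin screens.
func MaskPAN(pan string) string {
	if len(pan) <= 4 {
		return pan
	}
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
}

// Seal is what the web tier does at checkout time.
func (w WebTier) Seal(pan string) (StoredCard, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, w.Pub, []byte(pan), oaepLabel)
	if err != nil {
		return StoredCard{}, err
	}
	return StoredCard{Masked: MaskPAN(pan), Ciphertext: ct}, nil
}

// Open is what the back office does when it processes the order.
func (b BackOffice) Open(c StoredCard) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, b.priv, c.Ciphertext, oaepLabel)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	web, office, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	row, _ := web.Seal("4111111111111111") // constructed test number
	fmt.Println("row as stored:", row.Masked, len(row.Ciphertext), "bytes of ciphertext")
	pan, _ := office.Open(row)
	fmt.Println("back office recovers:", pan)
}
```

The stored row carries the masked number so that admin pages and receipts never need the full one, which also removes the "order gimp through a browser" exposure Aaron describes for everything except the actual charge step.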



Re: How to get a Secure Web Page? by Aaron

Aaron
Fri Dec 19 18:16:47 CST 2003

> And I would agree with you that this scenario is not *entirely* secure... I
> was just trying to suggest a possible *more secure* method. :)

Yep, I was just making sure that was clear to the OP.

--
Aaron Bertrand
SQL Server MVP
http://www.aspfaq.com/



Re: How to get a Secure Web Page? by Anchorman

Anchorman
Sat Dec 20 05:37:20 CST 2003

I haven't researched credit card payment services much. But, we want to
control what the screen looks like, and present the items in the manner that
we wish to.

You make a very good point, though, and when we get to the point of actually
storing the credit card #'s, and validating transactions, I'll definitely
keep that option in mind.

Jesse

"Jeff Cochran" <jcochran.nospam@naplesgov.com> wrote in message
news:3fe44cb4.794637678@msnews.microsoft.com...
> On Fri, 19 Dec 2003 13:49:31 -0500, "Anchorman"
> <JesseN0SPAM@davinci-mims.com> wrote:
>
> >I have no idea where to start on this. We have a need to allow our users to
> >enter Credit Card #'s on a web page, so we need a secure page (have the
> >little lock at the bottom of the browser) in order to do this.
> >
> >1) What is this called? (I've heard the term SSL (Secure Socket Layer)
> >tossed around, I don't know if this is the same or something different).
> >
> >2) If I need a certificate of some sort for our server, how do I get it?
>
> For those two questions, see:
>
> http://www.iisfaq.com/default.aspx?View=P20&P=145
>
> But if you're asking these questions, think twice about doing this.
> When you screw it up and credit card numbers leak out, you'll lose
> your customer base pretty darned quick. Use a payment processing
> service instead.
>
> Jeff



Re: How to get a Secure Web Page? by Anchorman

Anchorman
Sat Dec 20 05:38:35 CST 2003

BTW, what are some of the services that I can research? Perhaps some
of them will allow me to present the data in my own way. At this point, I'm
just fishing.

Jesse

"Jeff Cochran" <jcochran.nospam@naplesgov.com> wrote in message
news:3fe44cb4.794637678@msnews.microsoft.com...
> On Fri, 19 Dec 2003 13:49:31 -0500, "Anchorman"
> <JesseN0SPAM@davinci-mims.com> wrote:
>
> >I have no idea where to start on this. We have a need to allow our users to
> >enter Credit Card #'s on a web page, so we need a secure page (have the
> >little lock at the bottom of the browser) in order to do this.
> >
> >1) What is this called? (I've heard the term SSL (Secure Socket Layer)
> >tossed around, I don't know if this is the same or something different).
> >
> >2) If I need a certificate of some sort for our server, how do I get it?
>
> For those two questions, see:
>
> http://www.iisfaq.com/default.aspx?View=P20&P=145
>
> But if you're asking these questions, think twice about doing this.
> When you screw it up and credit card numbers leak out, you'll lose
> your customer base pretty darned quick. Use a payment processing
> service instead.
>
> Jeff



Re: How to get a Secure Web Page? by Anchorman

Anchorman
Sat Dec 20 05:54:10 CST 2003

Wow, I never thought of doing what you suggested, "pointing your browser at
a URL for the database and downloading it". I tried that with my web site,
and IT LET ME!! I've browsed around IIS to see how I can prevent this, but
I can't find a setting that I can change. How do I prevent the downloading
of the database?

Thanks,
Jesse

"Peter Foti" <peterf@systolicNOSPAMnetworks.com> wrote in message
news:vu6kc52hc8id6c@corp.supernews.com...
> "Anchorman" <JesseN0SPAM@davinci-mims.com> wrote in message
> news:uHmKPDmxDHA.2304@TK2MSFTNGP12.phx.gbl...
> > I have no idea where to start on this. We have a need to allow our users to
> > enter Credit Card #'s on a web page, so we need a secure page (have the
> > little lock at the bottom of the browser) in order to do this.
>
> Presumably, these credit card numbers are being stored in a database? You
> should take steps to make sure your database is secure as well (that is, a
> user couldn't point his/her browser at a URL for the database and download
> it). In addition, you should look into encrypting the credit card info
> before storing it in the database. Check out ASPEncrypt
> (www.aspencrypt.com) for encrypting/decrypting credit card data. They have
> some good examples under the Tasks, including encrypting credit card info.
>
> >
> > 1) What is this called? (I've heard the term SSL (Secure Socket Layer)
> > tossed around, I don't know if this is the same or something different).
>
> SSL is correct. You can tell when you're using SSL by the protocol in the
> URL as well... it will be "https://" vs. "http://" (note the 's').
>
> > 2) If I need a certificate of some sort for our server, how do I get it?
>
> You need to purchase a certificate, or oftentimes your host will have one
> that you can use. However, using the host's certificate will typically mean
> that the URL to the secure pages will be something like this:
>
> https://secure.myhost.com/mydomain/mysecurepage.htm
>
> vs. having your own certificate where your URL would probably look more like
> this:
>
> https://www.mydomain.com/mysecurepage.htm
>
> Some customers may be turned off if they have to leave your domain. You can
> purchase your own certificate from Thawte (www.thawte.com) or Verisign
> (though Verisign is a bit of a rip off, in my opinion). Once you have the
> certificate, your host will need to install it on the server. You should
> contact the host in advance though to let them know you're going to be doing
> this. You can find more documentation on the Thawte and Verisign
> websites.
>
> Regards,
> Peter Foti
>
>



Re: How to get a Secure Web Page? by Bob

Bob
Sat Dec 20 06:08:44 CST 2003

Anchorman wrote:
> Wow, I never thought of doing what you suggested, "pointing your
> browser at a URL for the database and downloading it". I tried that
> with my web site, and IT LET ME!! I've browsed around IIS to see how
> I can prevent this, but I can't find a setting that I can change.
> How do I prevent the downloading of the database?
>
ASPFAQ is your friend ... if you use it ;-)
http://www.aspfaq.com/show.asp?id=2454

Bob Barrows

--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"

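Bob's pointer concerns a file-based database that sits under the web root, where the web server treats it like any other file and hands it to whoever asks for the URL (the thread does not say which database Jesse uses; an Access .mdb is assumed here). The usual fix is to keep the file outside the directory the server publishes. The Go program below, added here and not part of the thread or of the ASPFAQ article it links to, is a small check you can run against your own site: it lists database-like files found under the web root and tests whether a given database path resolves inside it. The extension list and the path names are constructed for the example.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// databaseExtensions marks file types that are whole databases or dumps of
// them. Constructed list for this example; extend it to what your site uses.
var databaseExtensions = map[string]bool{
	".mdb": true, ".accdb": true, ".mdw": true, ".bak": true, ".sql": true,
}

// ExposedFiles walks the web root and returns every database-like file the
// web server would serve to anyone who guesses its URL, relative to webroot
// and with forward slashes so the result reads like a URL path.
func ExposedFiles(webroot string) ([]string, error) {
	var found []string
	err := filepath.WalkDir(webroot, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() {
			return nil
		}
		if databaseExtensions[strings.ToLower(filepath.Ext(path))] {
			rel, relErr := filepath.Rel(webroot, path)
			if relErr != nil {
				return relErr
			}
			found = append(found, filepath.ToSlash(rel))
		}
		return nil
	})
	return found, err
}

// IsUnderWebroot reports whether dbPath resolves to somewhere inside the web
// root, which is exactly the condition under which a browser can fetch it.
// Both paths are made absolute first so that ".." segments and a sibling
// directory that merely shares the web root's name as a prefix are judged
// correctly.
func IsUnderWebroot(webroot, dbPath string) (bool, error) {
	root, err := filepath.Abs(webroot)
	if err != nil {
		return false, err
	}
	p, err := filepath.Abs(dbPath)
	if err != nil {
		return false, err
	}
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return false, err
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator)), nil
}

func main() {
	if len(os.Args) != 3 {
		fmt.Println("usage: webrootaudit <webroot> <database-path>")
		return
	}
	found, err := ExposedFiles(os.Args[1])
	if err != nil {
		panic(err)
	}
	for _, f := range found {
		fmt.Println("downloadable from the web root:", f)
	}
	inside, err := IsUnderWebroot(os.Args[1], os.Args[2])
	if err != nil {
		panic(err)
	}
	fmt.Println("database inside web root:", inside)
}
```

Run it with the published directory and the path your connection string points at; anything the first check lists, and a `true` from the second, means the file needs to move out of the web root.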


Re: How to get a Secure Web Page? by Don

Don
Sat Dec 20 07:11:02 CST 2003

I used verisign.com.au but I gather they have branches in other places.
The ASP and script samples were excellent and support was good too.
If you need a link, look down the bottom of
http://www.cokeshop.com.au/cslogin.asp
I put a link there; their COM object does the encryption so I did not need an
SSL connection 'for what I did'

Regards
Don



"Anchorman" <JesseN0SPAM@davinci-mims.com> wrote in message
news:uHmKPDmxDHA.2304@TK2MSFTNGP12.phx.gbl...
> I have no idea where to start on this. We have a need to allow our users to
> enter Credit Card #'s on a web page, so we need a secure page (have the
> little lock at the bottom of the browser) in order to do this.
>
> 1) What is this called? (I've heard the term SSL (Secure Socket Layer)
> tossed around, I don't know if this is the same or something different).
>
> 2) If I need a certificate of some sort for our server, how do I get it?
>
> Thanks for any help you can offer.
>
> Jesse
> www.davinci-mims.com
>
>



Re: How to get a Secure Web Page? by Don

Don
Sat Dec 20 09:56:16 CST 2003

----- Original Message -----
From: "Peter Foti" <peterf@systolicNOSPAMnetworks.com>
Newsgroups: microsoft.public.inetserver.asp.general
Sent: Friday, December 19, 2003 5:54 PM
Subject: Re: How to get a Secure Web Page?

[post snipped]

> True, but I don't think that behind a firewall is exactly in plain view....
> except, of course, to anyone else who was behind that firewall (which in
> this scenario should only be the order processing folks).
>
> Pete

Don't necessarily trust your employees with access to credit card numbers
either. Employees steal more than the general public ever does.

From http://www.fdle.state.fl.us/press_releases/20030711_Brian_Newsome.html
"The investigation revealed that Newsome compromised in excess of 30
victims/credit card account holders of GE Financial/ JC Penney. Newsome was
employed by GE Financial as a customer service representative. Newsome
signed unauthorized individuals to the victims' accounts. Newsome then
solicited individuals to fraudulently purchase items/gift cards on the
victims' accounts. Newsome also provided fraudulent identification to
correspond with the various names. Agents of the US Postal Inspection
Service monitored and tracked mail fraudulently diverted by Newsome and/or
his co-conspirators. The investigation further revealed that Screen
assisted Newsome in fraudulent transactions. It is estimated that the loss
to victims is in excess of $100,000"

Just a thought to keep in mind.

Don