Security through client-side encryption?
derien
Forum Regular
Join Date: Aug 2002
Location: Cascadia
Jan 11, 2003, 12:26 AM
 
I work for a tiny company (I'm the only employee besides the owner) whose website thus far has been maintained primarily for contact and product information. Eventually, it would be nice to add the ability to order through the site, but that is unlikely to happen if it requires much of a sophisticated setup. (We're talking about a technologically-challenged enterprise here; the invoicing system remains implemented in Excel on a Mac Classic.) Probably most orders come over the fax from schools or retailers and are billed later, so it probably wouldn't be worth the expense to set up the site with SSL and complicated e-commerce tools.

For retail customers, though, I might be inclined to reproduce the order form in HTML (a table of products, with quantity boxes). Of course, if this were implemented by offering to call for credit card information, it would probably prove more difficult than just having the customer call in the order in the first place, since you have to take into account timezone differences and the possibility that the customer won't be at the number when the order is received.

So, I was thinking about how most easily to accept the credit card number online, and came up with the idea of using a client-side JavaScript to encode the information with a public key encryption scheme, and then sending the entire thing with a sendmail CGI. That way, the clear number would never pass through the Internet. Is there any problem with this concept? I think for this business's purposes, the technique would be preferable to using something like PayPal's shopping cart system.

I see that integers in JavaScript have accuracy only up to about 52 bits. That wouldn't be enough for a strong encryption, so are there any quick, easy ways to handle large numbers? Besides that, does anyone immediately see any flaw in the general concept? Who knows if there will even ever be time to work on it (the website is definitely not a priority), but I would like to have an idea of whether I'm justified in believing the security could be adequate. I realize that some people might be disinclined to use online ordering if they don't see the secure connection icon, but I'm not overly concerned about that; for now, I'm more interested in the soundness of the process itself.
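The number-size limit raised in the post above, worked through as an added example that is not part of the original thread: modular exponentiation (the core operation of RSA-style public-key schemes) written once with ordinary Numbers and once with BigInt, a language feature that did not exist when this was posted. The function names and all values are constructed for illustration; the key is a toy textbook RSA key with no padding.

```javascript
// Added illustration; all values below are constructed toy parameters.

// Square-and-multiply with ordinary Numbers (IEEE-754 doubles).
function modPowNumber(base, exp, mod) {
  let result = 1;
  base %= mod;
  while (exp > 0) {
    if (exp % 2 === 1) result = (result * base) % mod;
    base = (base * base) % mod; // silently rounded once the product passes 2^53
    exp = Math.floor(exp / 2);
  }
  return result;
}

// Same algorithm with BigInt, which has no fixed width.
function modPowBigInt(base, exp, mod) {
  let result = 1n;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return result;
}

// A Number modulus is only safe if the largest possible product is still exact.
function numberModulusIsSafe(mod) {
  return Number.isSafeInteger((mod - 1) * (mod - 1));
}

// Toy textbook RSA key (n = 61 * 53): far too small for real use.
const toy = { n: 3233n, e: 17n, d: 2753n };
const c = modPowBigInt(65n, toy.e, toy.n);
console.log("toy round trip:", c, modPowBigInt(c, toy.d, toy.n));

// A 28-bit modulus: squaring a residue already needs 55 bits.
const m28 = 134217731; // 2^27 + 3
console.log("safe for Number?", numberModulusIsSafe(3233), numberModulusIsSafe(m28));
console.log("Number:", modPowNumber(m28 - 2, 2, m28)); // wrong, no error raised
console.log("BigInt:", modPowBigInt(BigInt(m28 - 2), 2n, BigInt(m28)));
```

Because the product of two residues must itself stay exact, Number arithmetic limits the modulus to roughly 26 bits rather than the full width of the mantissa, and the failure is a wrong answer rather than an exception.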
     
Millennium
Clinically Insane
Join Date: Nov 1999
Jan 11, 2003, 12:11 PM
 
Encryption in JavaScript has some rather severe issues, perhaps chief among them being browser support. But public-key encryption is also going to be very slow in JS.

What Web server are you using? Generally, SSL isn't hard or expensive to implement at all, and shouldn't require any changes in your code (except perhaps to change http:// to https:// in your links).
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!
     
   
 