Re: [cobalt-users] PGP for dummys
- Subject: Re: [cobalt-users] PGP for dummys
- From: Jeff Lasman <jblists@xxxxxxxxxxxxx>
- Date: Tue May 14 02:13:56 2002
- Organization: nobaloney.net
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Steve Werby wrote:
> Jeff, in your friend's solution, the credit card data is stored on the
> server in plain text. Anyone who can access the email spool has access to
> the credit card info.
Thanks for pointing out the holes in this solution. I agree with you.
However, at the various points in transit the information is owned
either by the specific user or root, as I recall.
> and if the mail spool's owner ever accesses his/her
> email via a client program using standard plain text POP or IMAP it's
> possible for the credit card info. to be sniffed.
Yes, good procedures are quite important.
> It's certainly a step up
> from sending data using HTTP or sending the email in plain text to an
> external account, but any solution that keeps credit card information on the
> server in plain text is risky.
His response: he gets an email immediately to his regular mailbox to
tell him the credit card info is there; he goes right into the box and
reads it out, and deletes it.
I agree, it's riskier, but as you point out, it's one step above.
Is it "better" than using a pgp/gpg solution? Nope. Is it easy to
implement for some people? Yes.
We use offsite payment processors ourselves. The perceived advantage is
that if anyone gets on the six-o'clock news, it's not us <smile>.
Jeff
--
Jeff Lasman <jblists@xxxxxxxxxxxxx>
Linux and Cobalt/Sun/RaQ Consulting
nobaloney.net
P. O. Box 52672, Riverside, CA 92517
voice: (909) 778-9980 * fax: (702) 548-9484