Re: [cobalt-users] PGP for dummys
- From: "Steve Werby" <steve-lists@xxxxxxxxxxxx>
- Date: Tue May 14 03:51:44 2002
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
"Jeff Lasman" <jblists@xxxxxxxxxxxxx> wrote:
> Steve Werby wrote:
>
> > Jeff, in your friend's solution, the credit card data is stored on the
> > server in plain text. Anyone who can access the email spool has access to
> > the credit card info.
>
> Thanks for pointing out the holes in this solution. I agree with you.
> However, at the various points in transit the information is owned
> either by the specific user or root, as I recall.
And hopefully not group or world readable. I think I said it's risky to
store sensitive data like credit card info. in plain text on the server for
any length of time. If I didn't, I should have. If my credit card info. was
stolen I wouldn't care that the hacker had to get root access to the server
to do it.
> > and if the mail spool's owner ever accesses his/her
> > email via a client program using standard plain text POP or IMAP it's
> > possible for the credit card info. to be sniffed.
>
> Yes, good procedures are quite important.
>
> > It's certainly a step up
> > from sending data using HTTP or sending the email in plain text to an
> > external account, but any solution that keeps credit card information on the
> > server in plain text is risky.
>
> His response: he gets an email immediately to his regular mailbox to
> tell him the credit card info is there; he goes right into the box and
> reads it out, and deletes it.
<sarcasm>It must be nice to control user behavior so emails only arrive when
he's at the computer.</sarcasm>
> I agree, it's riskier, but as you point out, it's one step above.
>
> Is it "better" than using a pgp/gpg solution? Nope. Is it easy to
> implement for some people? Yes.
Definitely. But hopefully he's aware that servers can and do get hacked and
that this solution is vulnerable and there are possible points of failure.
> We use offsite payment processors ourselves. The perceived advantage is
> that if anyone gets on the six-o'clock news, it's not us <smile>.
There's a lot to be said for that!
--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
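One concrete check behind the "hopefully not group or world readable" point above is to audit the mode bits on the spool files themselves. The script below is an added example, not code from this thread or from Cobalt; it assumes a POSIX system with a traditional one-file-per-user mbox spool directory, and it builds a throwaway directory with constructed sample files rather than touching a real /var/spool/mail.

```python
import os
import stat
import tempfile

# Mode bits that grant read access to anyone other than the file's owner.
GROUP_OR_WORLD_READ = stat.S_IRGRP | stat.S_IROTH


def readable_by_others(path):
    """Return True if the file's mode lets group or world read it."""
    mode = os.stat(path).st_mode
    return bool(mode & GROUP_OR_WORLD_READ)


def audit_spool(spool_dir):
    """Return the sorted names of regular files in spool_dir that are
    readable by group or world. These are the mailboxes whose contents
    (including any plain-text card data) are exposed beyond the owner."""
    exposed = []
    for name in sorted(os.listdir(spool_dir)):
        path = os.path.join(spool_dir, name)
        if os.path.isfile(path) and readable_by_others(path):
            exposed.append(name)
    return exposed


def build_demo_spool():
    """Construct a temporary spool directory with constructed sample
    mailboxes (hypothetical users, not real data) at differing modes."""
    spool = tempfile.mkdtemp(prefix="spool-demo-")
    samples = {"alice": 0o600, "bob": 0o640, "carol": 0o644}
    for user, mode in samples.items():
        path = os.path.join(spool, user)
        with open(path, "w") as fh:
            fh.write("From orders@example.invalid\n"
                     "Subject: order\n\n"
                     "<card data would be here in the plain-text scheme>\n")
        os.chmod(path, mode)  # chmod ignores umask, so the bits are exact
    return spool


if __name__ == "__main__":
    demo = build_demo_spool()
    for name in audit_spool(demo):
        print(f"{name}: mailbox readable by group or world")
```

Point `audit_spool` at the real spool directory (as root, since the spool is normally not listable by ordinary users) to get the list of mailboxes that more than their owner can read. A group-readable hit is a finding to verify rather than a hole by itself: many MTAs deliberately keep spool files at mode 660 with the mail group so the delivery agent can append, so compare the group against what your MTA expects before treating it as exposure.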