1. Home
  2. Lainnya

Configuring for encryption and security

Configuring for encryption and security

If you have a lot of experience with Apache and its related tools, this may not be too big a deal, or if you are using an ISP and don’t have the authority to install programs on a box, then you won’t need to worry about the specialized installation necessary to work with e-commerce.

But in any case, you should have an idea of the tools you’ll need to get all of this working. First I will cover the basic theories behind encryption and Web security. I will then cover some of the mandatory tools for your Apache installation. Finally,

I will cover some of the options for maintaining state and processing credit card transactions offered in PHP.

ENCRYPTION AND SECURITY THEORY

One of the best things about working around the Web is having first-hand knowl- edge of the work done by people far, far smarter than myself. Some of the most intense, complex and brain-intensive work being done is in the realm of security. This is algorithm-heavy stuff, and to really understand how the protocols work, you need to know quite a bit of math. Luckily, you don’t need to have an advanced degree to understand the theories; and putting the stuff into practice really isn’t too bad.

PUBLIC- KEY/ PRIVATE- KEY ENCRYPTION Machines on the Web make use of a Public-key/Private-key security scheme. Basically this means that computers that wish to communicate using encrypted data must have two keys to encrypt and decrypt data. First there is the Public key. As the name suggests the Public key is not hidden. It is available to all those you wish to communicate with. So everybody

370 Part IV: Not So Simple Applications

out there who wishes to communicate with you securely will have a copy of your Public key.

You might think that this is potentially dangerous. After all, everyone has access to your Public key, and thus they’ll understand how you encrypted your data. But actually, it’s just fine, because the messages can only be decrypted by the Private key. The Private key is kept . . . well . . . private. No one else has access to it.

So, for example, say you are going process a credit card with a bank. You will have access to the bank’s Public key, with which you will encrypt the information. But because of the complex algorithms involved, only the Private key held by the bank can decrypt the data.

CERTIFICATES Even with the Public key/Private key safeguards, the banks will have one major concern: that the messages they are getting are not from the

sources they appear to be from. That is, if you are running sofamegastore.com , the bank needs to make sure that the request for credit-card authorization for that loveseat is actually from Sofa Megastore, not someone who is pretending to be Sofa Megastore. This requires a third party.

The encrypted messages that you send and receive will have a signature of sorts, but that signature must be verified. For this reason, organizations that wish to communicate over the Web make use of organizations that distribute certificates that verify the sender of a message. So it should make sense that you need to go to one of these organizations to get your Public and Private keys.

N OTE

Probably the best-known organization involved in securit y certificates is VeriSign. You can find out about their offerings at this site: http:// www.verisign.com/products/site/ss/index.html.

SECURE PROTOCOL HTTP by its very nature is open to eavesdropping. Packets that move across the Internet’s routers are full of messages just waiting to be sniffed and read. Normally, the fact that you can easily read data sent via HTTP is

a good thing. It makes the transfer and rendering of information quite easy. However, in cases where you need security, HTTP won’t work well. For example, if you are giving credit-card information to a site —say the commerce site you set up —you want to make sure that the information is unreadable. In order to do that, you need to make use of the Secure Socket Layer, or SSL. SSL is an additional protocol by which the keys and certificates from your site will be transferred to a browser or another server. Over SSL, your browser will be able to verify the certificate from your site so that it knows you are who you say you are. And sites will be able to verify each other.

Chapter 14: Shopping Cart 371

All the encryption in the world will not stop someone who has hacked into your box or has legitimate access.Most credit-card theft is done by dishonest

Ca u t io n

employees with too much access.

This has been a quick and dirt y introduction to Web securit y. If you would like to learn more, I suggest starting with this page, and following any inter-

XREF

esting links provided there: http://www.modssl.org/docs/2.6/ssl_ overview.html

Dokumen yang terkait

Minggu 2 : PHP, HTML, and State

0 0 25

Chapter02 - Presenting Data in Tables and Charts

0 0 35

Strategies and Steps to eBusiness Success

0 0 51

Chapter07 - Sampling and Sampling Distributions

0 0 37

Chapter12 - Chi Square Tests and Nonparametric

0 0 65

Chapter16 - Time-Series Forecasting and Index

0 1 57

Intro to Network Security and Scanning

1 2 40

Req and Specification.zip

0 0 25

Limit Index: This index groups the records (keys) and only provides the location

0 0 7

File Organization and Storage Structures

0 0 7