Where I work we have an ecommerce system on an intranet set up to process customer's credit cards. Currently when we charge a customer's credit card using Authorize.net we are not sending the credit card info to Authorize.net over a secure connection. Instead it goes over regular http. I'd like to get other opinions of how serious/negligent this is. Thanks.
在我工作的地方,我们在内联网上设置了一个电子商务系统,用于处理客户的信用卡。目前,当我们使用Authorize.net向客户的信用卡收费时,我们不会通过安全连接向Authorize.net发送信用卡信息。相反,它会超过常规的http。我想得到关于这是多么严重/疏忽的其他意见。谢谢。
EDIT: It looks like I'm wrong. I snooped around in the code and it looks like it's processing the credit card at https://secure.authorize.net. However, the web page where the credit card is entered is not secure. This is a different situation than I originally described. Sorry about that.
编辑:看起来我错了。我在代码中窥探,看起来它正在处理https://secure.authorize.net上的信用卡。但是,输入信用卡的网页不安全。这与我最初描述的情况不同。对于那个很抱歉。
5 个解决方案
#1
This seems very negligent. There have been too many leaks of credit card information to allow this sort of behavior.
这似乎很疏忽。信用卡信息泄漏太多,无法实现这种行为。
Even if the processing was handled internal to your intranet, and not being sent up to a 3rd party, I would recommend using secured connections. You don't want this to be accessible by anybody, even internal, non-authorized employees.
即使处理是在您的Intranet内部处理,而不是发送给第三方,我建议使用安全连接。您不希望任何人访问此内容,即使是未经授权的内部员工也是如此。
#2
I'm confused. How are you sending plain HTTP requests to Authorize.net? Their transaction endpoints don't have HTTP versions - they'd be criminally negligent to permit that.
我糊涂了。你如何向Authorize.net发送纯HTTP请求?他们的事务端点没有HTTP版本 - 他们在犯罪上是疏忽的。
Now that you've edited, things are a bit clearer. Yes, it's still a security risk to have the intranet page be HTTP instead of HTTPS, but far less than what your question originally indicated (unencrypted transit of the public Internet).
既然你已经编辑过,事情会更清楚一些。是的,将Intranet页面设置为HTTP而不是HTTPS仍然存在安全风险,但远远低于您的问题最初指示的内容(未加密的公共Internet传输)。
As it's internal, you don't need a paid SSL certificate (if cost is the reason for avoiding HTTPS - I can't think of any other good reasons) - you should be able to use a self-signed one.
因为它是内部的,你不需要付费的SSL证书(如果成本是避免HTTPS的原因 - 我想不出任何其他好的理由) - 你应该能够使用自签名证书。
#3
It's very important and what you do can cause some serious problems.
这非常重要,你所做的事可能会导致一些严重的问题。
Also it's against PCI standards and every company who process credit card information has to follow PCI standards, therefore you might go into some legal trouble to do so.
此外,它违反了PCI标准,每个处理信用卡信息的公司都必须遵循PCI标准,因此您可能会遇到一些法律问题。
#4
It's an absolute, unmitigated disaster. You should immediately (and I mean immediately) use at least transport level security (SSL/TLS) and if Authorize.net can set up for it, message level security as well.
这是一场绝对的,毫不畏缩的灾难。你应该立即(我的意思是)立即使用传输级安全性(SSL / TLS),如果Authorize.net可以为它设置消息级安全性。
#5
I would recommend reading the OWASP guide: http://www.owasp.org/index.php/Category:OWASP_Guide_Project (Free download)
我建议阅读OWASP指南:http://www.owasp.org/index.php/Category:WHASP_Guide_Project(免费下载)
Page 53 and onwards .. Got some great information.
Page 53及以后..获得了一些很棒的信息。
I would say, what you're doing is terrible negligent and needs to be sorted ASAP ..
我会说,你正在做的是可怕的疏忽,需要尽快排序。
#1
This seems very negligent. There have been too many leaks of credit card information to allow this sort of behavior.
这似乎很疏忽。信用卡信息泄漏太多,无法实现这种行为。
Even if the processing was handled internal to your intranet, and not being sent up to a 3rd party, I would recommend using secured connections. You don't want this to be accessible by anybody, even internal, non-authorized employees.
即使处理是在您的Intranet内部处理,而不是发送给第三方,我建议使用安全连接。您不希望任何人访问此内容,即使是未经授权的内部员工也是如此。
#2
I'm confused. How are you sending plain HTTP requests to Authorize.net? Their transaction endpoints don't have HTTP versions - they'd be criminally negligent to permit that.
我糊涂了。你如何向Authorize.net发送纯HTTP请求?他们的事务端点没有HTTP版本 - 他们在犯罪上是疏忽的。
Now that you've edited, things are a bit clearer. Yes, it's still a security risk to have the intranet page be HTTP instead of HTTPS, but far less than what your question originally indicated (unencrypted transit of the public Internet).
既然你已经编辑过,事情会更清楚一些。是的,将Intranet页面设置为HTTP而不是HTTPS仍然存在安全风险,但远远低于您的问题最初指示的内容(未加密的公共Internet传输)。
As it's internal, you don't need a paid SSL certificate (if cost is the reason for avoiding HTTPS - I can't think of any other good reasons) - you should be able to use a self-signed one.
因为它是内部的,你不需要付费的SSL证书(如果成本是避免HTTPS的原因 - 我想不出任何其他好的理由) - 你应该能够使用自签名证书。
#3
It's very important and what you do can cause some serious problems.
这非常重要,你所做的事可能会导致一些严重的问题。
Also it's against PCI standards and every company who process credit card information has to follow PCI standards, therefore you might go into some legal trouble to do so.
此外,它违反了PCI标准,每个处理信用卡信息的公司都必须遵循PCI标准,因此您可能会遇到一些法律问题。
#4
It's an absolute, unmitigated disaster. You should immediately (and I mean immediately) use at least transport level security (SSL/TLS) and if Authorize.net can set up for it, message level security as well.
这是一场绝对的,毫不畏缩的灾难。你应该立即(我的意思是)立即使用传输级安全性(SSL / TLS),如果Authorize.net可以为它设置消息级安全性。
#5
I would recommend reading the OWASP guide: http://www.owasp.org/index.php/Category:OWASP_Guide_Project (Free download)
我建议阅读OWASP指南:http://www.owasp.org/index.php/Category:WHASP_Guide_Project(免费下载)
Page 53 and onwards .. Got some great information.
Page 53及以后..获得了一些很棒的信息。
I would say, what you're doing is terrible negligent and needs to be sorted ASAP ..
我会说,你正在做的是可怕的疏忽,需要尽快排序。