Data encryption

2004-05-14 Thread Werner
Hi there,

I've got a form that makes use of the GET method to provide the cgi script 
with details. My problem is that you can see all of the fields being 
posted. i.e.

/people.cgi?surname=TestSurname&forename=TestName&location=TestLocation&phone=TestPhoneNumber&search=+Search+

is there any way that I make sure these details are not seen or to be 
encrypted in some way?

Kind Regards
Werner
--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
http://learn.perl.org/ http://learn.perl.org/first-response



Re: Data encryption

2004-05-14 Thread David Dorward
On 14 May 2004, at 08:33, Werner wrote:
> I've got a form that makes use of the GET method to provide the cgi
> script with details. My problem is that you can see all of the fields
> being posted. i.e.
>
> /people.cgi?surname=TestSurname&forename=TestName&location=TestLocation&phone=TestPhoneNumber&search=+Search+
>
> is there any way that I make sure these details are not seen or to be
> encrypted in some way?

Well, you could use POST (not that that makes it impossible for the  
user to see the data, it just doesn't encode it in the URL). This would  
break the ability of the user to bookmark the results page (and post is  
explicitly for http requests which change something on the server) so  
that wouldn't be a good idea.

You could also use client side scripting (ha ha) to run the data  
through some encoding algorithm, then reverse it in the Perl. This  
would break the moment someone tried to use it without client side  
scripting enabled, so it is also a bad idea.

I can't think why you would want to hide this information; the user  
has, presumably, typed it into a search form and thus already knows it!

--
David Dorward
 http://dorward.me.uk/
http://blog.dorward.me.uk/



Re: Data encryption

2004-05-14 Thread David Dorward
On 14 May 2004, at 09:45, Alexander Blüm wrote:
> On Fri, 14 May 2004 09:25:27 +0100
> David Dorward [EMAIL PROTECTED] wrote:
>> On 14 May 2004, at 08:33, Werner wrote:
>>> I've got a form that makes use of the GET method to provide the cgi
>>> script with details. My problem is that you can see all of the
>>> fields being posted.
>
> better yet:
> use SSL (I mean the apache module) or any other secure data transport
> layer.

That would be a good way to protect the information from third parties,
I thought the question was about hiding it from the user.

--
David Dorward
 http://dorward.me.uk/
http://blog.dorward.me.uk/



Re: Data encryption

2004-05-14 Thread Alexander Blüm
On Fri, 14 May 2004 09:25:27 +0100
David Dorward [EMAIL PROTECTED] wrote:

> On 14 May 2004, at 08:33, Werner wrote:
>> I've got a form that makes use of the GET method to provide the cgi
>> script with details. My problem is that you can see all of the
>> fields being posted. i.e.
>>
>> /people.cgi?surname=TestSurname&forename=TestName&location=TestLocation&phone=TestPhoneNumber&search=+Search+
>>
>> is there any way that I make sure these details are not seen or to
>> be encrypted in some way?
>
> Well, you could use POST (not that that makes it impossible for the
> user to see the data, it just doesn't encode it in the URL). This
> would break the ability of the user to bookmark the results page (and
> post is explicitly for http requests which change something on the
> server) so that wouldn't be a good idea.
>
> You could also use client side scripting (ha ha) to run the data
> through some encoding algorithm, then reverse it in the Perl. This
> would break the moment someone tried to use it without client side
> scripting enabled, so it is also a bad idea.
>
> I can't think why you would want to hide this information; the user
> has, presumably, typed it into a search form and thus already knows
> it!
>
> --
> David Dorward
> http://dorward.me.uk/
> http://blog.dorward.me.uk/
 


better yet:
use SSL (I mean the apache module) or any other secure data transport
layer.

cheers,
  Alex





Re: Data encryption

2004-05-14 Thread Alexander Blüm
On Fri, 14 May 2004 09:55:15 +0100
David Dorward [EMAIL PROTECTED] wrote:

> On 14 May 2004, at 09:45, Alexander Blüm wrote:
>> On Fri, 14 May 2004 09:25:27 +0100
>> David Dorward [EMAIL PROTECTED] wrote:
>>
>>> On 14 May 2004, at 08:33, Werner wrote:
>>>> I've got a form that makes use of the GET method to provide the
>>>> cgi script with details. My problem is that you can see all of the
>>>> fields being posted.
>>
>> better yet:
>> use SSL (I mean the apache module) or any other secure data
>> transport layer.
>
> That would be a good way to protect the information from third
> parties, I thought the question was about hiding it from the user.
>
> --
> David Dorward
> http://dorward.me.uk/
> http://blog.dorward.me.uk/

ok, then have embedded datablocks of encrypted values and use the
perl--javascript solution. it is one of many possibilities. this way
you restrict the user to use a javascript capable browser.

another way would be to use java applets. bad choice, though. ;)

if you use the js--perl solution, you'll have to invent an algorithm
yourself. if you're dealing with not-the-smartest users, then a rot13
might do. and you'll have to use the POST method.
for stronger encryption go here:
http://www.vidwest.com/crypt/

 cheers,
  Alex





Re: encryption

2002-08-30 Thread fliptop

On Fri, 30 Aug 2002 at 10:32, Jimmy George opined:

JG:Is there any way of encrypting a credit card number etc. so that it can
JG:not be seen when being transmitted from desktop to server? The user
JG:needs to see what they type to make sure it is correct - so how do we
JG:get cgi to encrypt that at the user end before transmission.
JG:
JG:I have read some books about it but all we appear to be able to do is to
JG:encrypt the received raw number before storing it so that the file it is
JG:kept in cannot be opened and read. Is that the limit right now?
JG:
JG:Any ideas or places to look?

you could use FreezeThaw and store all the info associated with the credit
card (number, exp date, address, name, etc) as a string.

http://search.cpan.org/author/ILYAZ/FreezeThaw-0.43/FreezeThaw.pm

or, you can use one of the Crypt:: modules.

http://search.cpan.org/search?mode=all&query=encrypt






Re: encryption

2002-08-30 Thread zentara

On Fri, 30 Aug 2002 10:32:27 +1000, [EMAIL PROTECTED] (Jimmy
George) wrote:

> Is there any way of encrypting a credit card number etc. so that it can
> not be seen when being transmitted from desktop to server? The user
> needs to see what they type to make sure it is correct - so how do we
> get cgi to encrypt that at the user end before transmission.

You don't use cgi to encrypt data on the user side.  If you are
accepting credit card data, you need to be using the SSL protocol
(https instead of http), which sends everything encrypted. The user
can enter cc data in the browser, then send to a https address. None of
the cc data will be visible in the transmission.

If you notice, most online stores will switch from http to https when
you check out. Some just run https all the time.

There is a developer who is trying a method of Login Authentication
with MD5 over http for people who don't have a secure server, it's
called Javascript-LoginMD5. It works like this: When you first go
to the cgi-script, it sends out a md5 key, which is used by some
javascript in the browser to hide the password. It times out after
a time delay, like 30 seconds.
BUT this is totally inadequate for credit card data. If you try
something like that for credit cards, you could be held liable
for negligence with the data.

If you are running your own server, you need to get a
server-certificate from someplace like Verisign. Then you can start
running a secure server with https on port 443.
You can make your own self-certified certificate, but it
is not trusted, because no external authority like Verisign
has endorsed you as being trustworthy. What is to stop
people from setting up phony stores with self-certified
certificates, just to collect credit card numbers? The Verisign
people, and their competitors, investigate your legitimacy, then
they give you a signed certificate to use in your web server.

If you are running on a server from someone else, look at
their help section for secure server or ask the administrator.

> I have read some books about it but all we appear to be able to do is to
> encrypt the received raw number before storing it so that the file it is
> kept in cannot be opened and read. Is that the limit right now?

That is the way it is, your cgi program can only do encryptions on 
the data it has on the server.  The encryption during transmission
is handled by the protocol used either http on port 80, or https on
port 443.
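
An added sketch (not part of the original message, and not Javascript-LoginMD5's own code) of the kind of login exchange described above: the server issues a challenge, the browser sends back only a hash of challenge and password, and the challenge expires after 30 seconds. The account, the in-memory `%ISSUED` store and the single-use rule are assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added sketch of an MD5 challenge-response login; all values are constructed.
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

my $TTL      = 30;                             # challenge lifetime in seconds
my %PASSWORD = ( alice => 'correct horse' );   # constructed; server must hold it
my %ISSUED;    # nonce => issue time; stands in for a server-side session store

# Server: hand the browser a fresh random challenge and remember when.
sub new_challenge {
    my ($now) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "no /dev/urandom: $!";
    read( $fh, my $bytes, 16 ) == 16 or die "short read from /dev/urandom";
    close $fh;
    my $nonce = unpack 'H*', $bytes;
    $ISSUED{$nonce} = $now;
    return $nonce;
}

# Browser (JavaScript in the scheme described): only this hash is sent.
sub client_response {
    my ( $nonce, $password ) = @_;
    return md5_hex("$nonce:$password");
}

# Server: each challenge is usable once and only while it is fresh.
sub verify {
    my ( $user, $nonce, $response, $now ) = @_;
    my $issued = delete $ISSUED{$nonce};
    return 'unknown challenge' unless defined $issued;
    return 'expired' if $now - $issued > $TTL;
    my $known = $PASSWORD{$user};
    return 'rejected' unless defined $known;
    return $response eq md5_hex("$nonce:$known") ? 'ok' : 'rejected';
}

my $t0    = time;
my $nonce = new_challenge($t0);
my $resp  = client_response( $nonce, 'correct horse' );
print 'within 30s   : ', verify( 'alice', $nonce, $resp, $t0 + 5 ), "\n";
print 'same reply x2: ', verify( 'alice', $nonce, $resp, $t0 + 6 ), "\n";

my $late = new_challenge($t0);
print 'after 45s    : ',
    verify( 'alice', $late, client_response( $late, 'correct horse' ), $t0 + 45 ), "\n";

my $third = new_challenge($t0);
print 'wrong pass   : ',
    verify( 'alice', $third, client_response( $third, 'guess' ), $t0 + 5 ), "\n";
```

The response only proves knowledge of a password the server already holds; because the hash is one-way, the same exchange cannot deliver new data such as a card number to the server, which is why that case needs https.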







Re: encryption

2002-08-30 Thread Wiggins d'Anconia



zentara wrote:
> On Fri, 30 Aug 2002 10:32:27 +1000, [EMAIL PROTECTED] (Jimmy
> George) wrote:
>
>> Is there any way of encrypting a credit card number etc. so that it can
>> not be seen when being transmitted from desktop to server? The user
>> needs to see what they type to make sure it is correct - so how do we
>> get cgi to encrypt that at the user end before transmission.

<snip>

> You can make your own self-certified certificate, but it
> is not trusted, because no external authority like Verisign
> has endorsed you as being trustworthy. What is to stop
> people from setting up phony stores with self-certified
> certificates, just to collect credit card numbers? The Verisign
> people, and their competitors, investigate your legitimacy, then
> they give you a signed certificate to use in your web server.

<snip>

<obligatory microsoft bash>

With the exception of micro$oft internet explorer which still doesn't
handle this correctly, which is what all the news has been about lately.

</obligatory microsoft bash>

use Mozilla;

(Had to get that out of my system, carry on)

http://danconia.org






Base 64 encryption Routines

2001-11-21 Thread Darryl Schnell

I'm currently working on a perl program that interacts with Windows
Active Directory and was wondering if anyone knew or has a subroutine
that will encrypt a password using base 64 encryption.







Re: Base 64 encryption Routines

2001-11-21 Thread Casey West

On Nov 21, 2001 at 04:29 -0500, Darryl Schnell took the soap box and proclaimed:
: I'm currently working on a perl program that interacts with Windows
: Active Directory and was wondering if anyone knew or has a subroutine
: that will encrypt a password using base 64 encryption.

Use the module Digest::MD5.  There is a function called md5_base64().

  use Digest::MD5 qw(md5_base64);
  my $encrypted = md5_base64( $password );

Read about it here:
  http://search.cpan.org/doc/MSERGEANT/AxKit-1.4/Digest-MD5-2.12/MD5.pm

  Casey West

-- 
Shooting yourself in the foot with HURD
You'll be able to shoot yourself in the foot Real Soon Now.
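
An added illustration (not part of the original message) of what the two things named in this thread do to a password: Base64 from MIME::Base64 is a reversible encoding, while `md5_base64()` from Digest::MD5 returns a one-way, unsalted digest written in Base64. The account names and passwords are constructed sample values.

```perl
#!/usr/bin/perl
# Added illustration; sample passwords are constructed.
use strict;
use warnings;
use MIME::Base64 qw(encode_base64 decode_base64);
use Digest::MD5  qw(md5 md5_base64);

# Base64 is an encoding: no key, and decode_base64 undoes it for anyone.
sub base64_roundtrip {
    my ($plain) = @_;
    my $encoded = encode_base64( $plain, '' );    # '' suppresses the newline
    return ( $encoded, decode_base64($encoded) );
}

# md5_base64 is a one-way digest written in Base64 without '=' padding.
# Appending '==' gives the padded form other tools print for the same hash.
sub padded_md5_base64 {
    my ($plain) = @_;
    return md5_base64($plain) . '==';
}

my @accounts = (    # two users share a password on purpose
    [ alice => 'S3cret!pass' ],
    [ bob   => 'S3cret!pass' ],
    [ carol => 'another-one' ],
);

for my $account (@accounts) {
    my ( $user, $password ) = @$account;
    my ( $encoded, $decoded ) = base64_roundtrip($password);
    my $digest = md5_base64($password);
    printf "%-5s base64=%-18s decodes to '%s'\n", $user, $encoded, $decoded;
    printf "      md5_base64=%s (%d chars)\n", $digest, length $digest;
    # Decoding the digest yields the 16 raw hash bytes, never the password.
    my $raw = decode_base64( padded_md5_base64($password) );
    printf "      digest decodes to %d bytes; is raw MD5: %s\n",
        length $raw, ( $raw eq md5($password) ? 'yes' : 'no' );
}
# alice and bob print the same md5_base64 value: the digest is unsalted, so
# equal passwords are visible as equal digests.
```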
