From owner-freebsd-questions@FreeBSD.ORG Tue Sep 7 06:17:16 2004 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5830216A4CE for ; Tue, 7 Sep 2004 06:17:16 +0000 (GMT) Received: from fwall.in.markiza.sk (fwall.in.markiza.sk [62.168.76.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id 025D943D66 for ; Tue, 7 Sep 2004 06:17:15 +0000 (GMT) (envelope-from corwin@aeternal.net) Received: from localhost (localhost.markiza.sk [127.0.0.1]) by fwall.in.markiza.sk (Postfix) with ESMTP id 9C6B523083; Tue, 7 Sep 2004 08:17:13 +0200 (CEST) Received: from fwall.in.markiza.sk ([127.0.0.1]) by localhost (fwall.in.markiza.sk [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 57160-07; Tue, 7 Sep 2004 08:17:10 +0200 (CEST) Received: from pleiades.aeternal.net (pleiades.in.markiza.sk [192.168.13.7]) by fwall.in.markiza.sk (Postfix) with ESMTP id 2CCF122F46; Tue, 7 Sep 2004 08:17:10 +0200 (CEST) Received: by pleiades.aeternal.net (Postfix, from userid 502) id 6EB581703C; Tue, 7 Sep 2004 08:18:55 +0200 (CEST) Date: Tue, 7 Sep 2004 08:18:55 +0200 From: Martin Hudec To: FreeBSD Mail Lists Message-ID: <20040907061855.GA74115@pleiades.aeternal.net> References: <6ef4c2b8eb37d954d7b887c5e1f45810@untoldfaith.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="5vNYLRcllDrimb99" Content-Disposition: inline In-Reply-To: <6ef4c2b8eb37d954d7b887c5e1f45810@untoldfaith.com> X-Copyright: (C) 2004 Martin Hudec X-Operating-System: FreeBSD pleiades.aeternal.net 5.2.1-RELEASE-p9 i386 X-PGP-Key: http://www.aeternal.net/corwin_aeternal.asc User-Agent: Mutt/1.5.6i X-Virus-Scanned: by amavisd-new at web.markiza.sk cc: freebsd-questions@freebsd.org Subject: Re: Update Databases from Webserver X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: Martin Hudec List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 07 Sep 2004 06:17:16 -0000 --5vNYLRcllDrimb99 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Sep 06, 2004 at 10:55:42PM -0600 or thereabouts, FreeBSD Mail Lists= wrote: > Richard, > Thanks for your reply. I thought there was something terribly wrong=20 > with that logic. So I thought I would ask in this mail list since=20 > people have been great here in the past about everything else I=20 > wanted to know. > Are there any security lists in relation to ecommerce that you=20 > would recommend? So I can stop annoying everyone else here. =20 > I just don't want to make anymore mistakes than I have to=20 > starting down this road. Stop talking like that. You are not annoying anyone in here. You asked the question, you got the replies. Richard wrote nice email. But it would be much better and less painful for you, if you could run your credit card transactions using services of your Bank, or maybe by some kind of well know and trustworthy billing system. Why should you have dreamless nights? Credit card info is very *very* sensitive information. So ask yourself, do you really need to have all the stress or can you leave it to your bank/billing partner (although for small fee)? And mainly, are you well known to your customers, even to those which are new? Because if I am about to give someone my credit card info I will not trust to e-commerce application provider, but to well known bank or such. Cheers, Martin Hudec >=20 > -----Original message----- > From: "Richard Lynch" ceo@l-i-e.com > Date: Mon, 6 Sep 2004 17:22:54 -0600 > To: "FreeBSD Mail Lists" freebsd@untoldfaith.com > Subject: Re: Update Databases from Webserver >=20 > > FreeBSD Mail Lists wrote: > > > I would like to see how other people are updating backend databases > > > (postgresql on FreeBSD, internal network) from a webserver (apache,ph= p on > > > FreeBSD, dmz network) through a firewall. Pretty much what I am tryi= ng to > > > learn is how to take private information (credit card numbers, etc.) = and > > > write it to a backend database without leaving any huge holes for hac= king. > > > Should this be done or am I barking up the wrong tree, should there = be an > > > intermediary step? I have been trying to find information books/web = that > > > gives a real nuts and bolts way of trying to do this stuff and am not > > > having a lot of luck. Any pointers books or sites would be appreciat= ed. > >=20 > > The most common answer is "Don't do that" > >=20 > > 99.99999% of e-commerce sites have absolutely no business storing credit > > card numbers on any hardware they own. > >=20 > > They should simply run the transaction through their Merchant Account > > (bank) computer using a secure connection, and the software provided by > > their Merchant Account (bank). > >=20 > > If you need a recurring charge, you can run your charge through the > > Merchant Account as a "recurring charge" (whoda thunk it?) and the > > Merchant Account software will give you back a unique transaction # to > > refer to if you ever need to cancel THAT particular recurring charge. = You > > would store only that transaction number, and *NOT* the customer's cred= it > > card charge. > >=20 > > In the unlikely event that you really *ARE* in the 0.000001% of servers > > that needs to store credit card info... Well, it's kinda scare that > > you're asking here, rather than a security mailing list, but here is *O= NE* > > solution that may be worth considering. > >=20 > > I am posting to the list so that others can tell us just how inadequate > > this is. > >=20 > > You should also be aware that by no means am I an "expert" -- I am simp= ly > > describing what has been described to me as the "right way" (tm) to do > > this. > >=20 > > My information may be out of date. (It's been awhile.) > >=20 > > I chose to let the Merchant Account (bank) worry about keeping credit c= ard > > numbers safe, rather than do all of the following. > >=20 > > You probably should too. > >=20 > > Depending on the current interpretation of existing laws, you, the web > > developer, may or may not be held responsible for *ANY* damages that > > result from your work -- no matter how faultless you may be in reality.= =20 > > We're talking legalities here, not reality. > >=20 > > Did I mention that you really shouldn't be doing this at all? Good. > >=20 > >=20 > >=20 > > First, your servers *MUST* be in a physically secure location, with acc= ess > > limited to *ONLY* people you really really really trust. > >=20 > > No software in the world will do you any damn good if a not-so-honest > > person can waltz in and play around with the hardware! > >=20 > > If you *CANNOT* guarantee that the hardware in question can *ONLY* be > > accessed by trusted individuals, than you should stop reading right here > > and now. > >=20 > > This rules out shared servers, co-location (IMHO), and almost all > > corporate servers, which need too many people of limited trust value to= be > > able to access them to keep them up. > >=20 > > Next, you need a SECOND server which will be used to hold credit card > > info, and that second computer will *NOT* be connected to the Internet > > (directly) > >=20 > > You put an extra NIC in your web-server, and run a cross-over cable to = the > > SECOND server, the extra one, which will hold the credit card numbers. > >=20 > > You limit ethernet access to that second computer which will hold credit > > cards so that *ONLY* the one computer connected to it via the cross-over > > cable will be allowed to connect. > >=20 > > The "extra" NIC in the web-server and the SECOND server are both on a > > separate sub-net from everything else in your system. IE, the only > > interface cards in your entire organization that utilize the IP address > > space in question are those two (2) NICs. > >=20 > > You then make 100% sure that you simply cannot get to that SECOND box f= rom > > anywhere else in the organization. > >=20 > > What is quite well-documented is that you use SSL (and ONLY SSL) to all= ow > > the customer to get their credit card info to your web-server. > >=20 > > You then write some routines to get the credit card numbers from your > > web-server through your second NIC to the second server. > >=20 > > These routines get the fine-tooth code-review treatment, by multiple pe= ople. > >=20 > > They should be mind-numbingly simple, clearly documented, and do the > > absolute minimum possible to conduct your business. > >=20 > > You test these routines every way you can think of to see how they can = be > > broken. > >=20 > > You hire an outside security audit team to test your server and routines > > to see how they can be broken. > >=20 > > You use something like tripwire to raise nine kinds of hell if anything > > changes on the portion of the web-server that talks to the SECOND machi= ne, > > and, of course, if anything (other than data) changes on the SECOND > > machine. > >=20 > > Under *NO* circumstances should the routines *EVER* store the credit ca= rd > > numbers in any file, database, shared memory, or anything less transito= ry > > than the variables of a single script, operating under SSL, on the > > web-server. > >=20 > > So, in effect, you get the cc# onto the SECOND box which is not truly > > accessible from the Internet, and you shove it IMMEDIATELY into that > > SECOND box, and you make damn sure it NEVER "leaks" out of that SECOND = box > > and the air-tight routines on the web-server that are allowed to access > > that SECOND box. > >=20 > > All of this also presumes that your web-server is *ALSO* as secure as y= ou > > can make it, that data, and *ONLY* data, is changed on the web-server, = not > > programs. > >=20 > > You don't have an army of developers writing scripts (PHP, Perl, CGI, > > whatever) on this web-server -- If you need all that, get THREE boxes. > >=20 > > 1. Regular web-server. > > 2. E-commerce web-server, with link to "OTHER" box > > 3. OTHER box with CC#s in it. > >=20 > >=20 > > Box #1 is where your HTML/PHP/Perl/CGI programmers have "access" > >=20 > > Box #2 is rigged to scream if anybody so much as changes a tag on i= t, > > but has the "Checkout" page on it, where CC#s are taken in, and is > > accessible to the Internet. > >=20 > > Box #3 has the CC#s on it, and is not accessible to the Internet, only = to > > Box #2. > >=20 > >=20 > > I'll say it again: It's incredibly UNLIKELY that you really should be > > doing this at all. It's also very very very likely that this answer is= A) > > wrong,B) incomplete, C) out-dated, and D) all of the above. > >=20 > > --=20 > > Like Music? > > http://l-i-e.com/artists.htm > >=20 --=20 Martin Hudec | corwin at aeternal.net | corwin at web.markiza.sk http://www.aeternal.net | cell +421 907 303 393 --5vNYLRcllDrimb99 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (FreeBSD) iD8DBQFBPVLPZYEZIv+rgggRAqlwAJ96cr8Z+XOlvBtGumJLp8Ll177QxwCfeLRm +UzSIFKQgWtEIwSUNawDCJE= =WzyY -----END PGP SIGNATURE----- --5vNYLRcllDrimb99--