FutureQuest Community > FutureQuest Site Owners (All may read - Only Site Owners May Respond) > Questions & Suggestions
Old 07-28-2002, 04:19 PM   Postid: 71636
Brian Matthews
Registered User

SSL How Secure is 'Secure'?

I recently got a secure server page at Future Quest to accept credit card numbers, and store them, until I retrieve them later, then delete them.

The site has 128 bit encryption. My Question is, just how hard would it be for someone to break their way into the system to steal the information? Don't know if how 'hard' is the right way to put it, or if how 'likely/unlikely' would a break-in be?

Any input is greatly appreciated.
Thanks, Brian
Old 07-28-2002, 04:42 PM   Postid: 71637
jay scott
Site Owner

The 128-bit encryption should be quite difficult to break, so the data should be safe in transit. It is far, far more likely to be stolen by somebody compromising one of the endpoints, either the user's computer or your back-end.

The user's computer is beyond your power to secure, but it's still of some concern because theft of data from it might be blamed on you. "I sent that only to you, you must be the one who spread it around!" If you've seen e-mail viruses, then you know that there are many, many compromised computers out there.

As for your back-end, I don't know. That depends on the software. All the big credit card number thefts that I've read about in the paper were from break-ins to corporate databases where the corporation should have known better, so you're asking a good question.
Old 07-28-2002, 04:50 PM   Postid: 71638
Terra
CTO FutureQuest, Inc.
 
This is a very open-ended question with no clear or defined answer as new security holes are found in software daily... It is an unfortunate side-effect of the natural evolution of software/systems...

The reality is that as long as a computer is connected to the Internet, then if someone wants in bad enough - the probability they will succeed depends on the skill of the cracker in relation to their intended target...

The only truly secure computer is the one that was never assembled...

If you are dealing with Credit Card numbers, those usually have a higher value on the black market than other sensitive information... In your case, if you have concerns on handling the security of CC numbers, then I highly recommend that you consult with an E-Commerce specialist... Rich Shockney with RSMarketing.com is an active participant in these forums so you may want to email him directly to discuss this further as it may require a customized solution for your exact needs...

--
Terra
--The main security issues that worry me are the ones that only a small number of blackhat crackers know about--
FutureQuest
Old 07-28-2002, 07:47 PM   Postid: 71644
Rich
Merchant Rep
 
Quote:
I recently got a secure server page at Future Quest to accept credit card numbers, and store them, until I retrieve them later, then delete them...

...The site has 128 bit encription.
Well...not exactly.

The contents of anything stored on the site do not have encryption. As Jay pointed out, only the data during transit between the user's browser and the server has encryption when transmitted using properly configured SSL.

How secure are the SSL transmission protocols? I have yet to see a reported incident of this being compromised.

How secure is the information obtained via SSL and stored on the server? NOT VERY SECURE AT ALL.

My recommendation to merchants is to never store any credit card information on any machine that is connected to the Internet. If you do decide to do this, you will need to do so using very secure encryption methods and use access procedures that are not easily compromised.
__________________
Rich
E-Commerce Solutions:
www.rsmarketing.com
Domain Name Registrations:
www.domain-registration-zone.com
Time Zone Converter:
www.timezoneconverter.com
Old 07-29-2002, 08:17 PM   Postid: 71682
EdSpidre
Visitor
 
I'm afraid I don't know much about merchant stuff but for an idea out of left field, and maybe some other experts can chime in, would it be possible to encrypt the data with someone's public key so it sat on the server encrypted and then when they download it, they could just decrypt it?

Again, if the idea is ludicrous and I don't know what I'm talking about, please ignore me.

Old 07-29-2002, 10:35 PM   Postid: 71685
brsett
Site Owner

128-bit security is fine. Real security involves obfuscation as much as anything; for your and my security, encryption is a fine tool. I wouldn't be worried, but thus far the thread has contained much good info. Terra, now that you are iptables enabled have you set your default policy to DENY for all services (with logging for all connections)?
__________________
http://deepcopy.org
programming in the trenches
Old 07-30-2002, 12:42 AM   Postid: 71687
Terra
CTO FutureQuest, Inc.
 
brsett:
I'm afraid that information/methodology is confidential...

--
Terra
sysAdmin
FutureQuest
Old 07-30-2002, 12:56 AM   Postid: 71688
Rich
Merchant Rep
 
Quote:
would it be possible to encrypt the data with someones public key so it sat on the server encrypted and then when they download it, they could just decrypt it
Yes, this would be the recommended way to store the data. You just have to remember that the secure key must not be stored on the server.
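The scheme Rich endorses above, as an added example that is not from the original thread and is not FutureQuest's or RSMarketing's code: the web server holds only the merchant's RSA public key and stores each card record as ciphertext, while the private key exists only on the merchant's own machine, so whoever takes the server gets records they cannot unwrap. It assumes Go's standard library and a constructed sample record; because RSA-OAEP alone cannot carry a record of arbitrary length, it wraps a fresh AES-256-GCM data key per record (hybrid encryption, which goes beyond the thread's one-line description).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Seal runs on the web server, which holds only the merchant's RSA public key.
// Record: RSA-OAEP(pub, dataKey) || AES-256-GCM(dataKey, card). The data key is
// fresh and encrypts exactly one message, so a fixed all-zero nonce is safe for
// it; it would not be if a key were ever reused.
func Seal(pub *rsa.PublicKey, card []byte) ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	rec, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key) // cannot fail: key is exactly 32 bytes
	gcm, _ := cipher.NewGCM(block) // cannot fail: AES has a 16-byte block
	// Seal appends ciphertext and tag after the wrapped key.
	return gcm.Seal(rec, make([]byte, gcm.NonceSize()), card, nil), nil
}

// Open runs on the merchant's own machine, the only place the private key lives.
func Open(priv *rsa.PrivateKey, rec []byte) ([]byte, error) {
	n := priv.Size() // the wrapped key is exactly one RSA modulus long
	if len(rec) < n {
		return nil, rsa.ErrDecryption
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, rec[:n], nil)
	if err != nil {
		return nil, err // wrong private key or a corrupted wrapped key
	}
	// The public key is not secret, so a forged record could wrap a key of any
	// length; insist on the size this code produces before using it.
	if len(key) != 32 {
		return nil, rsa.ErrDecryption
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	// Open fails on any tampering with the nonce-less ciphertext or its tag.
	return gcm.Open(nil, make([]byte, gcm.NonceSize()), rec[n:], nil)
}
```

The key pair is generated off the server; only `&priv.PublicKey` is ever deployed to the web host, and the private half stays with the merchant.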
Old 07-30-2002, 01:40 AM   Postid: 71692
brsett
Site Owner


Last edited by brsett : 07-30-2002 at 01:54 AM.
Old 07-30-2002, 02:01 AM   Postid: 71693
Terra
CTO FutureQuest, Inc.
 
Quote:
Terra, now that you are iptable enabled have you set your default policy to DENY for all services (with logging for all connections)?

Without going into much detail, this is high on my list to solve however FTP PASV mode is causing a headache in this area... There were some security issues with the kernel FTP iptable module that caused concern and put the task temporarily on the backburner... The other issue is some merchant style software that creates short-lived listener sockets that appear to be a type of callback anti-spoofing countermeasure... I do not want to impede any merchant style activity, nor do I want to constantly be adjusting the iptable rules to chase around the sockets... It may necessitate the need to custom code a new iptable/netfilter module to deal with this...

As far as logging, there is a separate dedicated logging framework because I don't want a performance hit on the Community Servers...

--
Terra
--it is my job to keep some aspects of our operations obscured from our competition--
FutureQuest


<first post removed due to general grumpiness>

Last edited by Terra : 07-30-2002 at 02:21 AM.