[NTLUG:Discuss] OT? security comparsion
Leroy Tennison
leroy_tennison at prodigy.net
Tue Nov 29 04:54:49 CST 2005
Neil Aggarwal wrote:
>Hello:
>
>
>
>>1. submit information with regular http:// form
>>
>>
>
>That is a bad idea. It is completely insecure.
>
>
>
>>2. submit information with SSL https:// form
>>
>>
>
>That is secure.
>
>
>
>>3. Fax information to them
>>
>>
>
>From a purely transmission point of view, this is secure
>(unless you are being wiretapped) *only if* it is sent over
>regular phone lines and does not use an Internet fax service
>for any point in the transmission.
>
>Having said this, most customers will not spend the time
>and effort to place orders this way.
>
>
>
>>4. Call them and give the information (leave message)
>>
>>
>
>Again, from a purely transmission point of view, this is secure
>(unless you are being wiretapped) *only if* it is sent over
>regular phone lines and does not use a VOIP service that
>traverses an insecure network.
>
>Having said this, most customers will not spend the time
>and effort to place orders this way.
>
>Thanks,
> Neil
>
>--
>Neil Aggarwal, JAMM Consulting, (214) 986-3533, www.JAMMConsulting.com
>FREE! Valuable info on how your business can reduce operating costs by
>17% or more in 6 months or less! http://newsletter.JAMMConsulting.com
>
>-----Original Message-----
>From: discuss-bounces at ntlug.org [mailto:discuss-bounces at ntlug.org] On Behalf
>Of m m
>Sent: Monday, November 28, 2005 10:52 AM
>To: discuss at ntlug.org
>Subject: Re: [NTLUG:Discuss] OT? security comparsion
>
>All:
>
>Thanks for all the valuable inputs
>
>Sorry for not stating my question very clearly:
>What I am asking about is "the sending of packet(s)" (makes sense?)
>
>"from the user input the credit card number (for example)
>on the web form (from the user's browser)
>to the server (database, email server...)"
>
>An example:
>If there is a e-commerce website
>you want to buy something from them
>they offer 4 types of payment method
>(the credit, address... information needs to be submitted/sent)
>
>1. submit information with regular http:// form
>2. submit information with SSL https:// form
>3. Fax information to them
>4. Call them and give the information (leave message)
>
>
>which way(s) will you not (never) do?
>why? most of the answers would be security reasons.
>
>most people will do #2 but not #1
>I think this is because SSL.
>
>But what is the chance your information gets
>captured in the "middle of the net"?
>if the chance is 0.1%
>I think I have a ridiculous conclusion:
>#1 and #2 are almost no different
>but if the chance is 80% and above
>definitely, no option for #1
>
>From what MadHat and others mentioned
>How is the information saved, stored
>Janitor sees the fax information...
>I think this is another issue.
>because you never know
>how they store/handle your information, right?
>
>
>
>
>
>>From: MadHat <madhat at unspecific.com>
>>Reply-To: NTLUG Discussion List <discuss at ntlug.org>
>>To: NTLUG Discussion List <discuss at ntlug.org>
>>Subject: Re: [NTLUG:Discuss] OT? security comparsion
>>Date: Wed, 16 Nov 2005 11:38:44 -0600
>>
>>On Nov 16, 2005, at 11:04 AM, Neil Aggarwal wrote:
>>
>>
>>>Greg:
>>>
>>>I did not dismiss SSL in any of my comments.
>>>
>>>He was asking if email or fax was more secure than an SSL connection
>>>and I stated that email was not.
>>>
>>>
>>Fax is not more secure, unless you know where it is going. About like SSL
>>
>>
>
>
>
>>it is about how the data is handled on the far end. If you are sending a
>>FAX to a general fax machine, anyone in the company may see it. Do you
>>know if the janitor, who makes minimum wage, has access to the faxes? Do
>>they shred the faxes after the data is entered somewhere else or do they
>>just throw them away? Transport is only one issue to worry about.
>>
>>
>>
>>
>>> Neil
>>>
>>>--
>>>Neil Aggarwal, JAMM Consulting, (214) 986-3533, www.JAMMConsulting.com
>>>FREE! Valuable info on how your business can reduce operating costs by
>>>17% or more in 6 months or less! http://newsletter.JAMMConsulting.com
>>>
>>>-----Original Message-----
>>>From: discuss-bounces at ntlug.org [mailto:discuss-bounces at ntlug.org] On
>>>Behalf
>>>Of Greg Edwards
>>>Sent: Wednesday, November 16, 2005 9:55 AM
>>>To: NTLUG Discussion List
>>>Subject: Re: [NTLUG:Discuss] OT? security comparsion
>>>
>>>Neil Aggarwal wrote:
>>>
>>>
>>>>Terry:
>>>>
>>>>Using your analogy, I think it is like putting the key in an envelope,
>>>>writing the word "Key" on the outside, and leaving it on top of the
>>>>doormat.
>>>
>>>
>>>>Anyone that is looking will have full access to whatever you are
>>>>sending.
>>>>
>>>>If they are looking in the first place, they have some mischievous
>>>>or malicious intent.
>>>>
>>>> Neil
>>>>
>>>>
>>>>
>>>Don't be so quick to dismiss the value of SSL. As well stated earlier,
>>>it's not SSL and the information transferred that hackers get. They get
>>>it from the back end of systems they've broken into. I don't know the
>>>percentages of which OS is cracked more often, but I'd think my lucky
>>>guess of M$ being in the 95%+ would be right ;)
>>>
>>>If you do insist on sending zip files encrypt them first. Let your
>>>receivers know off line what the encryption key is and they'll be able to
>>>decrypt and uncompress with "unzip". Your unzip does have to have the
>>>encryption option compiled in.
>>>
>>>--
>>>Greg Edwards
>>>New Age Software, Inc. - Software Engineering Services
>>>http://www.nas-inet.com
>>>
>>>_______________________________________________
>>>https://ntlug.org/mailman/listinfo/discuss
>>--
>>MadHat (at) Unspecific.com, C²ISSP
>>E786 7B30 7534 DCC2 94D5 91DE E922 0B21 9DDC 3E98
>>gpg --keyserver wwwkeys.us.pgp.net --recv-keys 9DDC3E98
>
In the context of a credit card transaction, consider a few things.
Don't take unnecessary risks (plain http) but don't allow your only
security to be technical (that's not the only risk). First, make sure you
know what your credit card's fraud terms are (most are probably similar). If
they aren't good get a competitor's card, the business is very
competitive. Almost anyone should be able to get another card if they
have one that has been maintained at all well.
If it's available, use a "one time" number. This kind of arrangement is
available from at least Citi cards and I suspect competitors. There's a
Web process (at least with Citi) you go through to get the one time use
number. I believe you can even set a limit on its value and maybe even
specify the merchant. If you do these things you have greatly limited
your exposure. The only downside I know of right now is that Citi's
process requires IE (I'm not sure they even know how to spell Linux).
Pick a card you don't use much and use that for your high(er) risk
purchases. This way the statement has only a few items on it and
unusual charges are more likely to stand out. If possible, pick (or
get) a card that doesn't have a high limit.
Just some thoughts, there may be other good ideas as well.
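An added example, not code from any of the posters, that demonstrates the transport point this thread keeps returning to: why most people will submit a card number through an https:// form but not a plain http:// one, and what Neil's "unless you are being wiretapped" looks like in practice. It is written in Go. The hostname shop.example, the form fields and the card number (a well-known test PAN, not a real account) are constructed for the example, and the server certificate is a throwaway self-signed one minted at run time. A tapConn sits between client and server and records everything the client sends, standing in for anyone on the path; the same checkout post is then sent once as plain HTTP and once inside TLS 1.2, and the recorded bytes are searched for the card field.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"regexp"
	"time"
)

// Constructed sample of a checkout form post; host and card number (a test PAN) are made up.
const checkoutRequest = "POST /checkout HTTP/1.1\r\n" +
	"Host: shop.example\r\n" +
	"Content-Type: application/x-www-form-urlencoded\r\n" +
	"Content-Length: 43\r\n\r\n" +
	"name=Jane+Doe&card=4111111111111111&cvv=123"

// tapConn copies every byte the client sends: the passive wiretap the thread talks about.
type tapConn struct {
	net.Conn
	tap *bytes.Buffer
}

func (t *tapConn) Write(p []byte) (int, error) {
	t.tap.Write(p)
	return t.Conn.Write(p)
}

// CardNumberOnWire is the observer's analysis: scan captured bytes for a card field.
func CardNumberOnWire(wire []byte) (string, bool) {
	m := regexp.MustCompile(`card=([0-9]{13,19})`).FindSubmatch(wire)
	if m == nil {
		return "", false
	}
	return string(m[1]), true
}

// selfSignedCert mints a throwaway certificate for the in-process server.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		Subject:   pkix.Name{CommonName: "shop.example"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}

// ObserveCheckout sends checkoutRequest over an in-memory pipe, as plain HTTP or
// inside TLS, and returns the bytes the tap saw go past.
func ObserveCheckout(useTLS bool) ([]byte, error) {
	clientEnd, serverEnd := net.Pipe()
	defer clientEnd.Close()
	defer serverEnd.Close()
	var tap bytes.Buffer
	var client net.Conn = &tapConn{Conn: clientEnd, tap: &tap}
	var server net.Conn = serverEnd
	if useTLS {
		cert, err := selfSignedCert()
		if err != nil {
			return nil, err
		}
		// net.Pipe is unbuffered, so pin TLS 1.2, whose flights alternate strictly;
		// Go's TLS 1.3 server writes session tickets before reading the client's
		// Finished and would deadlock on this pipe.
		cfg := &tls.Config{Certificates: []tls.Certificate{cert}, MaxVersion: tls.VersionTLS12}
		server = tls.Server(serverEnd, cfg)
		// InsecureSkipVerify is tolerable only because this process minted the
		// certificate a moment ago; never set it in a client that talks to a real shop.
		client = tls.Client(client, &tls.Config{InsecureSkipVerify: true, MaxVersion: tls.VersionTLS12})
	}
	errc := make(chan error, 1)
	go func() { // server side: consume exactly one request
		buf := make([]byte, len(checkoutRequest))
		_, err := io.ReadFull(server, buf)
		errc <- err
	}()
	if _, err := client.Write([]byte(checkoutRequest)); err != nil {
		return nil, err
	}
	if err := <-errc; err != nil {
		return nil, err
	}
	return tap.Bytes(), nil
}

func main() {
	for _, useTLS := range []bool{false, true} {
		wire, err := ObserveCheckout(useTLS)
		pan, seen := CardNumberOnWire(wire)
		fmt.Println("https:", useTLS, "error:", err, "card number visible:", seen, pan)
	}
}
```

In the plain case the card number comes straight out of the captured bytes; in the TLS case the tap holds only the ClientHello, the key exchange and ciphertext records, and the search finds nothing. Two caveats the thread itself raises still apply: TLS protects the bytes in flight and nothing else, so MadHat's questions about what happens to the data at the far end are untouched, and the InsecureSkipVerify setting is acceptable here solely because the process minted its own certificate; in a real browser the certificate check is what stops the wiretap from simply impersonating the shop instead of reading the traffic.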