If he's writing PHP shopping carts, he ought to at least have a basic knowledge of what SSL is
- Visitors can check out the Forum FAQ by clicking this link. You have to register before you can post: click the REGISTER link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. View our Forum Privacy Policy.
- Want to receive the latest contracting news and advice straight to your inbox? Sign up to the ContractorUK newsletter here. Every sign up will also be entered into a draw to WIN £100 Amazon vouchers!
Heartbleed bug
Collapse
X
-
bloggoth
If everything isn't black and white, I say, 'Why the hell not?'
John Wayne (My guru, not to be confused with my beloved prophet Jeremy Clarkson) -
Originally posted by xoggoth View PostYou got me worried now. I have written a PHP shopping cart and had no idea what SSL was before all this news. Though I did check out the potential security issues and implement the suggested solutions, HTMLentities, limits on data length etc. so maybe I did indirectly.
Basically SSL is a way of securely encrypting personal data. So, as a rule of thumb, you should never enter credit card details on a site which isn't running SSL (as pg politely pointed out, in 99% of cases you see the https and padlock logo in the address bar.)
In the ideal world, all personal details (names, addresses, passwords) would be encrypted.
In the case of your site (assuming it's the one you've posted links to in the past) you're capturing name and address details over a non-secure connection, so someone could potentially 'listen' to the traffic and steal those details. You're redirecting to worldpay to get your payment details, and they are running SSL, so your customers' card details are safe.
Some sites with logins (like CUK) don't use SSL either - I'm guessing that actual passwords aren't sent, but instead a hash of the password, which is compared to a stored hash in the database. Session ids are probably thrown into the mix too, so that the hash is a combination of password and sessionId and changes as sessions expire. In theory that makes it hackable - by listening to the network traffic I could steal the hash of your password and fake a login to your session, but I couldn't actually get hold of your password. To do serious damage, I guess we'd have to steal admin's accountLast edited by mudskipper; 14 April 2014, 18:28.Comment
- Home
- News & Features
- First Timers
- IR35 / S660 / BN66
- Employee Benefit Trusts
- Agency Workers Regulations
- MSC Legislation
- Limited Companies
- Dividends
- Umbrella Company
- VAT / Flat Rate VAT
- Job News & Guides
- Money News & Guides
- Guide to Contracts
- Successful Contracting
- Contracting Overseas
- Contractor Calculators
- MVL
- Contractor Expenses
Advertisers
Contractor Services
CUK News
- Streamline Your Retirement with iSIPP: A Solution for Contractor Pensions Sep 1 09:13
- Making the most of pension lump sums: overview for contractors Sep 1 08:36
- Umbrella company tribunal cases are opening up; are your wages subject to unlawful deductions, too? Aug 31 08:38
- Contractors, relabelling 'labour' as 'services' to appear 'fully contracted out' won't dupe IR35 inspectors Aug 31 08:30
- How often does HMRC check tax returns? Aug 30 08:27
- Work-life balance as an IT contractor: 5 top tips from a tech recruiter Aug 30 08:20
- Autumn Statement 2023 tipped to prioritise mental health, in a boost for UK workplaces Aug 29 08:33
- Final reminder for contractors to respond to the umbrella consultation (closing today) Aug 29 08:09
- Top 5 most in demand cyber security contract roles Aug 25 08:38
- Changes to the right to request flexible working are incoming, but how will contractors be affected? Aug 24 08:25
Comment