I do not have an SSL for my website, and I have to pass the credit card number from one page to another. The scenario is like this.
- I'll check the credit card number (this is a valid number)
- Then I will post the value on another page at response.php
-
The post value should be encrypted with index.php and I should be able to decrypt it in the next page (response.php)
& lt; Script type = "text / javascript" & gt; Function valid (payment_form) {var error = ""; If (trim (payment_form.credit_card_number.value) .length == 0) {document.getElementById ("credit_card_number_error"). InnerHTML = "Enter credit card number"; Error + = False; } Else {if (IsNumeric (payment_form.credit_card_number.value) == incorrect) {document.getElementById ("credit_card_number_error"). InnerHTML = "Enter numerical value"; Error + = False; } And {document.getElementById ("credit_card_number_error"). InnerHTML = ""; Error + = ""; }} If (error == "") {back true; } Other {return false; }} Function isNumeric (strString) {var strValidChars = "0123456789."; Var strChar; Var blnResult = true; If (strString.length == 0) incorrect return; For (i = 0; iCredit card number & lt; / Td> & Lt; Td> & Lt; Input type = "text" placeholder = "credit card number" value = "" id = "credit_card_number" name = "credit_card_number" & gt; & Lt; / Td> & Lt; Td> & Lt; Label class = "error" id = "credit_card_number_error" /> gt; & Lt; / Td> & Lt; Tr & gt; & Lt; Td> & Lt; / Td> & Lt; Td> & Lt; Input type = "submit" value = "PAYMENT" class = "login" id = "payment" name = "payment" & gt; & Lt; / TD & gt; & Lt; / TR & gt; & Lt; / Table & gt; & Lt; / Form & gt; To summarize everyone, I am using a form to post a credit card number and have to encode it and I will be able to decode it. next page. Is it possible. What you want to do safely without the SSL and "real" certificate, i.e. Signed Trustworthy Certification Authority
- If you use symmetric encryption , then the client should know the secret key, so the attacker can easily capture the key through simple eShcrossing. With a few more hiding, he can capture the encrypted credit card number and decrypt it immediately.
- If you use asymmetric encryption , attackers can not detect the man in the middle attack (i.e., Together, you encrypt the data, it decrypt it, reads the data, re-encrypts it, the real public key sent by the server with SSL and "real" certificates, the browser is real Can tell the difference between public key and one of the attacker!)
Please, please, please: try not to become creative on security / cryptography unless you are a guru (In this case you probably will develop the most algorithms, and do not create a website). Obstacles will make you some badly broken
SSL with "real" certificates makes it secure because of these certificates signed by certification authorities , which your browser recognizes them as legitimate Will give If they are not signed by any browser recognized by the Certification Authority , it will display a horrible screen that will tell the user that it is probably being attacked. It is not possible for an attacker to generate a valid signature for your domain's certificate.
Buy a Certificate I recently transferred my domain to a new registrar and they offered me an SSL certificate for $ 1.99 a year (this is not good - CA is not recognized by my Android chrome, but well ... $ 1.99 ...)
- If you use asymmetric encryption , attackers can not detect the man in the middle attack (i.e., Together, you encrypt the data, it decrypt it, reads the data, re-encrypts it, the real public key sent by the server with SSL and "real" certificates, the browser is real Can tell the difference between public key and one of the attacker!)
- If you use symmetric encryption , then the client should know the secret key, so the attacker can easily capture the key through simple eShcrossing. With a few more hiding, he can capture the encrypted credit card number and decrypt it immediately.
No comments:
Post a Comment