Re: collecting sensitive data

by JavaFan (Canon)
on Jul 17, 2009 at 14:38 UTC (#781070)

in reply to collecting sensitive data

I noticed that HTTPS was mentioned by a few people. Note that HTTPS only offers a start. It's far from sufficient when it comes to the transportation. HTTPS in itself makes the channel "secure" (as in, 'it takes a while to decrypt'). It doesn't authenticate either end of the channel; just the fact that I talk to you over HTTPS doesn't mean I'm entitled to your data, nor does it mean I am who I say I am.

Basically, when two parties communicate, you want to:

  • Encrypt your channel. No one should be able to read what was sent by inspecting the wire.
  • Authenticate both parties. You shouldn't send data to someone who isn't your client, and your client shouldn't accept data from someone else. No man-in-the-middle attacks.
  • Authorize the parties. A test server from the client may be authenticated, but it's not entitled to the production data.
  • Audit trail the communication. Who logged in when. What was asked for. What was sent.
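
The four points above as a server-side sketch, added here as an example and not part of the original post: TLS with a required client certificate covers encryption and authentication, an ACL lookup covers authorization, and every decision is written to an audit log. The host names, the `ACL` table and the function names are assumptions made for illustration.

```python
import json
import ssl
from datetime import datetime, timezone

# Hypothetical ACL: certificate common name -> datasets it may read.
ACL = {
    "client-prod.example.com": {"production", "test"},
    "client-test.example.com": {"test"},
}

def server_context(cert=None, key=None, client_ca=None):
    """TLS context that encrypts the channel and requires a client certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED       # handshake fails without a valid client cert
    if cert:
        ctx.load_cert_chain(cert, key)        # server proves its identity to the client
    if client_ca:
        ctx.load_verify_locations(client_ca)  # only certs issued by this CA are accepted
    return ctx

def common_name(peer_cert):
    """Extract the subject CN from the dict returned by SSLSocket.getpeercert()."""
    for rdn in peer_cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def handle_request(peer_cert, dataset, audit_log):
    """Authorize an already-authenticated peer and record the decision."""
    who = common_name(peer_cert) if peer_cert else None
    allowed = who is not None and dataset in ACL.get(who, set())
    audit_log.append(json.dumps({
        "time": datetime.now(timezone.utc).isoformat(),
        "peer": who,
        "dataset": dataset,
        "decision": "allow" if allowed else "deny",
    }))
    return allowed

# Constructed sample: shape of getpeercert() output for a test server's certificate.
TEST_PEER = {"subject": ((("commonName", "client-test.example.com"),),)}
```

In a real server, `peer_cert` would come from `getpeercert()` on the socket returned by `server_context(...).wrap_socket(..., server_side=True)`, and the audit log would go to append-only storage rather than a list.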
