
Extra Security Enabled in Store and Logins


  • This topic is locked
7 replies to this topic

#1 ShadowLink64

ShadowLink64
  • 16735 posts



Posted 17 December 2012 - 03:14 PM

You might have noticed that when checking out of our store or logging into Neocodex, the page URL turns from http into https, and depending on your browser, a lock icon appears on the side of the screen. This tells you that SSL (Secure Sockets Layer) has been enabled on the communication between your browser and Neocodex.

SSL was created so that sensitive information like passwords or credit card information cannot be eavesdropped on by a third-party -- your browser encrypts this data and Neocodex takes the data and decrypts it, but anyone in the middle would have no idea how to read the data. These type of eavesdropping attacks are pretty rare and usually happen because the person is on an insecure connection such as public WiFi. The owner of the public WiFi could easily listen in to the traffic happening on the network.

In order for us to use SSL, we needed to have our identity verified by a reputable Certificate Authority (CA) and be issued a certificate (which has an expiry date of one year).

So to make a long story short, feel a bit safer. :D If you want to know more about this, visit the SSL post in the technology blog. :p

#2 Hydrogen

Hydrogen
  • Neocodex Co-Founder

  • 22213 posts



Posted 18 December 2012 - 12:04 AM

Whenever there is a super technical announcement and no one responds to the announcement thread, I always wonder why. This is a pretty big deal for Neocodex, actually. SSL is incredibly important in this day and age and we really should have put this in place years ago. However, it's better that we did late than never.

#3 Strategist

Strategist
  • Sadmin

  • 10012 posts



Posted 18 December 2012 - 12:13 AM

*Auto response enabled*

:p hehe

*Auto response disabled*

#4 artificial

artificial
  • 186 posts



Posted 18 December 2012 - 05:17 AM

Whenever there is a super technical announcement and no one responds to the announcement thread, I always wonder why. This is a pretty big deal for Neocodex, actually. SSL is incredibly important in this day and age and we really should have put this in place years ago. However, it's better that we did late than never.


If you weren't previously using SSL when you collected credit card information through the store you deserve to be harshly criticised, not praised for implementing it this long after the stores introduction.

#5 Hydrogen

Hydrogen
  • Neocodex Co-Founder

  • 22213 posts



Posted 18 December 2012 - 07:43 AM

If you weren't previously using SSL when you collected credit card information through the store you deserve to be harshly criticised, not praised for implementing it this long after the stores introduction.

We use stripe.com as our credit card processor. The credit card information never hits our server and the data is sent to stripe's servers over an ssl connection. There is no other way to use stripe other than ssl.

#6 artificial

artificial
  • 186 posts



Posted 18 December 2012 - 07:59 AM

We use stripe.com as our credit card processor. The credit card information never hits our server and the data is sent to stripe's servers over an ssl connection. There is no other way to use stripe other than ssl.


I just had a look at the credit card form:

<form action="https://www.neocodex.us/forum/index.php?app=nexus&amp;module=payments&amp;section=receive&amp;do=validate" method="post" id="do_pay" onsubmit="return nexusCheckout.submitForm( 2426 )">

So if you only just installed https, that means it was previously been submitted to your servers over a plaintext connection prior to you sending it to stripe.com. There does appear to be some Javascript encryption which hides the values prior to submitting the form, but we both know that wouldn't be too difficult to reverse.

So unless I'm missing something, oh dear.

#7 Hydrogen

Hydrogen
  • Neocodex Co-Founder

  • 22213 posts



Posted 18 December 2012 - 08:08 AM

I just had a look at the credit card form:

<form action="https://www.neocodex.us/forum/index.php?app=nexus&amp;module=payments&amp;section=receive&amp;do=validate" method="post" id="do_pay" onsubmit="return nexusCheckout.submitForm( 2426 )">

So if you only just installed https, that means it was previously been submitted to your servers over a plaintext connection prior to you sending it to stripe.com. There does appear to be some Javascript encryption which hides the values prior to submitting the form, but we both know that wouldn't be too difficult to reverse.

So unless I'm missing something, oh dear.

I'm not sure if you've ever integrated with stripe.com, but by the contents of your post, I'm going to guess not. The way that stripe.com works is that all credit card details are placed in HTML form elements which have no name attribute. Because of this, they aren't transmitted with the form data when the form is submitted. The stripe.js (served from their servers, also over ssl) script file pulls them out, makes the appropriate calls to stripe servers and gives us a single string token to reference the transaction and customer by. The actual credit card data never hits our server so we have no idea what it is nor do we care. We just get back a token like ch_lefjbwk7okwn or something.

The stripe documentation contains more about how this all works. It's a pretty good read so if you haven't read it already, do so :p.
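The property the two posts above disagree about comes down to one browser rule: a form submission carries only controls that have a name attribute. The script below is an added example (my own, not stripe.js and not Neocodex's checkout) that models the flow Hydrogen describes and adds the check a reviewer would run on such a page. Field objects stand in for `<input>` elements; `role` is this example's own marker for which card detail a field holds, since the thread does not show the real markup, and the token format and sample values are invented.

```javascript
// Added example (not stripe.js and not Neocodex code): a model of the
// tokenizing checkout described above, showing which fields reach the
// merchant server. Field objects stand in for <input> elements: `name` is
// absent when the element has no name attribute, and `role` is this
// example's own marker for which card detail a field holds (an assumption;
// the real library's markup is not shown in the thread).
const CARD_ROLES = new Set(['number', 'cvc', 'exp_month', 'exp_year']);

// The browser rule the whole scheme relies on: a form submission carries only
// controls that have a name attribute.
function serializeForm(fields) {
  return fields
    .filter((f) => typeof f.name === 'string' && f.name !== '')
    .map((f) => [f.name, String(f.value)]);
}

// Stand-in for the provider's tokenization call, which in practice goes from
// the browser straight to the provider over TLS. It returns an opaque
// reference and nothing else; the placeholder token format is invented here.
function fakeTokenize(card) {
  if (!/^\d{13,19}$/.test(card.number)) throw new Error('card number rejected');
  return 'tok_placeholder_' + card.number.slice(-4);
}

// What the onsubmit handler does: read the unnamed card fields, exchange them
// for a token, and add that token as the one *named* hidden field the merchant
// sees. Returns the name/value pairs that would be POSTed.
function checkoutSubmit(fields, tokenize) {
  const card = {};
  for (const f of fields) {
    if (CARD_ROLES.has(f.role)) card[f.role] = String(f.value);
  }
  const token = tokenize(card);
  const hidden = { name: 'stripeToken', value: token, role: 'token' };
  return serializeForm(fields.concat([hidden]));
}

// Review check for a checkout page: any card field that carries a name
// attribute would be posted to the merchant server, which is the situation
// the earlier reading of the form assumed.
function leakingCardFields(fields) {
  return fields
    .filter((f) => CARD_ROLES.has(f.role) && typeof f.name === 'string' && f.name !== '')
    .map((f) => f.name);
}

// True when any posted value is one of the raw card details.
function payloadCarriesCardData(pairs, fields) {
  const secrets = new Set(
    fields.filter((f) => CARD_ROLES.has(f.role)).map((f) => String(f.value)),
  );
  return pairs.some(([, value]) => secrets.has(value));
}

// Constructed sample form. The card number is a well-known test value, not a
// real card; the invoice id and e-mail are invented.
const SAFE_FORM = [
  { name: 'invoice_id', value: '1001', role: 'other' },
  { name: 'email', value: 'buyer@example.test', role: 'other' },
  { value: '4242424242424242', role: 'number' }, // no name attribute
  { value: '123', role: 'cvc' }, // no name attribute
  { value: '12', role: 'exp_month' },
  { value: '2014', role: 'exp_year' },
];

// The same form with the number field mistakenly given a name attribute.
const LEAKY_FORM = SAFE_FORM.map((f) =>
  f.role === 'number' ? { ...f, name: 'cc_number' } : f,
);

console.log('safe form posts:', checkoutSubmit(SAFE_FORM, fakeTokenize));
console.log('leaky fields:', leakingCardFields(LEAKY_FORM));
```

Two things follow from the model. First, the merchant's HTTPS matters for the session cookie, the order details and the token itself, but the card number's protection rests on the browser-to-provider call, which is why a later HTTPS rollout on the merchant side is not by itself evidence that card numbers once travelled in the clear. Second, the guarantee is only as good as the markup: `leakingCardFields` is the check to run after any template change, because a single stray `name` attribute on a card field reverses the whole design.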

#8 revenge1991

revenge1991
  • 14 posts

Posted 26 December 2012 - 06:42 AM

Nice job on the added security;)

