most basic SSL questions ever ;-)

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

bredoteau
Forum Newbie
Posts: 18
Joined: Fri Apr 01, 2005 7:46 am

Post by bredoteau »

Hi,

I am creating a webshop and it is required that the customer enters his bank account information at some point. I want this information to be secured or encrypted before sending it over to my server.


1. Is SSL what I need?

2. I have libCurl with SSL support on my server. But how do I use it, or is it activated automatically and I don't have to do a thing?


Greets,
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

SSL is what you need. libCurl won't help with this, as it is for communicating with external systems, not your own (for the client).
bredoteau
Forum Newbie
Posts: 18
Joined: Fri Apr 01, 2005 7:46 am

Post by bredoteau »

So, what do I need?
How do I get SSL, how do I use it? I never found any tutorial or sample code for using SSL.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

You'll need a certificate from an authority. Talk to your host about it.
bredoteau
Forum Newbie
Posts: 18
Joined: Fri Apr 01, 2005 7:46 am

Post by bredoteau »

OK.
I still wonder what I will do with that certificate (e.g. I downloaded a certificate from the PayPal developers central), do I have to code anything or is all security work done by my server dudes...?

Actually I can't talk to my server ppl because we will switch servers to someone yet unknown. I'd like to know what I'm talking about...

Thank you!
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Another thing to do is getting yourself a merchant account and getting authorized to store financial information of your customers.
bredoteau
Forum Newbie
Posts: 18
Joined: Fri Apr 01, 2005 7:46 am

Post by bredoteau »

I guess/hope this means I don't have to code anything and it is just the connection handling between my server and the customer's browser that changes?

Merchant account exists :)
(but it depends on the countries you are operating with if you need one or not.)
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

SSL is mostly just the connection handling, which is outside of PHP's control area, for the most part. You must still handle the data passed in very carefully to comply with the banking industry's security and safety standards for handling customer financial information.
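
An added example, not part of any post in this thread: the one thing PHP can usefully do about the connection is refuse to handle the bank-account form unless the request actually arrived over SSL. `SHOP_HOST` and the function names are hypothetical, and the sketch assumes TLS terminates on the web server that runs PHP (behind a load balancer `$_SERVER['HTTPS']` may not be set).

```php
<?php
// Added example, not code from the thread. SHOP_HOST and the function
// names are hypothetical; TLS is assumed to terminate on this web server.
const SHOP_HOST = 'shop.example'; // placeholder: the name on your certificate

// True when the web server handed this request to PHP over TLS.
function request_is_https(array $server): bool
{
    // PHP sets HTTPS to a non-empty value for TLS requests; IIS uses "off" for plain HTTP.
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

// Returns 'accept', 'redirect' or 'reject' for a request to the payment form.
function payment_request_action(array $server): string
{
    if (request_is_https($server)) {
        return 'accept';
    }
    // A plain-HTTP GET carries no bank data yet, so send it to the HTTPS URL.
    // A plain-HTTP POST has already crossed the network unencrypted: refuse it.
    $method = $server['REQUEST_METHOD'] ?? 'GET';
    return ($method === 'GET' || $method === 'HEAD') ? 'redirect' : 'reject';
}

if (PHP_SAPI !== 'cli') {
    switch (payment_request_action($_SERVER)) {
        case 'redirect':
            // Build the target from the configured host, not the client-supplied Host header.
            header('Location: https://' . SHOP_HOST . ($_SERVER['REQUEST_URI'] ?? '/'), true, 301);
            exit;
        case 'reject':
            http_response_code(400);
            exit('This form is only accepted over HTTPS.');
    }
    // From here on the connection is encrypted.
    header('Strict-Transport-Security: max-age=31536000'); // browser keeps using HTTPS
    ini_set('session.cookie_secure', '1');   // session cookie never sent over HTTP
    ini_set('session.cookie_httponly', '1'); // and not readable from JavaScript
    session_start();
    // ... validate and process the submitted form fields here ...
}
```

The certificate itself is installed in the web server configuration by the host; nothing in this script loads or references it.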
bredoteau
Forum Newbie
Posts: 18
Joined: Fri Apr 01, 2005 7:46 am

Post by bredoteau »

OK, thanks!