IANAE --
But I think I know how the "secure" websites work. First and
foremost the page itself should reside in a password protected area of
the server, so no casual hacker can access it and find the encrypt
algorithm.
Second, all Arachne users have seen the code produced and sent when we
feed data to a page & submit it ... it usually overflows the URL line.
<G> Well, I play a little game of hangman on-line once in awhile, and I
wondered how in the heck the system knew which person trying to figure
out which word was sending in a new letter guess. Then I looked
carefully at that URL line and discovered that, along with my current
guess, the word itself sat up there in encoded form. It's only a simple
substitution code, but I haven't bothered to break it because then ALL
the fun of the game would be gone.
How does that code get to me? When I access the page, a word is chosen
at random and is fed to the page I download -- in its encrypted form and
as part of the data string that will be sent with each letter guessed.
On the server is a decoder which looks at the actual word, and then
checks to see if the letter I guessed is correct. If it is, it sends
the letter back to my screen rewrite in its proper place; regardless of
whether the letter is right or wrong, that letter is removed from the
alphabet available for me to select from.
On a secure website I would guess that the data I fill in and submit is
encoded by some sort of filter program prior to it being sent to the
store site's page where most people would expect to find credit card
numbers, etc. I would further guess that it is stored in encoded format
on the servers, and only decoded when a sales/service rep pulls up the
order; that decoding would be done in an entirely different program
separate from the website. If I were running such a system, I would
have the decoding done at the terminal level and not even have the
algorithm used at the server level.
Now, my design may actually be better than the current "secure" sites; I
can even think of a few additional things I would do to make it more
secure. But I think that's the general idea.
Bottom Line: The purchaser doesn't encrypt anything. The data supplied
is encrypted by the website, or an appropriate link, prior to
transmittal to the store accessible network.
[insert SWAG disclaimer here]
l.d.
====
On Sun, 09 Jan 2000 18:40:35 -0800, Clarence Verge wrote:
> Samuel W. Heywood wrote:
>> I do not understand how I could encrypt my credit card number, transmit
>> the encrypted number, and then have the recipient to decrypt the number
>> unless the recipient had a compatible decryption engine and had
>> knowledge of the original encryption key (i.e the password or pass
>> phrase that I use to encrypt the data). It would seem that somehow
>> this kind of thing is what would have to happen when using a "secure"
>> web site. How does this kind of "magic" work?
> Hi Sam;
> I don't know of a site that will provide the details you are looking for,
> and, the following is just my own bumble so don't take it as fact.
> Surely the simplest method would require that the recipient involved sends
> you the encryption key and then you send the encrypted data.
> How this prevents someone eavesdropping on the transaction from decrypting
> your data is unclear to me because it seems he/she can end up with all the
> necessary information.
> Like I said. My bumble.
> - Clarence Verge
> --
> - Help stamp out FATWARE. As a start visit: http://home.arachne.cz/
> --
-- Arachne V1.50;s.r.c., NON-COMMERCIAL copy, http://home.arachne.cz/
