On 2/11/10, Booking Heaven wrote: > The best thing you have to do is you should encrypt it in client side before > it is passed to webservice (whatever it is, https or http) because man in > middle attack can tap your creditcard information before it is passed to > webservice.
With the method proposed the Flash Player plugin will hand the data off to the browser and the browser will encrypt it using SSL and send it to the webservice. Are you suggesting that there may be a man in the middle between the Flash Player plugin and the browser? It seems a bit of a far fetched scenario. Surely a simple keylogger would be much more likely as an attack vector. Jochem -- Jochem van Dieten http://jochem.vandieten.net/
