Re: Security problem?

2002-06-07 Thread Phillip Morelock
On 6/7/02 1:47 AM, Laura [EMAIL PROTECTED] wrote: Hi all, it might be that I have a security problem and you should tell me if I am right. Well, I have a server with an ecommerce application: a user can buy something and when he has to pay the servlet of the web application executes a

RE: Security problem?

2002-06-07 Thread Barney Hamish
This is one way, there are probably others. By using encryption you can make such a transaction secure. If site X is where they buy the thing and site Y is your site: You could get site X to pass two things: - the amount of money the user is to pay in clear text - the amount of money the user is

Re: Security problem?

2002-06-07 Thread Phillip Morelock
On 6/7/02 1:54 AM, Barney Hamish [EMAIL PROTECTED] wrote: - the amount of money the user is to pay encrypted with the private key of site X as a digest. On site Y you receive both. You decrypt the encrypted amount with site X's public key. If the clear text amount matches the encrypted

Re: Security problem?

2002-06-07 Thread Nikola Milutinovic
On 6/7/02 1:54 AM, Barney Hamish [EMAIL PROTECTED] wrote: - the amount of money the user is to pay encrypted with the private key of site X as a digest. On site Y you receive both. You decrypt the encrypted amount with site X's public key. If the clear text amount matches the

Re: Security problem?

2002-06-07 Thread Phillip Morelock
On 6/7/02 2:14 AM, Nikola Milutinovic [EMAIL PROTECTED] wrote: On 6/7/02 1:54 AM, Barney Hamish [EMAIL PROTECTED] wrote: - the amount of money the user is to pay encrypted with the private key of site X as a digest. On site Y you recieve both. You decrypt the encrypted amount with site

RE: Security problem?

2002-06-07 Thread Barney Hamish
key. Both can be used to encrypt the data in analogous ways. -Original Message- From: Nikola Milutinovic [mailto:[EMAIL PROTECTED]] Sent: Friday, June 07, 2002 11:14 AM To: Tomcat Users List Subject: Re: Security problem? On 6/7/02 1:54 AM, Barney Hamish [EMAIL PROTECTED] wrote

Re: Security problem?

2002-06-07 Thread Phillip Morelock
, June 07, 2002 11:14 AM To: Tomcat Users List Subject: Re: Security problem? On 6/7/02 1:54 AM, Barney Hamish [EMAIL PROTECTED] wrote: - the amount of money the user is to pay encrypted with the private key of site X as a digest. On site Y you receive both. You decrypt the encrypted

Re: Security problem?

2002-06-07 Thread Nikola Milutinovic
So, what is suggested is that the shopping cart server creates the final payment report and signs it with its private key/certificate. The financial transaction server would verify that *that* is an authentic request from the shopping cart server. Ok, it was signing. This still

Re: Security problem?

2002-06-07 Thread Phillip Morelock
On 6/7/02 2:30 AM, Nikola Milutinovic [EMAIL PROTECTED] wrote: Just as Barney Hamish pointed out, with RSA (and I think DSA) keys, you can encrypt/decrypt both ways. It is just that these two modes of operation have been established as common. And yes, a signed object is not encrypted. What

RE: Security problem?

2002-06-07 Thread Barney Hamish
Milutinovic [mailto:[EMAIL PROTECTED]] Sent: Friday, June 07, 2002 11:31 AM To: Tomcat Users List Subject: Re: Security problem? So, what is suggested is that the shopping cart server creates the final payment report and signs it with its private key/certificate. The financial transaction

Re: Security problem?

2002-06-07 Thread Nikola Milutinovic
HTTPS alone won't help much in the described scenario. HTTPS can't ensure that the user is not manipulating the request. To disable that you have to sign the data. I think it's better to use a completely different architecture. If this has to be done with EJB as you suggest, a WebService
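The scheme the thread converges on (Barney Hamish's two-part message, restated by Nikola Milutinovic as "the shopping cart server signs the payment report and the financial server verifies it") is shown below as an added, self-contained example; it is not code from the original thread or from Tomcat. The shopping-cart server (site X) hashes a canonical rendering of the payment report and signs the hash with its RSA private key; the payment server (site Y) recomputes the hash from the clear-text fields it actually received and checks the signature with X's public key. The report fields (OrderID, Currency, Amount), the canonical line-joined encoding, the use of RSA PKCS#1 v1.5 with SHA-256, and the sample order values are all assumptions made for the example. The example also carries the report through the hop the thread worries about: the user lowers the amount in transit, and verification fails because the signature covers what X said, not what the browser forwarded.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// PaymentReport is what site X hands to site Y via the user's browser.
// The field set is an assumption for this example; Amount is kept as a
// decimal string so both sides hash identical bytes (no float formatting).
type PaymentReport struct {
	OrderID  string
	Currency string
	Amount   string
}

// canonical renders the report as one unambiguous byte string. Signer and
// verifier must agree on this encoding exactly, or verification fails.
func (r PaymentReport) canonical() []byte {
	return []byte(strings.Join([]string{r.OrderID, r.Currency, r.Amount}, "\n"))
}

// Sign runs on site X: hash the canonical report and sign the hash with X's
// private key. The private key never leaves site X.
func Sign(priv *rsa.PrivateKey, r PaymentReport) (string, error) {
	h := sha256.Sum256(r.canonical())
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// Verify runs on site Y: rebuild the hash from the clear-text fields as
// received and check the signature against X's public key. Any change to
// OrderID, Currency or Amount on the way through the browser breaks it.
func Verify(pub *rsa.PublicKey, r PaymentReport, sigB64 string) bool {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return false
	}
	h := sha256.Sum256(r.canonical())
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

// RunExchange simulates the round trip. It returns whether the untouched
// report verified and whether a report with the amount lowered in transit
// verified. Sample order values are constructed for the example.
func RunExchange() (honestOK bool, tamperedOK bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // site X's key pair
	if err != nil {
		return false, false, err
	}
	report := PaymentReport{OrderID: "A-1001", Currency: "EUR", Amount: "149.00"}
	sig, err := Sign(priv, report) // site X
	if err != nil {
		return false, false, err
	}
	honestOK = Verify(&priv.PublicKey, report, sig) // site Y, honest user

	tampered := report
	tampered.Amount = "1.00" // user edits the clear-text amount in the browser
	tamperedOK = Verify(&priv.PublicKey, tampered, sig) // site Y rejects
	return honestOK, tamperedOK, nil
}

func main() {
	honest, tampered, err := RunExchange()
	if err != nil {
		panic(err)
	}
	fmt.Printf("untouched report verifies: %v\n", honest)
	fmt.Printf("amount lowered in transit verifies: %v\n", tampered)
}
```

Two caveats a practitioner would add. First, a signature proves origin and integrity, not freshness: a user can replay a valid signed report for a cheap order against a later, more expensive one unless site Y records each OrderID as consumed (or the report carries a nonce or expiry that Y checks). Second, the amount travels in the clear, which is fine here because the thread's goal is tamper detection, not confidentiality; if the report must also be hidden from the user, encrypt the signed report under Y's public key rather than relying on the signature to do both jobs.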

Re: Security Problem with Tomcat

2001-04-04 Thread Mike Spreitzer
The best description I have seen is at http://www.securityfocus.com/bid/2518. That's Bugtraq ID 2518. I was using Tomcat 3.2.1 on UNIX systems, and it had the bug. I have updated to Tomcat 3.2.2b2, and the bug is gone there. I am using Tomcat directly, not through Apache. I do not know