Leon Rosenberg wrote:
On 6/2/06, Bill Barker <[EMAIL PROTECTED]> wrote:
TC 3.3.x had an optional module to do this. It never got ported.
I generally agree with most of the people that say that this is the least of your problems. If you are using a self-signed cert, then you are just getting what you deserve. Otherwise, you simply contact the CA and revoke the cert: at least this problem is solved :). Now, how to deal with the fact that the hacker just uploaded 10,000 credit-card numbers, since my jdbc password was in the clear :).
Actually you are not allowed to save credit card numbers unless you
are a certified payment provider (which implies major security
constraints).
Even a certified payment provider is not allowed to store cvc codes,
and without the codes the credit card numbers are useless. (amazon of
course is an exception to this rule...)
However, if you are saving cc-numbers or bank accounts or any other payment related data in your database unencrypted you belong in jail :-)
But please feel free to tell us that you are doing one of the above,
so we know which sites to avoid :-)
Somewhat true, but nearly every site that collects payment information
and charges at a later date stores that information until the card is
actually processed, and many businesses do not charge the card until the
product/service has been delivered.
Furthermore, that simply begs the issue, since it could be SSN,
salaries, student loan info, job histories, etc. that become vulnerable.
I don't think there's much argument that allowing the option to manually
enter the keystore password is a bad thing, just that protecting an SSL
cert is only a small concern if your filesystem has been compromised.
David
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]