CircleNet would like to introduce ourselves to the Obi world
Sam_from_CircleNet:
MacOverAll,
When you go to make a payment now it does drop into a proper SSL environment on PayPal's servers, so any billing information that you put in will be encrypted.
I can see why you would be concerned about the rest of the portal. Our next two development cycles are already full, but we will aim to add a signed SSL cert to the customer portal on 5/3 or 5/10.
In the meantime the self-signed certificate can be used for encrypting the connection, but it doesn't verify you are on the correct page.
Thanks,
Sam
nitzan:
Wow. You're actually taking private customer information via plain HTTP?!?
Your user portal should be encrypted, yesterday. Aside from the obvious privacy issues with this you're actually running the risk of getting hit with a huge fine from the FCC if call data ever leaks out. You can't serve call records via HTTP. Your portal should be forcing users to HTTPS even if it's through a self-signed certificate.
Adding an SSL cert takes 15 minutes; you don't need a "development cycle" for it. This is way more important than anything else you are working on right now.
CLTGreg:
Quote from: nitzan on April 16, 2014, 05:05:00 am
Adding an SSL cert takes 15 minutes; you don't need a "development cycle" for it. This is way more important than anything else you are working on right now.
Apparently there are risks with certain deployed SSL environments. Which one do you recommend?
Sam_from_CircleNet:
Our signup and portal will work with either HTTP or HTTPS, but neither contains payment info. The customer is dropped into an SSL session with PayPal prior to capturing any payment data. Also, since we're pay-as-you-go, we don't store ANY payment data; that's all done at PayPal.
I see the security concerns here, however, over the customer's name and address. We will disable the HTTP version shortly and push customers to the self-signed version.
As to switching to a signed cert, yes, it is easy, but we still need to work it into our dev plan. Any change that is potentially production-affecting needs to be looked at.
Sam_from_CircleNet:
Also, as to the risks with SSL: I strongly encourage anyone running an SSL instance that is even slightly based on OpenSSL to verify their patch level and recreate certs as needed. This isn't just a web vulnerability; SSL-based services such as VPN concentrators also need to be closely scrutinized.
Sam
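The distinction Sam draws (a self-signed cert encrypts the connection but does not prove you are on the right site), nitzan's point that a self-signed cert is still better than plain HTTP, and Sam's later advice to check the OpenSSL patch level can all be shown with a few openssl commands. The script below is an added example, not code from CircleNet or from anyone in this thread; it generates a throwaway self-signed certificate for a made-up hostname (portal.example) in a temporary directory and shows how the same certificate fails ordinary CA validation yet passes when it is explicitly pinned as the trust anchor.

```shell
#!/bin/sh
# Added example: what "encrypts but does not verify" means in openssl terms.
# Nothing here touches the real CircleNet portal; portal.example is made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed self-signed certificate for the hypothetical portal hostname.
# This is exactly the kind of cert a site puts up before buying a signed one.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=portal.example" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# A certificate is self-signed when its issuer DN equals its subject DN.
# (Strips the "subject="/"issuer=" prefixes so old and new openssl output
# formats compare the same way.)
cert_is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# What a browser does by default: build a chain to a CA in the system store.
# A self-signed cert has no such chain, so this fails (non-zero exit) and the
# user gets a warning page. The session is still encrypted; it is just not
# authenticated, which is Sam's point.
verify_against_system_cas() {
    openssl verify "$1" >/dev/null 2>&1
}

# What pinning does: trust exactly this certificate as the anchor. This only
# helps if the user obtained the cert over a channel an attacker could not
# tamper with; otherwise a MITM can present their own self-signed cert and
# the user has no way to tell the two apart.
verify_pinned() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Patch-level check: report the running OpenSSL version so it can be compared
# against the affected-version list of whatever advisory you are worried about.
# A cert should be re-issued if the private key may have been exposed while
# a vulnerable version was running.
openssl_version() {
    openssl version | awk '{print $2}'
}

# Walk-through when run directly.
make_self_signed
echo "cert at $WORK/cert.pem, openssl $(openssl_version)"
cert_is_self_signed "$WORK/cert.pem" && echo "issuer == subject: self-signed"
verify_against_system_cas "$WORK/cert.pem" || echo "system CA verify: FAIL (expected)"
verify_pinned "$WORK/cert.pem" && echo "pinned verify: OK"
```

Forcing HTTP to HTTPS, as nitzan recommends, is a separate step done in the web server (a redirect plus an HSTS header), but the certificate behaviour above is why a self-signed cert should be treated as a stopgap rather than a fix: it stops passive eavesdropping on name, address and call records, not impersonation of the portal.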