Re: [Exim] Secure email->Webmail transaction question

Author: Nigel Metheringham
Date:  
To: exim-users
Subject: Re: [Exim] Secure email->Webmail transaction question
On Tue, 2002-11-05 at 22:39, Kevin P. Fleming wrote:
> Keep in mind that SSL security on a web site (https) is one-way secure; only
> data from the client to the web server is encrypted, I believe. The data coming
> back from the web server is unencrypted, which is why any good secure commerce
> site never displays your credit card number back to you (at least not the
> complete number).


This is completely wrong. An SSL link means the whole TCP data stream
is encrypted in both directions.

Sites normally do not show you the complete credit card number for a
number of reasons:-
        * if someone breaks the other security on the site (ie the
          password you use for logging in) then you haven't lost the
          credit card as well.
        * if you print the acknowledgment then your CC number is not
          fully exposed.
        * client side cache (although a client should not cache an SSL
          transaction).


    Nigel.
--
[ Nigel Metheringham           Nigel.Metheringham@??? ]
[ - Comments in this message are my own and not ITO opinion/policy - ]