On Tue, 2002-11-05 at 22:39, Kevin P. Fleming wrote:
> Keep in mind that SSL security on a web site (https) is one-way secure; only
> data from the client to the web server is encrypted, I believe. The data coming
> back from the web server is unencrypted, which is why any good secure commerce
> site never displays your credit card number back to you (at least not the
> complete number).

This is completely wrong. An SSL link means the whole TCP data stream
is encrypted in both directions.

Sites normally do not show you the complete credit card number for a
number of reasons:-
  * if someone breaks the other security on the site (i.e. the
    password you use for logging in) then you haven't lost the
    credit card as well.
  * if you print the acknowledgment then your CC number is not
    fully exposed.
  * client side cache (although a client should not cache an SSL
    transaction).

Nigel.
--
[ Nigel Metheringham Nigel.Metheringham@??? ]
[ - Comments in this message are my own and not ITO opinion/policy - ]