RE: Encryption Advice

> --- Koen Martens <php@xxxxxxxx> wrote:
> 
> > But your unencrypted data is there, so someone could
> > possibly snoop
> > that from the insecure memory.
> 
> This is true. 
> 
> I am going to ask the hosting company to setuid gpg as
> root. That should solve one problem (from gpg docs):
> 
> "This is necessary to lock memory pages. Locking
> memory pages prevents the operating system from
> writing them to disk and thereby keeping your secret
> keys really secret."
> 
> But just out of curiosity, let's assume you are
> running a shopping cart which takes credit cards and
> passes them on to whomever approves them and you don't
> _ever_ write this info to files. Aren't you also
> vulnerable to someone being able to "snoop memory" on
> your process for sensitive information?
> 
> I mean at some point some program on the server has to
> take the customer's credit card, and that info is in
> memory somewhere until you get the approval. Isn't
> that true?

In my case, I use a third-party service that handles credit card payments.
I take the order, and pass the order amount to the credit card processing
service.  THEY take the credit card info into THEIR system, process the
payment, then send the customer back to my site.  I never take credit card
info.  So, if somebody steals my customer's identity, I am absolved of any
responsibility.

JM

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

