
> Obfuscation is such weak security it should be considered as pretty much worthless

Say obfuscation = encrypted.

> It's vulnerable to cookie jacking over non HTTPS

That's why you use the secure and httponly flag for the cookie.

> It's vulnerable to theft if you have access to a computer where someone has logged on

Pretty much everything is vulnerable to theft if you have access to a computer where someone else has logged on.



If you encrypt it, either you use a different key for each user's data, which means you're storing per-user session data on the server, so you may as well store the cc number there, or you're not storing per-user keys on the server, which (and I'm not a crypto expert here) probably opens you up to known-plaintext attacks if an attacker gains access to many users' cookies.

Are there any actual crypto experts reading who'd comment on the dangers of encrypting multiple credit card numbers with the same key? Keep in mind for a single bank the first 4 digits of a credit card will all be one of two choices (their Visa or Mastercard prefix) and for a single branch I think the first 6 digits will be the same for every customer's Visa card, which only leaves 9 digits (and the checksum).

Surely a naive approach like:

  $encrypted_cookie_text = any_encryption_function($sixteen_digit_cc_number, $global_key);

could be brute forced pretty readily: with a knowledgeable guess at the first 6 digits and an understanding of the checksum algorithm, you're only left with one billion possible numbers. (In fact, I wonder if rainbow tables already exist for this for various values of any_encryption_function()?)


> If you encrypt it, either you use a different key for each user's data, which means you're storing per-user session data on the server so you may as well store the cc number there

I don't see how that follows. Storing credit card details on the server is generally a bad thing to do and takes a lot of work to get it to be PCI compliant.

What would be wrong with a different key/salt per user stored on the server, with the credit card number stored in a short-lived, secure, httponly cookie?


Obfuscation is not the same as encryption. Do not make that mistake!


True, but encryption is merely a computationally unfeasible form of obfuscation


I don't trust a site that stores my CC information in a cookie to always serve HTTPS pages.

Also you didn't address the most important point, PCI compliance.

The method Santander employs is unquestionably a bad way to do things.


If the cookie is set to secure it won't be sent in a non-HTTPS request.
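
The behaviour this comment and the earlier "secure and httponly" reply rely on, as an added example that is not part of the thread: Python's standard-library cookie jar stands in for a browser and decides whether a stored cookie goes out with a request. The host `bank.example`, the cookie name and its value are constructed placeholders.

```python
from email.message import Message
from http.cookiejar import CookieJar
from http.cookies import SimpleCookie
from urllib.request import Request


def build_set_cookie(name, value, secure=True, max_age=300):
    """Return a Set-Cookie header value: short-lived, HttpOnly, optionally Secure."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = "/"
    morsel["max-age"] = max_age      # short lifetime, in seconds
    morsel["httponly"] = True        # browsers hide the cookie from page scripts
    if secure:
        morsel["secure"] = True      # client must not send it over plain HTTP
    return morsel.OutputString()


class _Response:
    """Minimal response object: CookieJar only calls info() to read headers."""

    def __init__(self, headers):
        self._headers = headers

    def info(self):
        return self._headers


def cookie_header_sent(set_cookie_value, set_on_url, request_url):
    """Store the cookie as if received from set_on_url, then return the
    Cookie header the client would attach to request_url (None if withheld)."""
    headers = Message()
    headers["Set-Cookie"] = set_cookie_value
    client = CookieJar()
    client.extract_cookies(_Response(headers), Request(set_on_url))
    outgoing = Request(request_url)
    client.add_cookie_header(outgoing)
    return outgoing.get_header("Cookie")


if __name__ == "__main__":
    login = "https://bank.example/login"            # constructed host
    for secure in (True, False):
        header = build_set_cookie("session", "constructed-value", secure=secure)
        print(header)
        for url in ("https://bank.example/account", "http://bank.example/account"):
            print("   ", url, "->", cookie_header_sent(header, login, url))
```

The jar only records `HttpOnly` as an attribute, since it runs no scripts; the flag has an effect in a browser, where it keeps the cookie out of `document.cookie`.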


At the very least, the data (encrypted or no, but it should probably be encrypted) on the server related to a session lives outside the webroot, whereas in a cookie, even if it is encrypted, it's still essentially public. If there's no reason to have that data, explicitly, exposed in the client then why put it there?



