CGI and Perl

Transaction Security

Some types of transactions, especially credit-card purchases, may require that you ensure the security of the transaction itself. There are numerous ways for unsavory individuals to snoop on what you're sending to or receiving from the other end, including, but not limited to, the following:

Spoofing: The client can trick your server into believing that the request or post it's sending comes from some other site. This is known as IP and/or DNS spoofing. Your server may respond believing that the client is "trusted" when it isn't.

Sniffing: In some cases, it's possible for an unsavory individual to snatch packets as they zip by on the wire. Especially with the newer cellular modems, unsecured phone lines, and so on, it's becoming easier all the time to see everything coming and going to a client or server.

Traffic Analysis: Using sampling techniques on the packets (a form of sniffing) or, more commonly, the httpd's log files, an individual (possibly unsavory) can learn about the nature of the transactions that your site processes. This may be useful, for instance, to a site that provides the same services or products and wants to analyze how competitive your site is.

In each of these cases, the risk can be alleviated or greatly reduced. For spoofing and sniffing, the preferred technique is to encrypt or digitally sign the data in the transaction: whoever receives what your server sends must hold the appropriate key to decrypt it (or verify the signature) before they can make use of it. For traffic analysis of the data and log files, the preferred technique is to restrict the file permissions on the log directory, the logs, and the data files themselves, so that only the server's owner can read them. The logs themselves can also be encrypted for permanent archival.
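The file-permission countermeasure for traffic analysis is the one step above that is typed straight into a shell, so here is an added example (not code from the book) that restricts an httpd log directory to its owner and then audits it for anything still readable or writable by group or others. It assumes the script runs as the user who owns the log files and that the directory path is supplied on the command line; the sample log line used when you run it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example for this chapter (not code from the book): lock down an httpd
# log directory so only the owning user can read the logs and data files, then
# audit the directory to confirm nothing is still exposed.
# Assumptions (constructed for this example): we run as the owner of the files,
# and the caller passes the directory path as the only argument.

# harden_log_dir DIR
# Sets the directory itself to 0700 (owner only) and every regular file inside
# it to 0600, so neither group members nor other users can read or write them.
harden_log_dir() {
    dir="$1"
    [ -d "$dir" ] || return 1
    chmod 0700 "$dir" || return 1
    # -type f limits the change to regular files (access logs, data files)
    find "$dir" -type f -exec chmod 0600 {} \; || return 1
}

# audit_log_dir DIR
# Prints every path under DIR that is still readable or writable by group or
# others. Returns 0 when nothing is exposed and 1 when at least one path is.
audit_log_dir() {
    dir="$1"
    exposed=$(find "$dir" \( -perm -g+r -o -perm -g+w \
                           -o -perm -o+r -o -perm -o+w \) -print)
    if [ -n "$exposed" ]; then
        printf 'exposed: %s\n' "$exposed"
        return 1
    fi
    return 0
}

# Stand-alone use: sh harden_logs.sh /path/to/httpd/logs
# (the path is whatever your server's log directory is; nothing runs when the
# script is sourced without an argument)
if [ "$#" -eq 1 ]; then
    audit_log_dir "$1" || echo "before hardening: exposed paths listed above"
    harden_log_dir "$1" || { echo "hardening failed"; exit 1; }
    audit_log_dir "$1" && echo "after hardening: no exposed paths"
fi
```

Run it once against the live log directory, and re-run only the audit function from cron or a log-rotation hook: a new log file created with the server's default umask will show up as exposed before anyone else has had a chance to read it.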

Nowadays, most commercially available servers and their respective clients implement encrypted transactions via some, usually proprietary, means. There's also a means to build encryption into the NCSA httpd and Apache httpd servers. See the documentation for these servers or the references listed at the end of this chapter in the section entitled "Further Reading" for details on how to do this.