tomcat-users mailing list archives

From "Leon Rosenberg" <rosenberg.l...@googlemail.com>
Subject Re: How to hide the keystorePass at the server.xml
Date Fri, 02 Jun 2006 09:45:35 GMT
On 6/2/06, Bill Barker <wbarker@wilshire.com> wrote:
> TC 3.3.x had an optional module to do this.  It never got ported.
>
> I generally agree with most of the people that say that this is the least of
> your problems.  If you are using a self-signed cert, then you are just
> getting what you deserve.  Otherwise, you simply contact the CA and revoke
> the cert:  At least this problem solved :).  Now, how to deal with the fact
> that the hacker just uploaded 10,000 credit-card numbers, since my jdbc
> password was in the clear :).

Actually you are not allowed to save credit card numbers unless you
are a certified payment provider (which implies major security
constraints).
Even a certified payment provider is not allowed to store cvc codes,
and without the codes the credit card numbers are useless. (Amazon of
course is an exception to this rule...)
However, if you are saving cc-numbers or bank accounts or any other
payment related data in your database unencrypted you belong in jail
:-)
But please feel free to tell us that you are doing one of the above,
so we know which sites to avoid :-)

regards
leon


