HTML5本地存储对信用卡信息的安全隐患是什么? [英] What are the security implications of HTML5 local storage for credit card info
问题描述
在我公司控制下的网络服务器中存储信用卡信息会产生严重的安全风险。这是一种闯入的动机。它迫使我们非常谨慎地保护对我们数据库的访问。这是一种法律责任。
Storing credit card info in web servers under my company's control creates severe security risk. It is an incentive to break in. It forces us to guard acces to our our database with great care. It is a legal liability.
显然,这对于从一个会话到另一个会话在同一浏览器上的用户才真正有用,因此会有用户体验。
Obviously this would only really be useful to users who are on the same browser from one session to another, so there is a UX hit.
将此信息放在HTML5本地存储中是否会提高安全性?
Would it be a security improvement to put this info in HTML5 local storage?
推荐答案
可能
通过在个人计算机上存储信用卡详细信息,可以减少单个服务器成功破解的可能性(或系统)导致许多(数百/数千)用户被泄露的信用详细信息。理想的解决方案是在服务器上存储类似(或更低)的风险,但会分配攻击面,从而大大减少影响。
By storing the credit card details on an individual's machine, you reduce the chance that a successful hack of a single server (or 'system') leads to the credit details of many (hundreds/thousands of) users being compromised. An ideal solution would entail a similar (or lower) risk as storing things on the server, but distribute the attack surface and hence massively reduce the impact.
这是摘要一个建议的方法(我已经完全提出了一个问题的 HERE ,还没有'poo-poos'):
Here is the summary of a suggested approach (which I've posed fully as a SO question HERE, with no 'poo-poos' as of yet):
-
通过HTTPS从服务器检索加密密钥。
Retrieve an encryption key from the server over HTTPS.
使用它(在javascript中)在用户输入的同时加密本地存储中的信用卡详细信息。
Use it (in javascript) to encrypt the credit card details in local storage at the same time as they are being entered by the user.
当用户离开页面时,将密钥丢弃。
Throw the key away when the user navigates away from the page.
如果用户稍后返回,他们可以从服务器检索相同的密钥,以及用于缓存未来细节的新密钥(以避免一次又一次地使用相同的密钥)。
If the user returns later, they can retrieve the same key from the server, as well as a new key with which to cache the details going forward (to avoid the same key being used again and again).
服务器没有k查看信用卡详细信息的副本,黑客需要获得一定程度的访问权限,以便他们能够看到用户在页面上输入的详细信息。
The server doesn't have to keep a copy of the credit card details, and a hacker would need to gain a level of access such that they could anyway see the details being entered on the page by the user.
这篇关于HTML5本地存储对信用卡信息的安全隐患是什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
