Help Version: 2.12
Last Update: 05/01/2002

Security Issues

General

Please note: While the built-in encryption scheme is good, it is not as good as PGP. So, if you have the opportunity to use PGP on your server, you should seriously consider this option. The QuikStore scripts WILL work with PGP 4 or 5.

This is also NOT a substitute for checking to make sure that your site is secure. Again, MAKE SURE your cgi directory is NOT browsable. If it is, and your ISP cannot correct this, we recommend that you switch ISPs to make sure you are secured as best as possible!

Overview

Whenever you operate an online store that takes personal data from customers, security of that data should be one of your main concerns. We have outlined a few of the main concerns below that you should be aware of. Please take the time to look these things over and decide how your particular site should be best handled.

It is IMPORTANT that during the setup of the QuikStore program, you check to make sure that the cgi-bin or executable program directory of your web site is not viewable from the outside world. You don't want users to have access to your programs or to the log files that could be stored there!

The viewable or "browsable" executable directory problem usually only occurs on a misconfigured NT server. However, while it is rare, it IS possible for this to occur on a UNIX server. Past experience has shown that NT systems are more prone to this oversight. It is always a good idea to make sure your host server is set up correctly, and it only takes a minute to verify that it is.

Allowing users to browse your cgi-bin directory also allows them to see your order and configuration files. This, of course, is a bad thing!

How To Test Your Server to make sure you are Secure

Open your browser and enter the FULL path (URL) to your cgi directory on your web site. You should NOT be able to view these files in your browser! You should also check your "Orders" directory.

The server's response to this request should be a "no permissions" error, a "file not found" error, or a blank screen.

If you can view or download these files from the browser, someone else can too! The order files are located in the cgi-bin directory specifically for this reason. The executable program directory and all directories below it should NOT allow a user to "browse" any of the files! If you can see these files, you need to contact your ISP and tell them to make sure your cgi-bin or executable program directory is NOT browsable. This is the standard setup and they should have no issue with correcting your web site to comply.
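The browser test above can also be scripted so it is repeated after every hosting change. The script below is an added example and is not part of the QuikStore documentation; the function names are my own, the URL in the usage comment is a placeholder, and the two sample pages are constructed so the classifier can be exercised offline. It applies the rule from the text: a "no permissions" (401/403) or "file not found" (404) status, or an empty page, means the directory is hidden; a page that looks like an Apache "Index of" or IIS "[To Parent Directory]" listing means it is exposed and the ISP must be contacted.

```shell
#!/bin/sh
# Added example, not QuikStore's own code: classify a web server's reply to a
# request for the cgi-bin or orders directory, following the rule in the text.

# Usage: classify_listing_response STATUS BODY  -> prints blocked|exposed|review
classify_listing_response() {
  status="$1"
  body="$2"
  case "$status" in
    401|403|404)
      echo "blocked"        # server refused or hid the directory
      return 0 ;;
  esac
  if [ -z "$body" ]; then
    echo "blocked"          # blank screen, also acceptable per the text
    return 0
  fi
  # Apache listings carry "Index of /..."; IIS directory browsing pages carry
  # "[To Parent Directory]". Either means the directory contents are visible.
  if printf '%s' "$body" | grep -qiE 'index of /|to parent directory'; then
    echo "exposed"
    return 0
  fi
  echo "review"             # 200 with some other page: look at it by hand
  return 0
}

# Usage: check_directory http://www.example.com/cgi-bin/   (placeholder URL)
# Fetches the live URL with curl and feeds status and body to the classifier.
check_directory() {
  url="$1"
  tmp=$(mktemp)
  status=$(curl -s -o "$tmp" -w '%{http_code}' "$url") || status="000"
  body=$(cat "$tmp")
  rm -f "$tmp"
  verdict=$(classify_listing_response "$status" "$body")
  echo "$url -> $verdict"
}

# Constructed sample responses (not captured from a real host), so the
# classifier can be tried without network access.
APACHE_INDEX='<html><head><title>Index of /cgi-bin</title></head><body><h1>Index of /cgi-bin</h1><a href="quikstore.cfg">quikstore.cfg</a></body></html>'
IIS_INDEX='<html><head><title>www.example.com - /cgi-bin/</title></head><body><h1>www.example.com - /cgi-bin/</h1><pre><a href="/">[To Parent Directory]</a></pre></body></html>'

# Exercise the classifier on the samples when the script is run directly.
classify_listing_response 403 ""               # blocked
classify_listing_response 200 "$APACHE_INDEX"  # exposed
classify_listing_response 200 "$IIS_INDEX"     # exposed
```

Run check_directory once against the cgi-bin URL and once against the "Orders" URL; anything other than "blocked" needs attention. A "review" verdict usually means the host serves a custom error or welcome page with a 200 status, which is fine as long as no file names appear in it.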

On UNIX systems, you can also use .htaccess password protection on the "orders" directory (the file name is lowercase, which matters on UNIX). Contact your ISP for more on this.

This will provide one of the strongest levels of security protection you can get!
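As an added illustration of that .htaccess protection (this is not a file shipped with QuikStore), the fragment below goes in the "orders" directory. It assumes the host's Apache configuration allows these overrides for that directory (AllowOverride AuthConfig Options); the .htpasswd path is a placeholder and should point outside the web tree. The password file itself is created with Apache's htpasswd utility, for example "htpasswd -c /home/placeholder/.htpasswd storeowner".

```apache
# Added example .htaccess for the QuikStore "orders" directory.
# Path below is a placeholder: keep the password file outside the web tree.
AuthType Basic
AuthName "QuikStore order files"
AuthUserFile /home/placeholder/.htpasswd
Require valid-user

# Even for an authenticated user, never generate a directory listing.
Options -Indexes
```

After saving the file, repeat the browser test on the "orders" URL: the server should now ask for a username and password instead of showing anything.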

Order File Maintenance

Should you decide to log the encrypted orders to the server, you should purge these files frequently so that they are not accessible to anyone.

Built-in encryption

QuikStore does use a built-in encryption scheme to scramble the order files. This is turned on in the configuration file. You can turn it on by setting "Use Local Encryption" to "Yes" in the Configuration Editor (Step Two of the Main Menu).

This encryption will scramble the files so they are only readable through the Encryption Tool (Step Six of the Main Menu). The preset username, password, and PIN number that were set using the Encryption Tool will be required to decrypt (or unscramble) these files.

The orders may also be emailed to you directly (full order email) and then you can use the Encryption Tool to read them. It is YOUR responsibility to keep the Encryption Tool in a secure place so others cannot access it!

Summary

While we do our best to offer you alternatives to protecting your data, it's ultimately up to you which method you choose to do so. A good combination of server protection and encryption is highly recommended.



Copyright 1997-2003 i-Soft, LLC