I have a user who got the following cert error this morning.
Is it possible (likely) that the cert is complaining about a component on the page, and not the URL at the top of the page compared to the cert?
Dashrender
@Dashrender
10003
Reputation
30810
Posts
9678
Profile views
32
Followers
16
Following
Posts made by Dashrender
-
cert errorposted in IT Discussion
-
RE: PCI Point to Point vs End to Endposted in IT Discussion
@scottalanmiller said in PCI Point to Point vs End to End:
@Dashrender said in PCI Point to Point vs End to End:
@Pete-S said in PCI Point to Point vs End to End:
@Dashrender said in PCI Point to Point vs End to End:
@Pete-S said in PCI Point to Point vs End to End:
@Dashrender said in PCI Point to Point vs End to End:
@Pete-S said in PCI Point to Point vs End to End:
If you have unencrypted LAN communication (at your servers) you are encrypted point-to-point but not end-to-end.
Thanks, I get the difference now... but now why anyone cares.
It's just that CC info can't be picked up anywhere if it's end to end encryption.
but it can - at the terminal where it's collected - at the processor who terminates the E2EE (though hopefully that's beyond extremely unlikely).
Maybe I should have said it can't be picked up in transit.
The card processors probably have more stringent requirements for infosec than PCI.
Sure, ok - in transit... but once the data gets to your payment gateway, it's not your responsibility anymore - so again, who cares... P2PE gets it to the payment gateway just as good as E2EE does to First Data or Elavon, only the payment gateway then also injects itself into the data stream for some unknown reason...
So I'm still not seeing a benefit to E2EE to the merchant.
I assume E2EE gives you some discounts.
based on what?
-
RE: PCI Point to Point vs End to Endposted in IT Discussion
@Pete-S said in PCI Point to Point vs End to End:
@Dashrender said in PCI Point to Point vs End to End:
@Pete-S said in PCI Point to Point vs End to End:
@Dashrender said in PCI Point to Point vs End to End:
@Pete-S said in PCI Point to Point vs End to End:
If you have unencrypted LAN communication (at your servers) you are encrypted point-to-point but not end-to-end.
Thanks, I get the difference now... but now why anyone cares.
It's just that CC info can't be picked up anywhere if it's end to end encryption.
but it can - at the terminal where it's collected - at the processor who terminates the E2EE (though hopefully that's beyond extremely unlikely).
Maybe I should have said it can't be picked up in transit.
The card processors probably have more stringent requirements for infosec than PCI.
Sure, ok - in transit... but once the data gets to your payment gateway, it's not your responsibility anymore - so again, who cares... P2PE gets it to the payment gateway just as good as E2EE does to First Data or Elavon, only the payment gateway then also injects itself into the data stream for some unknown reason...
So I'm still not seeing a benefit to E2EE to the merchant.
-
RE: PCI Point to Point vs End to Endposted in IT Discussion
@Pete-S said in PCI Point to Point vs End to End:
@Dashrender said in PCI Point to Point vs End to End:
@Pete-S said in PCI Point to Point vs End to End:
If you have unencrypted LAN communication (at your servers) you are encrypted point-to-point but not end-to-end.
Thanks, I get the difference now... but now why anyone cares.
It's just that CC info can't be picked up anywhere if it's end to end encryption.
but it can - at the terminal where it's collected - at the processor who terminates the E2EE (though hopefully that's beyond extremely unlikely).
-
RE: PCI Point to Point vs End to Endposted in IT Discussion
@Pete-S said in PCI Point to Point vs End to End:
If you have unencrypted LAN communication (at your servers) you are encrypted point-to-point but not end-to-end.
Thanks, I get the difference now... but now why anyone cares.
-
RE: Using IP Addresses - CompTIA A+ 220-1001 Prof Messerposted in IT Careers
@scottalanmiller said in Using IP Addresses - CompTIA A+ 220-1001 Prof Messer:
@connorsoliver said in Using IP Addresses - CompTIA A+ 220-1001 Prof Messer:
When using an SSL VPN, if the VPN concentrator decrypts the data being sent, wouldn't it be possible for someone to capture the data and also decrypt it?
Possible, sure. But very, very hard. The VPN concentrator has the keys, someone intercepting the traffic presumably does not. The point of VPN encryption is to make it so hard to decrypt the data that you don't care if they see it. It's about making something safe enough that we assume we will send it in the open and not worry.
So we assume that people capture that data constantly - but we have made it so hard to use, that they can't do it.
We more than assume that - we pretty much know the NSA is doing that after the Snowden leaks.
-
RE: PCI Point to Point vs End to Endposted in IT Discussion
@scottalanmiller said in PCI Point to Point vs End to End:
@Dashrender said in PCI Point to Point vs End to End:
This also makes me ask - why is the data ever needing to be decrypted before it gets to the people who actually have to act on it?
Because it starts that way. You generally take the information as plain text when you receive it.
Huh? what does getting the data as decrypted have to do with it? Of course the data comes unencrypted as we collect it... but why does it need to be decypted before First Data or Elavon deal with it? Why does the payment gateway want to decrypt it?
-
RE: PCI Point to Point vs End to Endposted in IT Discussion
This also makes me ask - why is the data ever needing to be decrypted before it gets to the people who actually have to act on it?
Is it because by allowing someone to interact with the data in middle on your behalf, they can do things like, setup auto bill pays, etc? A feature that the actual backend processor like First Data or Elavon don't want to deal with?
-
RE: PCI Point to Point vs End to Endposted in IT Discussion
@scottalanmiller said in PCI Point to Point vs End to End:
Basically, unless I'm way off, Point to Point encryption means you take the credit card info and you send it over a secure channel, basically like a VPN. It keeps people from intercepting the data along the way. But the data is wide open on either end.
End to End means that the data starts encrypted and stays that way until it is received. It's way more intensive and much more secure. Basically the data never exists as plain text.
OK, but so what? As a merchant, I, so I just read, only care about the data remaining encrypted to the point where it reaches my payment gateway. Beyond that it's the processors problem if they are hacked.
-
PCI Point to Point vs End to Endposted in IT Discussion
My accounting person stopped me to today asking me the difference between End to End and Point to Point - at first I was like - nothing, they are basically the same, but upon further thinking.. they aren't.
End to End means literally, from one end to another end the data stays encrypted.
Point to Point means that between two points something stays encrypted. Assuming there are multiple 'points' between the ends, then the data could be unencrypted multiple times between the end points.OK that's all great.
Now she tosses at me that PCI is making a difference between these two things.
Here's the wiki page.
https://en.wikipedia.org/wiki/Point_to_Point_EncryptionAs far as I can tell From this page, Point to Point is really just the name PCI has given to an encryption process.
Though from the page, I can't really tell how End to End is really much different, other than they don't really spell out the encryption process.
Edit - OK.. one of the big things seems to be that P2PE does tokenization as a requirement.. E2EE doesn't appear to require that.