Secure Sockets Layer resource at Wikipedia.

Interchange has several features that enable secure ordering via SSL. Despite their mystique, SSL web servers are actually quite easy to operate. The difference between the standard HTTP server and the SSL HTTPS server, from the standpoint of the user, is only in the encryption that happens kind-of transparently, and the specification of the URL -- https: is used for the URL protocol specification instead of the usual http: designation.


Interchange attempts to perform operations securely, but no guarantees or warranties of any kind are made! Since Interchange comes with Perl source, it is possible to modify the program to create bad security problems. One way to minimize this possibility is to record digital signatures, using MD5 or PGP, of bin/interchange, interchange.cfg, and all modules included in Interchange. Then verify them on a regular basis to ensure they have not been changed.

Interchange uses the SecureURL directive to set the base URL for secure transactions, and the VendURL directive for normal non-secure transactions. Secure URLs can be enabled for individual forms through a form action of [process secure=1]. An individual page can be displayed via SSL with [page href=PAGE_URL secure=1]PAGE_NAME</a>. A certain page can be set to always be secure with the AlwaysSecure directive.

Interchange incorporates additional security for credit card numbers. The field mv_credit_card_number will not ever be written to disk.

To enable automated encryption of the credit card information, you need to enable CreditCardAuto. EncryptProgram also needs to be set to a command which will, with hope, encrypt the number when invoked. PGP is now recommended above all other encryption program. The entries should look something like:

  CreditCardAuto Yes
  EncryptProgram /usr/bin/pgpe -fat -r [email protected]

See CreditCardAuto, PGP, GPG_PATH, EncryptKey and EncryptProgram configuration directives for more information and examples.

DocBook! Interchange!