Steve Gibson’s E-Commerce System
Security fanatic and host of the #1 Tech Podcast (Security Now) Steve Gibson, built his own e-commerce system in assembly language. This came from a need and lack of a 3rd party product that offered the features Steve needed. What really intrigued me while listening to Steve on Security Now #109 was how accessible he made his e-commerce system.
The web was designed with a server-client model in mind. This means a server has no means for keeping state, or what information you have previously sent to it. A server spits out pages and has no means to keep track of who sent what. The classic model to solving this problem involved setting client-side cookies using JavaScript to write and read information specific to that user that can be sent back to the server. Steve is a firm believer that scripting is inheritly evil and didn’t want to rely on his potential customers having JavaScript enabled in order to complete a transaction. Instead, Steve came up with a pretty clever method of keeping track of customers as they go through the checkout process.
Steve’s system collects the basic info on the first page of the process and then sends it to the server for validation like does the provided e-mail address look like an e-mail address and is the credit card number properly entered. Steve then takes the customer to a second page where he asks to confirm their e-mail as well as gathering additional data. The trick to keeping track of the previous data entered without using cookies is the use of a hidden field which Steve fills with the previous data encrypted using a secret key on the server and then digitally signed using a cryptographic hash. The result is all of the users data that is essentially useless outside of the server which can then be sent back to Steve, decrypted, and used to fulfill the order.
Now this might sound a little fishy if it weren’t coming from Steve Gibson himself. But this is the guy who wrote the Ultra High Security Password Generator, which is guaranteed to never give the same password twice and is truly random.
I have always had this idea of creating my own e-commerce site to sell my photography and hearing Steve talk about designing and building his own e-commerce solution was really inspiring. You can listen to the 95 minute podcast or read the complete transcript over at GRC.com/securitynow.
Steve Gibson is a hysterical fearmonger with no real security credentials.